Among the risk items identified, risks that could have an enormous impact if they materialize are identified as particularly important risks and are listed below:

(i) Risks related to business continuity in the event of a significant natural disaster

Our executives, employees, offices, and facilities are concentrated in the Tokyo metropolitan area, and there is a possibility that a situation may arise when earthquake directly under the Tokyo metropolitan area, eruption of Mt. Fuji and flood damage due to typhoon, storm surge, etc. might led to loss of critical information assets, shortage of available personnel, collapse of infrastructure and we will not be able to resume business operations quickly. In addition, we recognize that the loss of important documents and data related to business execution and intellectual property, etc., due to damage caused by earthquakes and other natural disasters or fires at our group's business sites could hinder our business activities and affect our business performance and financial position, and is therefore a particularly important risk.
As risk mitigation measures, we backed up important documents and data to a remote location, established an emergency headquarters and other initial response systems, and formulated a business continuity plan (BCP) to resume business operations. In addition, by enhancing our online business infrastructure, we are striving to prepare for both the safety of our executives and business partners and the continuity of our business operations by utilizing remote work from normal times.

(ii) Risks associated with cloud-based service business

Some of the cloud services provided by our group include consolidated accounting services, management accounting services, and other services that handle important customer data.
For those services, service outages or loss of customer data due to system operation problems, cloud environment failures, cyber-attacks, or other causes could have a significant impact on customer operations. In addition, we recognize that this is a particularly important risk because the occurrence of such an event for reasons attributable to our company could have a significant impact on our group's performance and financial position, including the payment of compensation for damages, and could also lead to a decline in the credibility and brand image of our group. We recognize that this is a particularly important risk.
To reduce risk, the Group has established a cloud service operation organization and a security organization to identify and improve risks on an ongoing basis, and is promoting security measures such as multiple data backups and other system failure countermeasures and multi-factor authentication. In addition, some of our cloud services have obtained SOC1 Type2 reports in compliance with the U.S. Statement on Standards for Assurance Engagements No. 18 (SSAE18), and we strive to improve the quality of system operations by utilizing objective evaluations from a third-party perspective.

(iii) Risk of information leaks and other security incidents

In the course of its business activities, the Group may handle personal and confidential information of its affiliates and customers. There is a possibility that this information could be leaked due to unauthorized access to our group's computers by outside parties, leakage of information due to errors by our group's officers or contractors, or other unforeseen circumstances. Such an incident could have a serious impact on the social credibility of the Group and its customers, as well as on the Group's business performance and financial position.
To address security risks, the Group has established an Information Security Policy and a Personal Information Protection Policy, and reviews these policies in response to advances in information and communication technology and changes in social and regulatory environments. The Information Security Committee, led by the Chief Information Security Officer (CISO) and headed by the President and CEO, has been established to formulate policies, implement measures, educate and enlighten employees, and conduct audits and evaluations. We have also acquired ISMS certification (ISO/IEC27001:2013), an international standard for objective evaluation and continuous improvement of these operations. In addition, we respond to cyber-attacks and incidents in accordance with internal rules and regulations, and the Information Security Committee takes measures according to the degree of impact on the Group's business. We also conduct quarterly information security
training to raise the security awareness of all executives, temporary employees, and outsourced employees.