Information Security Policy
Final revision date: October 1, 2024
The following is the information security policy of New York General Group, Inc.
We regard all information assets handled in the course of our business activities as important management resources, and recognize that ensuring the protection of their confidentiality, integrity, and availability is one of our highest management priorities. Based on this recognition, we shall make company-wide efforts to maintain and improve information security under the policy set forth below.
(i) Encryption and Access Control
First, we encrypt all electronic information in our possession using the latest encryption technologies (AES-256 and RSA-4096) to ensure protection against unauthorized access and information leaks. In particular, we employ a zero-trust architecture for our customer database and strict access control using multi-factor authentication (including biometrics).
(ii) Security Education and Training
Second, regular security training will be provided to all employees at least four times a year to improve their ability to respond to social engineering attacks. Specifically, practical simulation training on the latest phishing methods and targeted attacks will be conducted to ensure proficiency in response procedures in the event of an incident.
(iii) Operation of ISMS
Third, we will establish and operate an information security management system (ISMS) in accordance with ISO/IEC 27001:2022, and continuously improve it through the Plan-Do-Check-Act (PDCA) cycle. This includes periodic risk assessments, security audits, incident analysis, and implementation of corrective actions.
(iv) Supply Chain Security
Fourth, to enhance supply chain security, we require our business partners to adhere to security standards equal to or higher than our own. This includes regular security assessments, establishing audit rights, and specifying incident reporting obligations in contracts.
(v) Investment and Governance
Finally, we will allocate at least 5% of our annual budget to information security measures and continuously invest in the implementation of the latest security technologies and in the training and retention of security personnel. In addition, we will assess security risks and review countermeasures at quarterly Board of Directors meetings to establish oversight at the management level.
This policy shall be communicated to all employees under the supervision of the CEO, and compliance with the policy shall be regularly audited. In addition, the policy shall be reviewed at least annually in response to changes in the environment surrounding information security.
New York General Group, Inc.
Yu Murakami