Regarding administrative actions against SBI SECURITIES Co., Ltd.
February 12, 2010
Financial Services Agency
Administrative action against SBI SECURITIES Co., Ltd.
As a result of an inspection of SBI SECURITIES Co., Ltd. (hereinafter referred to as "our company") by the Securities and Exchange Surveillance Commission, the following facts of legal violations were recognized, and a recommendation to seek administrative action was made on February 5, 2010.
○ Situation in which the management of the electronic information processing system related to the financial instruments business is recognized as insufficient
However, as described below, more than three-fourths of the system failures that occurred were not subject to risk management, and it was recognized that system risk management itself was virtually non-functional. In addition, deficiencies were found in the implementation status of the cases that the Company did subject to risk management, as well as in the development status of internal regulations.
This is due to the fact that the Company's management has left system risk management to the person in charge and outsourced contractors, and has not grasped the actual situation of the business. This is due to lack of awareness.
(1) Situations where many system failures are not subject to system risk management
Until the reference date, 188 system failures were managed based on management standards. However, when we examined the occurrence of system failures at our company, at least 592 system failures other than the above occurred during the above period, and it was recognized that they were not subject to risk management.
In addition, regarding the 592 cases of system failures, it was found that related departments and management were unaware of the fact that failures had occurred, as records and reports were not made as required by the management standards.
Of the 592 system failures, 33 failures affecting customer transactions, such as inability to log in and suspension of ordering and receiving orders, were identified.
(2) Insufficient development of safety measures
Regarding the 188 system failures described in (1) above, which were subject to risk management by the Company, an examination of the implementation status, etc. found deficiencies, as follows, in safety measures such as maintaining the quality of work in the development and operation of the system.
1. There are deficiencies in the format of records and reports related to system failures, and the implementation status of countermeasures according to the identification of failure causes and analysis results for each case is unclear. In addition, measures such as collecting and analyzing these on a regular basis and taking measures to prevent recurrence have not been implemented.
2. Some failures have remained unresolved for a long period of time, because continuous management from the occurrence of a failure to the completion of the response, and clearing management of unresolved failures, are not performed. In addition, due to insufficient measures to prevent the recurrence of failures, system failures of the same event have occurred.
(3) Inadequate status of improvements related to matters pointed out by system audits, etc.
At our company, improvements have not been made for a long period of time regarding matters pointed out in system audits entrusted to an external auditing organization. In addition, as a result of insufficient improvement, failures due to omissions in risk management and inadequate failure management were constantly occurring.
In addition, in the audits, etc. conducted by the Audit Department of the Company, there was no verification of whether business operations were being conducted in accordance with the management standards, and it was recognized that the effectiveness of system audits was not ensured.
(4) Deficiencies in regulations, etc., related to system risk management
The Company has not established basic policies related to system risk management, nor has it identified the locations and types of risks that should be managed. Deficiencies were found in the maintenance status.
(5) Occurrence of a system failure that has a significant impact on customer transactions
Our company has experienced system failures that have a significant impact on customer transactions, such as the inability to log in and the suspension of ordering and receiving orders. In addition, some of these cases were not subject to system risk management, and the actual situation regarding the impact on customers was not fully understood.
The status of the above business operations at our company is based on Article 123, Paragraph 1, Item 14 of the Cabinet Office Ordinance on Financial "Situation where the management of the electronic information processing system is deemed insufficient".
In addition, as a major Internet-only securities company, the Company is required to develop and operate systems with strong fault tolerance and to develop a sufficient system for responding appropriately in the event of a fault. Considering the reasons, it is considered necessary to work on improvement.
Based on the above, the following administrative actions were taken against our company today.
○ Business improvement order based on Article 51 of the Financial Instruments and Exchange Act
(1) Investigate the cause of the acceptance and normalization of an inappropriate system risk management system, clarify where responsibility lies, and review the business management system.
(2) Investigate past system failure cases, including cases where processing was not carried out in accordance with the management standards for system failures, categorize possible cases and countermeasures, and build a system risk management system that ensures effectiveness.
(3) To reaffirm the importance of system management to officers and employees, and to ensure an appropriate business operation system, review regulations and business procedures, and implement training, etc.
(4) Respond appropriately to issues pointed out in past external system audits. In addition, in order to appropriately verify the effectiveness of system risk management in general, including the response to the indicated items, external system audits shall be conducted appropriately, and the system of the internal audit department shall be strengthened.
(5) By March 12, 2010 (Friday) for the status of responses to (1) to (4) above (and by May 31, 2010 (Monday) for the status of progress after that, and three days thereafter) monthly) in writing.