Internal Control

Dai-ichi Life keeps personal information of customers, including their names, dates of birth, addresses, policy details, and medical information, for long periods, and also retains information of corporate clients that the Company has obtained through its business operations, such as financial transactions. The Company recognizes that complying with laws, regulations, and internal rules, managing the protection of information asset appropriately, and protecting information asset from cyber-attacks and internal misconducts are the major premises for gaining the trust of customers.

Dai-ichi Life's "Basic Internal Control Policy" serves as the basis for basic policies and regulations, including "Information Asset Protection & Control Regulations", the stipulations of which include the philosophies underlying the safekeeping of information. Dai-ichi Life has also created "Information Asset Protection & Control Procedures", which stipulate the details of standards for specific security measures. Based on the "Act on the Protection of Personal Information" and the "Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure", Dai-ichi Life's Board of Directors has established "Personal Information Protection Policy". This policy describes the purposes of the use of personal information with its protection and control, and is posted on the Company website (Click here for details). Furthermore, in order to enhance the system for responding to increasingly sophisticated cyber-attacks, the Board has set out the "Cybersecurity Policy for Dai-ichi Life Group".
The Company has created a "Compliance Manual" and an "Information Asset Protection & Control Manual", which contain policies and regulations related to management and promotion of information asset protection, as well as matters that need attention when operating business. The Company distributes these manuals to all directors, executive officers, and employees, and provides training programs to disseminate the contents of the manuals.

The Information Asset Protection Working Group, which has been established as a subsidiary body of the Compliance Committee, discusses important matters related to the promotion of information asset protection and reports the results to the Compliance Committee. Information Security Management Center has been established within the Compliance Control Department to provide a permanent organization for promoting appropriate safekeeping of information across the Company. The Center gives necessary instructions and support to head office departments and branches, and develops appropriate framework for protection of information asset through compliance managers and compliance promoters who are appointed in each business unit.
The Internal Audit Department conducts regular internal audits to ensure that these measures are working effectively throughout the Company, and reports their findings to the Board of Directors and the Executive Management Board.
In addition, if a matter concerning information asset protection is of certain importance and should be recognized across the whole Dai-ichi Life Group, it is reported to Dai-ichi Life Holdings from the Compliance Control Department as required.

Dai-ichi Life has developed information asset protection framework based on laws and regulations such as the "Act on the Protection of Personal Information", the "Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure", and Guidelines on Personal Information Protection in the Financial Field, and implements the following safety measures in terms of organizational, human, physical, and technical control:

• Publishing its "Personal Information Protection Policy" and developing internal policies regarding protection of information asset
• Disseminating rules on information handling through employee training and conducting inspections on compliance with the rules on a regular basis
• Managing precincts of handling information, implementing measures to prevent theft of information handling devices electronic media, etc.
• Installing firewalls against unauthorized access from outside the Company, Restricting data access and acquiring logs within the Company
• Supervising and checking outsourcing service providers, including their subcontractors

When customers request the disclosure of their own personal information, Dai-ichi Life will respond promptly and appropriately once it is confirmed that the requests are made by the customers themselves or by legal proxies.
Information about disclosure requests based on the "Act on the Protection of Personal Information" is also available on Dai-ichi Life's website.

Dai-ichi Life will respond promptly and appropriately to enquiries about the handling of personal information.