{"url_path":"/sec/nmr/10-k/2026/item-16k","section_key":"item-16k","section_title":"Item 16K Cybersecurity","topic":"sec","document":{"doc_type":"20-F","doc_date":"2026-06-22","source_url":"https://www.sec.gov/Archives/edgar/data/1163653/0001193125-26-277134-index.html","accession_number":"0001193125-26-277134","cik":"0001163653","ticker":"NMR","issuer_name":"NOMURA HOLDINGS INC","edgar_url":"https://www.sec.gov/Archives/edgar/data/1163653/0001193125-26-277134-index.html","primary_entity_key":"0001163653","primary_entity_name":"NOMURA HOLDINGS INC"},"word_count":730,"has_tables":true,"body_markdown":"Item 16K. Cybersecurity\n\nRisk Management and Strategy\n\nNomura maintains a comprehensive cybersecurity strategy. Identifying, assessing and managing cybersecurity threats and risks are an integral component of Nomura’s Operational Risk Management (ORM) Framework. See Item 11. “\n\nQuantitative and Qualitative Disclosures about Market, Credit and Other Risk—Overview of Risk Management Policy and Procedures”\n\nfor further information on the framework.\n\nNomura has invested and is continuing to invest in its cybersecurity strategy to address fast-evolving and sophisticated cybersecurity threats while at the same time complying with extensive global legal and regulatory expectations. Our cybersecurity programs are designed to be in line with industry best practice standards and include core capabilities such as Security Governance, Risk and Control, Security Awareness and Training, Threat Intelligence & Management, Security Operations Management, Vulnerability Management, Application Security, Data Security, and Identity and Access Management.\n\nNomura is regularly engaging various external service providers to perform independent assessments of our cybersecurity programs and controls. The results from these independent engagements are integrated into updates to our cybersecurity strategy as appropriate. We also conduct our own regular internal security assessments, such as penetration testing, vulnerability scanning, red teaming, and tabletop cyber attack simulations.\n\nNomura has developed a Third-Party Security Risk Management program that monitors and assesses the cybersecurity controls of our third-party vendors, which include, among others, service providers, SaaS providers, contractors, consultants, suppliers, etc. This program provides a consistent, controlled, cross-divisional approach to managing the services provided by third-party vendors. We perform various risk identification activities including security questionnaires, threat intel reports, SOC2 Type 2 attestation review, and onsite reviews for critical suppliers. We also perform periodic reassessment of existing critical vendors. Security risks and exceptions observed are monitored per our global Operational Risk Management framework.\n\nDuring the year ended March 31, 2026, we did not identify any risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, there is no guarantee that our business strategy, results of operations and financial condition will not be materially affected by a future cybersecurity incident, and we cannot provide assurances that we have not had occurrences of undetected cybersecurity incidents. See Item 3.D “\n\nRisk Factors\n\n” for further information on our cybersecurity-related risks.\n\nCybersecurity Risk Governance\n\nNomura’s cybersecurity strategy and programs are managed by senior officers: the Group Chief Information Officer (“CIO”), who is supported by the Group Chief Information Security Officer (“CISO”) and the Group Chief Data Officer (“CDO”).\n\n \n\n17\n1\n\n[Table of Contents](#toc)\n\nThese\n\n senior officers have extensive experience in technology, cybersecurity, information security, and data protection and privacy. The CIO has over 35 years of experience in various engineering, IT, Operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of security engineering, risk and control management, data privacy, information security, and cybersecurity. The CDO has over 25 years of experience in data and\n\nanalytics-led\n\nbusiness transformation.\n\nOur Board of Directors (“BoD”) has overall responsibility for risk management, with its committees assisting the BoD in performing this function based on their respective areas of expertise. Our BoD delegates its authority to execute business to the Executive Officers led by Group CEO to the extent permitted by law. Among the matters delegated to the Executive Officers by the BoD, the most important matters of business are decided upon deliberation by the Executive Management Board (“EMB”) which consists of the Executive Officers. The EMB delegates responsibility for deliberation of matters concerning risk management including cybersecurity risks to the Group Risk Management Committee (“GRMC”). The CIO is an observer at the EMB and the GRMC, and provides cybersecurity updates to the EMB and the GRMC.\n\nThe GRMC, based on a delegation from the EMB, meets regularly and reports on its activities and findings to the EMB. These meetings cover critical security topics such as resources and budget in cybersecurity risk mitigation and governance, cybersecurity risks, as well as security incidents and cyber tabletop simulations. In addition to these regular reporting activities to the GRMC, the EMB, and the BoD, potentially material cybersecurity events will be escalated to the same management bodies as well as key stakeholders according to Nomura’s security incident response process including crisis management perspectives.\n\n \n\n17\n2\n\n##### Table of Contents\n\nPART III"}