As the importance of information security grows, it is necessary for all Group members, from management to the front line, to work together to improve the effectiveness of information security management and reduce security risks regarding the Group’s information assets.
Especially in the digital field, cyber-attacks, such as AI-based attacks, are becoming an ever-growing threat. We have been preparing a system to respond quickly to such threats by separating digital security from information security and treating it as IT security. We will also work to properly protect various types of confidential and personal information, including information entrusted to us by external parties.
Our Group has established a promotion system for each of the areas of IT security and confidential information/personal information management, and is working together to strengthen information security under the supervision of the CSR and Sustainability Committee (chaired by an external director).
Regarding IT security, we have established IT Security Committees (with regular meetings twice a year and extraordinary meetings as necessary) chaired by a corporate officer in charge of the Digital Transformation Dept. to monitor the status of IT security activities across the company and promote appropriate measures. In FY2024, the IT Security Committee met twice to report and discuss incidents, activities to strengthen IT security and ISMS activities. In addition, a global conference was held to work on maintaining and strengthening the security system throughout the Group.
Regarding the management of confidential information and personal information, we have established the Confidentiality Management Subcommittee (with regular meetings once a year and extraordinary meetings as necessary) under the Risk Management Committee. This subcommittee, with a corporate officer in charge of the Business Management Dept. as sub-chairman, promotes the reduction of risks related to the management of confidential information and personal information. In FY2024, the Confidentiality Management Subcommittee met once to report incidents and raise awareness of the risk of technical information leaks through people.
In addition, information security activities are led by department managers and department chiefs assigned to each department in the areas of IT security and confidential information/personal information management in each division.
In order to continuously respond to information security risks that threaten companies and organizations, we have set information security as a priority issue (materiality) and are building an information security management system equivalent to ISO 27001.
In recent years, the digital transformation of business operations has progressed, and the number of risk areas that require attention is expanding, such as the use of generative AI. Therefore, we are making continuous improvements by evaluating these new risks in the information security management system, and we conduct annual audits of IT security and IT systems at all bases and promptly correct any identified deficiencies.
At the request of some automobile manufacturers, we have also acquired TISAX certification, which is an audit standard for information security covering the automobile industry supply chain.
We have established a Computer Security Incident Response Team (CSIRT).
When an incident occurs, the CSIRT promptly organizes and confirms the facts, determines the level of the incident, and then responds. We are also accumulating and sharing knowledge as a measure to prevent recurrence.
In addition to responding after an incident occurs, we also focus on proactive defense, striving to improve our security level and maturity from both pre- and post-incident perspectives.
Raising employee awareness of information security is essential to prevent information security incidents, and education and awareness-raising are provided through various training and educational tools.
The working group on confidentiality management annually inspects the company-wide status of confidentiality management based on the confidentiality management rules set by the company. The secretariat of the Confidentiality Management Subcommittee confirms the validity of each department's self-inspection results in order to strengthen the checking function. In FY2024, we revised the rules to review how confidential information is handled according to its level, and promoted thorough information management through education and awareness-raising activities for employees.
Furthermore, in addition to the rules on the in-house handling of confidential information, we have also established rules on the use of confidential information outside the company in order to prevent the leaking of such information, including rules on the use of portable computers and cloud services, and we monitor compliance with the rules.
As protection of personal information continues to be strengthened around the world, as seen in the General Data Protection Regulation (GDPR) in Europe and the Act on the Protection of Personal Information in Japan, each company in the Group has established its own regulations to thoroughly protect, manage, and handle the personal information of customers, employees, and others.
See the policy regarding the handling of personal information (Privacy Policy) below.