Thorough Information Security

Basic Concept

The Nisshinbo Group regards information security as one of its most important risks. In April 2023, the Group revised the “Guidelines for Information Security” that the Group is to meet and deployed them to Group companies to improve information security and establish an information security operation system.
These guidelines consist of human and organizational management, physical management, and technical management, and the following three points were particularly emphasized in the revision.

  • ① When outsourcing operations, the responsibilities of the outsourcer regarding information security and the measures to be implemented should be clarified.
  • ② In preparation for the event of an information security incident, an emergency response system and recovery procedures should be established.
  • ③ For backups of important information, backups should be stored in a secure environment and restoration procedures should be established.

In addition, the Group recognizes that one of its key corporate responsibilities is to ensure that all important information related to stakeholders is protected and managed appropriately. In order to fulfill this responsibility, the Group handles personal information in accordance with its “Privacy Policy.”

Promotion System

About Information Security

In order to ensure the continuation of safe and stable business activities of Nisshinbo Group companies, under a system in which the Director and the Chief of the Corporate Strategy Center of Nisshinbo Holdings, Inc. is in charge, the Nisshinbo Group has established a meeting of information system managers, which is overseen by the Information System Group of the Finance, Accounting & IT Service Department of the Corporate Strategy Center, to confirm the status of information system update plans and management of security measures.

Personal Information Protection

The Group has established a personal information protection secretariat and is working on personal information protection activities under a system in which its managing officer is the chief privacy officer and personal information protection officers are appointed for each department unit. The Group has also established a personal information consultation service to handle consultations and inquiries regarding personal information from outside the Group that are received by telephone, fax, or inquiry form.

In addition, a management review of information security and personal information protection is conducted at the Board of Management of Nisshinbo Holdings Inc. and is directed by the president, who is the chief executive officer of the group. Management reviews are also reported to the Board of Directors.

Specific Initiatives of The Nisshinbo Group

Under the revised Fifth Sustainability Promotion Plan, the Nisshinbo Group has designated strengthening information security measures as a key action item, and is working to strengthen its response to external threats and to provide ongoing information security education to employees.

Strengthening Responses to External Threats

Along with subsidiary inspections covering the entire Nisshinbo Group, vulnerabilities in servers and network equipment are checked and systematic vulnerability countermeasures are implemented. Going forward, the Group will promote comprehensive countermeasures that take into account early detection, response, and recovery, assuming that it is difficult to completely defend against attacks.

Cyber Security Framework

Initiatives to Ensure Information Security

The Nisshinbo Group has established the “Guidelines for Information Security” to set forth rules to be followed by all group companies in Japan and overseas. To prevent the leakage of confidential information, including customers' personal information, the Group is continuously promoting education and other measures to enhance information security based on these guidelines.

Compliance with Rules / Implementation of Information Security Education and IT Internal Audits

The Group has compiled rules to be kept by information system users into educational materials and is working to raise awareness of information security measures among all Group users through a Learning Management System that includes periodic education and comprehension tests. At the same time, group training is provided for new employees and those dispatched overseas.

In addition, IT internal audits are regularly conducted on Japan and overseas subsidiaries to confirm compliance with the information security guidelines and to ensure continuous improvement.

Prevention of Internal Fraud

The Group uses an information security management system to monitor access to important data and restrict network access to unauthorized information devices.

Prevention of External Attacks

To counter cyber-attacks, the Group monitors e-mails through its e-mail security system, installs antivirus software on information equipment, and applies security patches thoroughly.

Targeted e-mail training for employees of Japan and overseas Group companies has been conducted since FY2021 to raise cybersecurity awareness and cultivate response capabilities. Training has been expanded to include Japan and overseas Group companies since FY2022.
In FY2022, the training was conducted for 5,501 persons at 17 Group companies, and the open rate was 7.7%, lower than the previous rate of 11.1%. Those who opened the training e-mails were educated on precautions to take when receiving e-mails through the contents displayed upon opening the e-mails.

Countermeasures in the Event of a Large-Scale Disaster

From the standpoint of business continuity in the event of a large-scale disaster, the Group promotes the use of external data centers and cloud systems.

Support for New Normal Lifestyles

To enhance security during telework, the Group eliminated traditional VPN connections and switched to using a cloud-based firewall system. The Group is moving from a traditional perimeter security model, which keeps the inside of the company secure, to a zero trust security model, which monitors overall status and applies the same security to access from outside the Group.

Initiatives to Protect Personal Information

To ensure every one of its employees maintains awareness of personal information protection, the Nisshinbo Group conducts training when employees join the company and when they are promoted as well as training at each of its business sites based on its annual plan. The Group also conducts regular internal audits to check the management status of listed personal information (registration, deletion, storage methods, training status, etc.), and is committed to thorough and continuous improvement in preventing external leakage.

In FY2022, it was discovered that customer information may have been leaked due to unauthorized access by a third party who exploited a vulnerability in a website operated by a company in its group.
The Group reported the matter to the Personal Information Protection Committee, the supervisory authority, and based on the investigation of the cause of the unauthorized access and other matters by a specialized investigation company, the Group made a public announcement and issued an apology and notice to its customers.
The Group takes this incident very seriously and will work to prevent a recurrence through measures such as strengthening the security measures and monitoring systems of the entire Group's systems.

Specific Activities of the Group Companies

Acquisition of Various Certifications Related to Information Security

The Nisshinbo Group has acquired and updated ISO/IEC 27001 (ISMS: Information Security Management System) and other international standards related to information security management systems required for each business at each Group company. The Group is also working to obtain TISAX® (Trusted Information Security Assessment Exchange) certification for the automotive industry supply chain.

Introduction of Surveillance Cameras and PC Control Software

Nisshinbo Business Management (Shanghai) Co., Ltd. in China implemented the following measures in consultation with a JETRO-contracted law office and the Information System Group of Nisshinbo Holdings Inc. to prevent the leakage of trade secrets and to comply with the Cybersecurity Law of the People's Republic of China.

① Installation of surveillance cameras
With this measure it is now possible to keep a record of entry and exit for 24 hours, or about 6 months.
② Installation of PC control software
The new software enables the acquisition of PC logs for a period of six months as stipulated by the Cybersecurity Law of the People's Republic of China, as well as USB memory stick usage restrictions, website upload logs, etc. When the software was introduced, a briefing session was held with all employees to explain the purpose of the system.

The Group will continue to work with the department in charge of information system security to improve the level of information security in China.

Information System Vulnerability Assessment

Japan Radio Co., Ltd. conducts regular information security vulnerability assessments. In light of the recent sophistication of cyber-attacks and actual damage, the objective is to understand the sufficiency of technical countermeasures against possible threats, items requiring additions and improvements, and their priorities.

The company has been taking countermeasures to address the issues identified in the previous assessment by determining the order of priority. Now that these measures have been completed and due to the rapid changes in the security situation, the company once again conducted a vulnerability assessment by a security vendor. This time, the main target was the information-related Internet connection environment. Based on 14 threat scenarios, the company determined the degree of sufficiency in each case and identified areas requiring improvement for the company. Based on the results of the assessment, the company will formulate a plan to improve necessary countermeasures and implement further security enhancement measures in the future.

Based on the results of the determination, the company is currently in good standing and does not require additional security equipment, and will investigate the logs in the future.

Information Security and Personal Information Protection Education at Each Store

Tokyo Shirts Co., Ltd. conducts education on information security every year. Since the employees to be trained work at stores nationwide, group training is first conducted for head office employees and sales managers, and then the managers visit each store and meet with each staff member to read and discuss the materials.

In FY2022, in addition to the company's information equipment management rules, precautions for managing user IDs and passwords, and how to deal with suspicious e-mails, education on the protection of personal information was also provided in parallel. The personal information protection training explained how mishandling of information equipment could lead to the leakage of customers' personal information.

The company will continue to educate its staff to raise their awareness of information management.