Basic Concept
The Nisshinbo Group regards information security as one of the most important risks, and in April 2023, the Group revised the "Guidelines for Information Security" to be achieved by the Group and deployed them to group companies to improve information security and establish an information security operation system. These guidelines consist of human and organizational management, physical management, and technical management, and the following three points were particularly emphasized in the revision.
- ① When outsourcing operations, the responsibilities of the outsourcer regarding information security and the measures to be implemented should be clarified.
- ② In preparation for the event of an information security incident, an emergency response system and recovery procedures should be established.
- ③ For backups of important information, backups should be stored in a secure environment and restoration procedures should be established.
In addition, the Group recognizes that one of its key corporate responsibilities is to ensure that all important information related to stakeholders is protected and managed appropriately. In order to fulfill this responsibility, the Group handles personal information in accordance with its "Privacy Policy."
Promotion System
Nisshinbo Holdings Inc. reorganized its organizational structure in April 2025 with the aim of building and overseeing a structure that would lead to urgent change. The Company has appointed an executive officer to take responsibility for each area and strengthened its functional organizations.
About Information Security
In order to ensure the continuation of safe and stable business activities of Nisshinbo Group companies, under a system in which the Executive Officer in charge of Information Systems of Nisshinbo Holdings, Inc. is the supreme authority, the Nisshinbo Group has established a meeting of information system managers, which is overseen by the Information System Group of the Risk Management Department, to confirm the status of information system update plans and management of security measures.
Personal Information Protection
Nisshinbo Holdings, Inc. has established a personal information protection secretariat and is working on personal information protection activities under a system in which its managing officer is the chief privacy officer and personal information protection officers are appointed for each department unit. The Group has also established a personal information consultation service to handle consultations and inquiries regarding personal information from outside the Group that are received by telephone, fax, or inquiry form.
The responsible officer of the Company reports on the Group's information security and personal information protection initiatives and status at the annual Board of Management* and supervises the targets and progress. The president of the Nisshinbo Group, who is the chief executive officer of the Group, conducts management reviews and issues instructions on the matters necessary for management. Special items are reported to the Board of Directors as appropriate.
* The Board of Management: Executive conference consisting of Directors, Executive officers, etc.
For an overview of our organizational structure for promoting sustainability, please see "Promotion System for Sustainability Activity".
Specific Initiatives of The Nisshinbo Group
5th Sustainability Promotion Plan (to be achieved by FY2024)
In the 5th Sustainability Promotion Plan, with FY2024 as the target year, the Nisshinbo Group set the following item as its target and KPI to strengthen information security measures as a priority activity and achieve the goal of defending against external threats.
Strengthen protection against external threats and continuously train employees on information security
We have continuously implemented targeted email training and education on personal information protection.
6th Sustainability Promotion Plan (to be achieved by FY2027)
In the 6th Sustainability Promotion Plan, which targets FY2027, the Nisshinbo Group will continue to focus on strengthening information security measures as a priority activity and will set the following goal to defend against external threats.
Strengthen protection against external threats and continuously train employees on information security
Please refer to "Sustainability Promotion Plan and KPIs" for details regarding the "Sustainability Promotion Plan."
Strengthening Responses to External Threats
Along with subsidiary inspections covering the entire Nisshinbo Group, vulnerabilities in servers and network equipment are checked and systematic vulnerability countermeasures are implemented. Going forward, the Group will promote comprehensive countermeasures that take into account early detection, response, and recovery, assuming that it is difficult to completely defend against attacks.
Cyber Security Framework

Initiatives to Ensure Information Security
The Nisshinbo Group has established the "Guidelines for Information Security" to set forth rules to be followed by all group companies in Japan and overseas. To prevent the leakage of confidential information, including customers' personal information, the Group is continuously promoting education and other measures to enhance information security based on these guidelines.

Compliance with Rules / Implementation of Information Security Education and IT Internal Audits
The Group has compiled rules to be kept by information system users into educational materials and is working to raise awareness of information security measures among all Group users through a Learning Management System that includes periodic education and comprehension tests. At the same time, group training is provided for new employees and those dispatched overseas.
In addition, IT internal audits are regularly conducted on Japan and overseas subsidiaries to confirm compliance with the information security guidelines and to ensure continuous improvement.
Prevention of Internal Fraud
The Group uses an information security management system to monitor access to important data and restrict network access to unauthorized information devices.
Prevention of External Attacks
To counter cyber-attacks, the Group monitors e-mails through its e-mail security system, installs antivirus software on information equipment, and thoroughly applies security patches.
Targeted e-mail drills are conducted once a year for employees of domestic and overseas Group companies with the aim of raising cyber security awareness and cultivating response capabilities. In the FY2024 training, training e-mails simulating three targeted e-mail drills were prepared for 8,097 participants from 31 Group companies and sent to the targets at random. The open rate varies greatly depending on the pattern of training e-mails, and the Group will use this as an opportunity to identify future issues, enhance security education, and continue targeted e-mail training.
In addition, the following two incidents occurred within Nisshinbo Group in FY2024. Please refer to the following for details on the causes and measures taken.
- Risk of personal information leakage due to unauthorized access
- Apology and report regarding targeted attack emails
Nisshinbo Group will continue to strengthen our response to external threats and provide ongoing information security training to our employees.
Countermeasures in the Event of a Large-Scale Disaster
From the standpoint of business continuity in the event of a large-scale disaster, the Group promotes the use of external data centers and cloud systems.
Support for New Normal Lifestyles
To enhance security during telework, the Group eliminated traditional VPN connections and switched to using a cloud-based firewall system. The Group is moving from a traditional perimeter security model that keeps the company secure internally to a zero trust security model that monitors the overall status with the same security from outside the Group.
Initiatives to Protect Personal Information
To ensure every one of its employees maintains awareness of personal information protection, the Nisshinbo Group conducts training when employees join the company and when they are promoted as well as training at each of its business sites based on its annual plan. The Group also conducts regular internal audits to check the management status of listed personal information (registration, deletion, storage methods, training status, etc.), and is committed to thorough and continuous improvement in preventing external leakage.
Initiatives Related to Generative AI
Generative AI services available to the public are useful for improving operational efficiency and generating new ideas, but concerns about authenticity and copyrights, as well as the risk of leaking confidential information, have also been raised. Therefore, guidelines for the use of generative AI were established in July 2023 and deployed to Group companies. Each company will tune and customize the guidelines to optimize them for their own needs and prohibitions and to ensure appropriate use and management.
Specific Activities of the Group Companies
Preparation for Information Security Incidents
Japan Radio Co., Ltd., diligently participates in activities organized by the Nippon CSIRT Association (NCA) to exchange information and learn about the latest trends in cyberattack countermeasures.
In September 2024, the company participated in the NCA CSIRT Workshop in Nagano - Security Education Presentation Meeting. They held the first workshop in the Hokushinetsu region at the company's Nagano office and worked with members from different companies to discuss effective education methods. This initiative was recognized for its contribution to activities in the region, and a JRC-CSIRT*1 member employee was honored with the award.
In addition, the company participates annually in joint exercises held by the National center of Incident readiness and Strategy for Cybersecurity (NISC) and the NCA. This exercise, called the NISC/NCA Joint Comprehensive Cyber Exercise, is a large-scale cyber exercise targeting 15 critical infrastructure operators*2 across the country. In FY2024, the exercise was held in December with a total of 850 teams participating, including 164 teams (1,014 participants) from NCA member companies and organizations.
The exercise will be conducted via Zoom, following the scenario presented by the secretariat. When the scenario is presented, each participating team will discuss it and record their response on an action record sheet.
This involves recording how the organization responds to a scenario as it unfolds, and then reviewing the results at the end. By simulating scenarios in accordance with internal rules and operating procedures, participants were able to identify issues through the exercises.
*1 JRC-CSIRT: CSIRT stands for Computer Security Incident Response Team, which is a team that handles computer security issues. JRC-CSIRT refers to the CSIRT at Japan Radio Co., Ltd.
*2 15 sectors: Information and communications, finance, aviation, airport and railway, electricity, gas, government and administrative services, medical care, water supply, logistics, chemicals, credit, petroleum, and port operations.


Establishment of Security Policies and Internal Audits
JRC Engineering Co., Ltd. established information security policies and objectives, conducted risk assessments, and formulated organization-wide regulations called the ISMS (Information Security Management System) Rulebook to guide its activities.
As part of information security training for employees, JRC Engineering Co., Ltd. holds introductory training sessions and regular training sessions to ensure that employees understand the importance of information security and the relevant rules. In addition, to confirm the effectiveness of the training, the company conducts post-training surveys and internal audits that cover all departments to ensure that employees understand information security and are performing their duties accordingly.
Going forward, the company will continue to conduct management reviews to assess new threats arising from changes in ICT (information and communications technology), changes in stakeholders, and complaints and requests, and implement continuous rule improvements to prevent serious incidents.

Prompt Employee Information Updates and Thorough Security Management
Ueda Japan Radio Co., Ltd. sets account permissions for each employee according to the department and position, and the company has a system in place to update information immediately when personnel changes are announced. This reduces the risk of unnecessary permissions being granted and information leaks, thereby improving operational efficiency.
In addition, the company works closely with each department to ensure system accuracy and rapid response. Furthermore, Ueda Japan Radio Co., Ltd. conducts annual inventory checks to verify account validity and promptly reviews or deletes access privileges for any accounts that are found to be unnecessary. The company conducts regular audits twice a year to maintain and strengthen internal controls, thereby contributing to the safety and reliability of the company.
These initiatives are an integral part of the information security measures of Ueda Japan Radio and serve as an important foundation for the sustainable growth of the company. Ueda Japan Radio will continue to raise employee awareness of security through education and other means, with the aim of building an even more robust management system.
Measures to Prevent Information Leakage
Kokusai Denki Electric Inc. established a 24/7 Security Operation Center (SOC) monitoring system as a measure to prevent information leaks, which the company operates in real time to detect threats.
In order to strengthen data protection, the company introduced hard disk encryption and remote wipe functions to ensure data security even in the event of loss or theft. Furthermore, Kokusai Denki Electric prevents phishing attacks and malware intrusion by quarantining suspicious emails, thereby reducing security risks.
In addition, Kokusai Denki Electric regularly conducts security training to raise employee security awareness and improve incident response capabilities. By sharing knowledge about the latest attack methods and threats and preventing internal misconduct, the company is strengthening its overall security system.
Implementation of Information Security Education
Goyo Electronics Co., Ltd. provides information security education and training on targeted email attacks once a year in accordance with the Kokusai Denki Electric Group Information Security Promotion Plan.
The objective of information security education is to reflect on actual incidents, learn what precautions to take and what actions to implement to prevent incidents from happening in the future, and then maintain a high level of security awareness and approach daily work with this in mind. In FY2024, the target number of participants was 374, and the implementation rate was 100%.
On the other hand, the purpose of targeted attack email training is to gain a thorough understanding of the characteristics of increasingly sophisticated targeted attack emails and improve the ability to respond to suspicious emails. As a response simulation exercise, training emails were randomly distributed to all employees. The open rate for training emails in FY2024 was 4.6% (down 2.8% from the previous fiscal year). After the training, the Kokusai Denki Electric Group IT Report explained the open rate, points to note, and response procedures with the aim of further raising individual security awareness.

Acquisition of TISAX® information security certification standard from the German Association of the Automotive Industry
Nisshinbo Brake Inc. became the first company in Japan to obtain official certification under the TISAX® (Trusted Information Security Assessment Exchange) information security certification standard established by the German Association of the Automotive Industry (VDA) in March 2024. The company published their basic information security policy, which includes the three elements of information security—confidentiality, integrity, and availability—on their website, and all employees are required to act in accordance with this policy.
In order to maintain certification, the company incorporated the latest revisions to the requirements into its regulations, provided training using videos that reflect these revisions, and confirmed that all applicable personnel completed the training. In targeted email training, employees who receive simulated training emails can be seen alerting those around them. By obtaining TISAX® certification, awareness of information security spread throughout the entire workforce and thereby fostered an atmosphere in which teamwork is leveraged to protect the organization.



Efforts to Prevent Information Leaks
Saeron Automotive Corporation in South Korea is conducting a variety of security activities to prevent information leaks.
Internal documents and programs and files used company-wide are consolidated and managed systematically. For information management, the company uses a system called network access control (NAC) to block unauthorized access to the internal network, and a data loss prevention (DLP) system to prevent the external leakage of important information.
In addition, the company reduces security risks at an early stage by restricting the use of external programs. This initiative is carried out in collaboration with the Information Systems Department of Nisshinbo Brake Inc. The company exchanges information through regular audits and strictly complies with global security guidelines.
In addition, the company operates an information security bulletin board on its internal intranet Groupware. The company shares information security news and guidelines with executives and strives to raise security awareness.


Implementation of Information Security and Personal Information Protection Education
Tokyo Shirts Co., Ltd. provides information security training and personal information protection training for all employees every year from September to October. Based on training materials, headquarters staff and managers in charge of stores nationwide provide training to store managers who then give lessons to each staff member.
The company mainly conducts business in stores where many people come and go and handles a large amount of personal information. Therefore, the training curriculum covers a wide range of topics, including password management for information devices, prohibition of mixing business and personal use (such as using personal devices for business purposes), prevention of loss and theft, precautions to take when working outside the office, and awareness of targeted emails.
