Addressing Information Security Risks

Toray Group has formulated its Confidential Information Management Regulations and Regulations for the Management of Personal Information for the purpose of protecting confidential information and personal information owned by the Group and of appropriately managing the confidential information and personal information entrusted by suppliers and stored by the Group.
Based on these regulations, Toray Industries, Inc. established the position of Corporate Information Security Officer (held by the Senior Vice President, General Administration & Communications Division¹) as the officer responsible for the Toray Industries. The Corporate Information Security Officer discusses and coordinates measures related to enhancing information security with related departments, and promotes their deployment. Under the Corporate Information Security Officer, the Group is working to enhance information security by defining the roles and responsibilities of each division and department, and by establishing an Information Security Committee in each department for their promotion.
The Toray Group Information Security Basic Policy was established in April 2022. While strengthening governance, its purpose is to ensure appropriate management of confidential information across Toray Group in order to reduce information security risks such as data leaks.
As is the case at Toray Industries, each group company in and outside Japan also establishes various rules and promotes information security measures in accordance with the Toray Group Information Security Basic Policy.
Moreover, information security has been included in the fifth three-year set of priority risks for Toray Group (fiscal 2021–2023), and more comprehensive initiatives will be taken group-wide. Plans for addressing priority risks and progress reports on steps taken are reported to the Board of Directors on a regular basis.

1. 1 As of July 2022, a senior vice president serves as general manager of the General Administration & Communications Division.

Toray Group is taking the following initiatives to respond to today’s increasingly sophisticated cyberattacks.

1. Thoroughly implementing and enhancing existing initiatives

   Standardizing and automating the settings and security measures of PCs owned by the Group

2. Enhancing network security
   1. (1) Constant monitoring and analysis of communications between the outside (Internet) and the corporate network, and within the corporate network
   2. (2) Periodic external expert vulnerability assessments of connections with the outside (Internet) and reviews of appropriate responses
3. Enhancing education and training

   Because IT measures alone may not be sufficient to address today’s increasingly sophisticated cyberattacks, the Group also conducts education through regular e-learning (once a year) and several unannounced rounds of suspicious e-mail response training for all employees.

In addition to providing information security education for all employees on an annual basis, Toray Group conducts grade-specific training for employees, including new employees and newly appointed managers, in aims of improving security awareness and skill-levels. At the same time, an e-mail magazine is sent out regularly and a series on information security is carried in an in-house magazine to encourage the improvement of information security literacy among all employees.
Before removing a computer or smartphone from an office, for example, employees must receive permission from a manager. In addition, the actual device must be inspected monthly, and an inventory of assets is taken once every six months. Moreover, the Group has established approaches to dealing with the loss of such devices and other similar incidents, and has built channels for reporting and other mechanisms to minimize damage thereof.