CSR Activity Report (CSR Guideline Activity Reports) - Risk Management

Addressing Information Security Risks

Toray Group strives to protect and appropriately manage important technical information, confidential sales and marketing information, personal information, hardware and software in its possession. Accordingly, the Group has positioned information security as one of its priority risks, and is promoting increasingly comprehensive initiatives group-wide.
The Toray Group Information Security Steering Committee was established in fiscal 2022, chaired by the General Manager of the General Administration & Communications Division at Toray Industries.[1] This committee performs central management of information security across the Group, marking a change from security optimization on a company basis to a group-wide basis. In fiscal 2022, the Toray Group Information Security Basic Policy was also established by resolution of the Board of Directors. Under the supervision and management of this committee, Toray Industries ascertains the risk situation for the entire Group as well as the global trends, establishes group-wide security management standards, conducts follow-up on their adoption, and performs regular diagnostic security checks and monitoring, thereby ensuring and enhancing information security across Toray Group.
In the event of an incident such as an information leak or a system outage due to a cyberattack, any department of Toray Industries or affiliated company that becomes aware of such an incident must report it to the General Manager of the General Administration & Communications Division within 24 hours. Toray Industries has systems and response procedures in place for contacting relevant parties in and outside the Company, depending on the scale of potential or actual damage, and for preventing the damage from spreading.

  1. As of July 2023, a senior vice president serves as general manager of the General Administration & Communications Division.

Toray Group Information Security Basic Policy: Established in April 2022

Toray Group prioritizes information security as an important management issue. In order to fulfill the Group's social responsibility, all officers and employees (including contract, part-time, and dispatched employees) take thorough measures based on the Information Security Basic Policy.

  1. Ethics and compliance
    We will prohibit ourselves from collecting, moving or using any information assets illegally in violation of the regulation or law where Toray Group engages in its duties.
  2. Development and operation of systems and rules
    In order to promote information security measures and to respond promptly to information leaks, we have established an information security system. We will establish a system and rules for security and apply them appropriately.
  3. Protection of information
    We will protect the information of our customers and the Toray Group companies in accordance with the significance of risk. From the perspective of the protection of personal information, we will protect the personal information of our employees, customers, and Toray Group companies from being used for any purpose other than its original intent.
  4. Availability of information assets in support of business continuity
    We will secure the availability of information assets necessary to pursue and fulfill our social responsibility.
  5. Continuous Improvement and Maintenance of Information Security
    We will continuously improve the information security management system by prioritizing identified issues, by continuously conducting risk analysis of emerging threats, changes to the business, and/or the evolution of information technology.

Combating Cyber Attacks

Toray Group is taking the following initiatives to respond to today’s increasingly sophisticated cyberattacks.

  1. Thoroughly implementing and enhancing existing initiatives

    Standardizing and automating the settings and security measures for computers, servers, and communication equipment owned by the Group

  2. Enhancing network security
    (1) Constant monitoring and analysis of communications between the outside (Internet) and the corporate network, and within the corporate network
    (2) Periodic external expert vulnerability assessments of connections with the outside (Internet) and reviews of appropriate responses
  3. Enhancing education and training

    Because IT measures alone may not be sufficient to address today’s increasingly sophisticated cyberattacks, the Group also conducts education through regular e-learning (once a year) and several unannounced rounds of suspicious e-mail response training for all employees.

Prevent Employees from Leaking Confidential Information

In addition to providing information security education for all employees on an annual basis, Toray Group conducts level-specific training for employees, including new employees and newly appointed managers. The aim is to improve security awareness and skills, while also thoroughly disseminating the Information Security Basic Policy.
At the same time, an e-mail magazine is sent out regularly and a series on information security is carried in an in-house magazine to encourage the improvement of information security literacy among all employees.
Before removing a computer or smartphone from an office, for example, employees must receive permission from a manager. In addition, the actual device must be inspected monthly, and an inventory of assets is taken once every six months. Moreover, the Group has established approaches to dealing with the loss of such devices and other similar incidents, and has built reporting channels and other mechanisms to minimize the resulting damage.
