CSR Activity Report (CSR Guideline Activity Reports) - Risk Management
Addressing Information Security Risks
In fiscal 2022, Toray Group reviewed its policies and framework related to information security with the aim of maintaining and enhancing information security across the entire Group.
As part of this effort, it established the Toray Group Information Security Basic Policy, which outlines how all executives and employees, including contracted, part-time, and dispatched employees, are expected to fulfill the Group’s social responsibility concerning information security.
In terms of structure, the Toray Group Information Security Steering Committee has been established to promote information security across the entire Group. It is chaired by the general manager of the General Administration & Communications Division at Toray Industries¹, and the members include representatives from the Legal & Compliance Division, Human Resources Division, Information Systems Division, and other relevant departments. The committee deliberates on information security policies, discusses risk mitigation measures, and issues instructions to the Information Security Committees set up in each division. It also monitors security situations and reports the activities to the Company’s Executive Committee. The Information Security Committees in each division provide instructions on security measures to their respective departments within Toray Industries and to the group companies they oversee, and monitor each situation accordingly.
The main activities of the Toray Group Information Security Steering Committee are as follows and are reported to the Board of Directors after being deliberated by the Executive Committee, which acts as a consultative body.
- Ascertaining the risk situation across the entire Toray Group and staying informed on global trends
- Formulating Toray Group information security standards² and monitoring progress: Checking whether all group companies have met the standards. Requiring companies that have not met the standards to create an improvement plan, as well as following up on progress made
- Conducting regular diagnostic security assessments and monitoring: Having third-party information security companies evaluate Internet security and performance at group companies. Also, requiring any necessary improvements to be carried out by the companies concerned, and following up on progress made
- Ensuring immediate response and prevention of damage escalation in the event of a security incident: The department or group company discovering an incident must report it within 24 hours to the general manager of the General Administration & Communications Division. Depending on the scale of potential or actual damage, actions must be taken according to predetermined procedures to notify relevant internal and external stakeholders and prevent damage from spreading.
- ¹ As of July 2024, a senior vice president serves as general manager of the General Administration & Communications Division.
- ² Toray Group information security standards have been developed with reference to information security standards issued by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) and using advice from external security companies. The standards encompass measures to mitigate risks such as cyberattacks, insider threats, and employee operational errors.
Toray Group Information Security Basic Policy: Established in April 2022
Toray Group prioritizes information security as an important management issue. In order to fulfill the Group's social responsibility, all officers and employees (including contract, part-time, and dispatched employees) take thorough measures based on the Information Security Basic Policy.
- Ethics and compliance
We prohibit ourselves from collecting, moving, or using any information assets illegally or in violation of the laws and regulations applicable where Toray Group conducts its duties.
- Development and operation of systems and rules
In order to promote information security measures and to respond promptly to information leaks, we have established an information security system. We will establish a system and rules for security and apply them appropriately.
- Protection of information
We will protect the information of our customers and the Toray Group companies in accordance with the significance of the risk. From the perspective of the protection of personal information, we will protect the personal information of our employees, customers, and Toray Group companies from being used for any purpose other than its original intent.
- Availability of information assets in support of business continuity
We will secure the availability of the information assets necessary to pursue and fulfill our social responsibility.
- Continuous improvement and maintenance of information security
We will continuously improve the information security management system by prioritizing identified issues and by continuously conducting risk analysis of emerging threats, changes to the business, and/or the evolution of information technology.
Combating Cyber Attacks
Toray Group is taking a range of measures to combat today’s increasingly sophisticated cyberattacks. In addition to efforts aimed at preventing such incidents, the Group has implemented measures to mitigate risks in the event of a damaging attack.
- Compliance with Toray Group information security standards
Each group company establishes its own information security management system. After identifying information assets such as computer terminals, servers, user IDs, confidential information, and personal data, the companies define and implement rules for managing and securing each asset. Security measures also include procedures for responding to security incidents, securing backups for system recovery, and preparing recovery procedures.
- Device management
Toray Industries has standardized specifications and settings for its computers and smartphones and has established a system for centralized management of these devices. These measures are being expanded across the Toray Group.
- Authentication management
Toray Industries has established a system for centralized management of user IDs and utilizes multi-factor authentication (MFA). This initiative is also being expanded across the Group.
- Network management
- (1) Toray Industries and its group companies constantly monitor communications between the Internet and their own internal networks.
- (2) Toray Group conducts regular risk assessments of Internet security and performance using third-party security companies and implements all necessary improvements.
- Server and cloud service management
Toray Group maintains server and cloud service ledgers. Toray Industries has also developed a group-wide shared server environment with security monitoring capabilities, which is being adopted across the entire Group.
- Enhancing education and training
As IT measures alone may not be sufficient to address today’s increasingly sophisticated cyberattacks, the Group also conducts education through regular e-learning for all employees (once a year) and training sessions on responding to unsolicited email.
Prevent Employees from Leaking Confidential Information
Toray Group implements a range of measures in accordance with the Toray Group information security standards.
In addition to providing information security education for all employees on an annual basis, Toray Group conducts level-specific training for employees, including new employees and newly appointed managers. The aim is to improve security awareness and skills, while also thoroughly disseminating the Toray Group Information Security Basic Policy. At the same time, an e-mail magazine is sent out regularly and a series on information security is carried in an in-house magazine to encourage the improvement of information security literacy among all employees.
Before removing a computer or smartphone from an office, for example, employees must receive permission from a manager. In addition, the actual device must be inspected monthly, and an inventory of assets is taken once every six months. Moreover, the Group has established procedures for dealing with the loss of such devices and other similar incidents, and has built reporting channels and other mechanisms to minimize any resulting damage.