Information Security


Management Approach

Basic Views

The Kawasaki Group provides products and services to a diverse range of customers, from businesses, the public sector, and general consumers to the Self-Defense Forces. Any information leakage could affect our credibility and brand value and thereby undermine the foundations of our management. This is why ensuring information security is an important management issue that needs to be considered. In order to protect our business from such management risks, we are working to appropriately manage and protect important information assets, such as information concerning customers, business partners, and the company's business. It is our social responsibility to ensure, maintain, and improve information security.

Information Security Policy

The following four principles are the basic ideas for our approach to information security. "The Kawasaki Group Policy on Information Security" is based on these principles, and we have formulated various information security policies for the operation of information systems, including their use, introduction, and development, in accordance with world standards such as NIST CSF.* We have also established internal rules and guidelines in accordance with the various policies that govern the entire Group.

  1. Build a system to strengthen collaboration across the Kawasaki Group
  2. Identify and manage important information assets
  3. Plan and deploy appropriate measures to identify, defend, detect, respond, and recover from cyberattacks
  4. Ensure all officers and employees improve their knowledge and awareness of information security

* NIST CSF (Cybersecurity Framework): A framework for improving the cybersecurity of critical infrastructure, published by the National Institute of Standards and Technology

Information security management structure

The Director in charge of DX strategy takes on the role of CISO. The Information Security Committee is chaired by the CISO, and the person in charge of information security in each business entity participates. Based on instructions from management and the Board of Directors, the committee shares and deploys policies and plans related to information security and various measures against information security risks to business units, the Kawasaki Group companies, and related organizations. The Information Security Committee also presents cyber threats, information security risks, shared issues, and the status of incident responses to the Management Meeting and reports to the Board of Directors according to their importance.
An information security supervisory department is also established under the executive officer in charge of information security. The department will develop information security strategies, identify information security risks, plan and implement measures, conduct audits, and handle information security incidents (detect, address, and recover). Based on instructions from the Information Security Committee, the information security supervisory department will lead each business entity, the Kawasaki Group companies, and related departments to collaborate with each other and systematically prepare and promote ways to ensure, maintain, and improve information security from the three perspectives of “technical measures,” “education/training,” and “rules” to address ever-changing information security risks.

Information security management structure


Responsible Officers

Director Responsible for DX Strategy (CISO): Hiroshi Nakatani, Representative Director, Senior Corporate Executive Officer
Executive Officer Responsible for Information Security: Hironobu Urabe, General Manager of DX Strategy Division and Executive Officer

Responsible Executive Organ and/or Committee

Board of Directors / Information Security Committee


Initiatives for Information Security

Third-party Evaluations and Obtaining Certification for Information Security

The Kawasaki Group promotes third-party evaluations and certification for information security, with organizational units that have obtained certification for information security detailed below.

ISMS (ISO/IEC 27001)-certified organizations

  • Kawasaki Heavy Industries, Ltd. (Project Management Department, Presidential Project Management Division)
  • BENIC SOLUTION CORPORATION (Infrastructure Design Department/Operation Service Department, Digital Infrastructure Solution Service Division)

Privacy Mark-certified companies

  • BENIC SOLUTION CORPORATION
  • K Career Partners Corporation

International Standard for Industrial Cybersecurity (IEC 62443-4-1)-certified organization

  • Kawasaki Heavy Industries, Ltd. (Robot Business Division, Precision Machinery & Robot Company)

Information Security Risk Management

As part of our initiatives to reduce information security risks, we identify the information assets to be protected by the Kawasaki Group and collect information on a daily basis from the Information-technology Promotion Agency, Japan (IPA), Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), and other specialized organizations, as well as security vendors, security analysts and other sources, in order to accurately capture increasingly sophisticated cyber threats. Based on the collected threat information, we analyze possible attackers, attack methods, and attack scenarios and identify vulnerabilities. We then conduct periodic assessments to determine whether information assets are protected accordingly from the analyzed or identified threats and vulnerabilities to evaluate risks. We also conduct internal audits and use other means to periodically examine and assess the implementation status of countermeasures based on risk assessment results as well as the management and operational status in accordance with relevant policies and rules.

Information Security Countermeasures in Supply Chain

When addressing risks in the Group’s supply chain, we establish processes for identifying, analyzing, prioritizing, and assessing risks.
Specifically, in fiscal 2022, we introduced the Kawasaki Group’s Information Security Guidelines for Business Partners to encourage suppliers to implement information security countermeasures and to support them in adopting countermeasures tailored to their specific circumstances. In addition, as a part of supply chain management, we included questions relating to information security in the supplier survey conducted with both domestic and overseas suppliers starting in fiscal 2024. We are working to confirm the information security status of suppliers and mitigate risks in the supply chain.

Frameworks and Mechanisms for Responding to Incidents

In order to protect the information of our customers and business partners and the information assets of the Kawasaki Group from cyber threats, which are becoming more advanced and dangerous, we have put in place the system necessary to detect cyber threats and promptly respond to cybersecurity incidents. We have established a Cyber Defense Center (CSIRT*), which consists of the following three functions, within the information security supervisory department.

Intelligence function

  • Investigate and analyze cyber threats and support response to cybersecurity incidents

Detection/analysis function

  • Constantly monitor cyberattacks, and detect and analyze anomalies

Response function

  • After detecting an attack, immediately collaborate with parties concerned and take prompt countermeasures to minimize damage

If an incident is detected and, based on the results of analysis, determined to be a breach, the severity of the incident is ascertained and action is taken to prevent further damage, such as shutting off the communication network and isolating information equipment. Then, based on the business impact, the scope of damage and so forth, we cooperate with the concerned parties to investigate the cause, preserve evidence, and restore business to normal operations.
In the event of a serious incident, we immediately report to management in accordance with the defined route and coordinate with the pertinent departments including risk management departments and public relations departments to make immediate reports to our business partners, relevant government ministries, and relevant organizations.

* CSIRT (Computer Security Incident Response Team): If a security threat incident, such as virus infection, unauthorized access, or denial-of-service attack (DoS attack), occurs in a company’s information system or communication network, this team is already aware of the incident and acts as a point of contact within the organization to prevent the spread of damage, collect and notify related information, and develop measures to prevent recurrence.

Information Security Education and Training

We regularly conduct education and training focused on information security for our Group employees.
This instruction covers laws and social customs as well as corporate rules and examples of incidents, and course content is tailored by position, with content for newly hired employees, general employees, and managerial staff. The objective of education and training is to ensure that employees can avoid damaging situations, such as cyberattacks and online crime, which can occur in the course of daily work. Employees are instructed to avoid clicking on attachments or links in suspicious emails and to promptly report such emails to the reporting desk and to delete such emails to prevent the spread of damage. We also regularly conduct drills using simulated targeted attack emails. In fiscal 2024, education on information security was provided to 20,274 employees, and 24 drills using simulated targeted attack emails were provided to 10,560 employees.

Number of Violations and Information Security Breaches

There were no cases of violations pertaining to information security in fiscal 2024. There were four information security breaches.


Product Security

The Kawasaki Group’s products continue to evolve to provide more advanced features and services by connecting to networks and the cloud. On the other hand, the advancement of digitalization has increased the risk of exposure to cyber threats such as cyberattacks. To protect our customers and their businesses, we prioritize product security as one aspect of quality and continue to maintain and improve the quality of our products.
Our initiatives for product security include complying with Japanese and international laws and regulations, standards, and agreements with our customers, as well as establishing the Kawasaki Group Product Security Policy to provide safe and secure products and services by preventing breaches from cyberattacks. In addition, we have developed guidelines to ensure appropriate security in activities throughout the entire product life cycle, from planning, design, and manufacturing to operation of products and services. Based on the Product Security Policy, we are also establishing the process for designing and developing safe and secure products (SDLC*1). In our robotics business, we have obtained and started operating under the international standard certification 'IEC 62443-4-1'. Additionally, we have established a specialized organization (PSIRT*2) to oversee all activities to ensure the safe and secure use of products adopted by our customers. As part of these activities, we collect information on threats and vulnerabilities and publish the status of our responses. Furthermore, we have established and started operating a monitoring system to quickly detect information security incidents related to the services we provide.

*1 SDLC (Secure Development Life Cycle): A development life cycle intended to ensure that the products developed are secure. Security measures are implemented throughout the entire process, starting from the upstream stages.

*2 PSIRT (Product Security Incident Response Team): This team is responsible for such activities as finding vulnerabilities in products, analyzing problems, investigating their severity and impact, providing upgraded or modified versions, notifying or disseminating information to customers and the general public, providing information, responding to inquiries, accepting reports from outside parties, and liaising and coordinating with collaboration partners and related organizations.

Product security promotion system


Vulnerability report form

To improve the quality of cybersecurity for its products, our group has established a vulnerability hotline to continuously collect information on vulnerabilities in its products.

Vulnerability information

Information about new vulnerabilities in our group products is provided as needed to help customers take appropriate actions to reduce risk.


Information Security Report

We issued the Kawasaki Group Information Security Report 2025.
This report is published to disclose our Group's initiatives on information security and to promote our stakeholders' understanding. It is based on the "Cybersecurity Management Guidelines Ver.3.0" issued by the Ministry of Economy, Trade and Industry, Japan.


Personal Information Protection

Kawasaki abides by its Privacy Policy, a basic policy for protecting personal information. This policy is disclosed. Further, we control personal information by such means as appointing a personal information administrator, establishing corporate regulations titled Personal Information Protection Rules, and issuing the Personal Information Protection Manual, which explains the rules clearly for employees. In 2020 we established the Kawasaki Group Policy on the Protection of Personal Information, laying out Group-wide rules for the proper handling of personal information.
In accordance with the revision of the Act on the Protection of Personal Information of Japan in April 2022, we revised the relevant corporate regulations, the Privacy Policy, and the Personal Information Protection Manual. To control personal information, we take measures such as constructing security control systems for the personal information possessed by each division and preparing and regularly updating the personal data handling ledger, in which the handling status of such personal information can be checked. With regard to personal information in the Company's possession, we have put in place a structure that ensures a prompt response to requests from individuals related to their own personal information, such as requests for disclosure or discontinuance of utilization.

Response to the General Data Protection Regulation

Our Group has established corporate regulations regarding compliance with the European Union’s and UK’s General Data Protection Regulation (GDPR), laying out rules for the proper handling of personal information covered by the GDPR.

