Information Security


Information Security Policy

The Kawasaki Group provides products to a diverse range of customers, from business, the public sector, and general consumers to the Self-Defense Forces, and constantly works toward maintaining and improving its information security to protect information relating to our customers and suppliers as well as information on our businesses to suit the requirements of each customer sector. The necessary information security management practices have been established as corporate regulations to ensure compliance with domestic and international laws and contracts with clients and to protect our businesses. These corporate regulations are comprised of the underlying Policy on Information Security, along with various other Group policies as well as the internal rules and regulations for establishing administrative management guidelines, including those for the development, implementation, and use of information systems. The Kawasaki Group recognizes that ensuring information security is a corporate social responsibility and considers it an important management challenge related to business continuity. In order to manage and protect information handled by the Group as an important asset, we have established the following information security policy and aim to ensure proper operations in our business activities.


Information Security Management Structure

The Director in charge of DX strategy serves as CISO. The Information Security Committee is chaired by the CISO, with the person in charge of information security in each business entity serving as a member. The committee shares and deploys policies and plans related to information security, along with various measures against information security risks, to business units, the Kawasaki Group companies, and related organizations. In addition, an information security supervisory department is established within the head office under the executive officer in charge of information security. The department develops information security strategies, identifies information security risks, plans and implements measures, conducts audits, and handles information security incidents (detection, response, and recovery). Based on instructions from the Information Security Committee, the information security supervisory department leads each business entity, the Kawasaki Group companies, and related departments in collaborating with each other to systematically prepare and promote ways to ensure, maintain, and improve information security from the three perspectives of “technical measures,” “education/training,” and “rules” to address ever-changing information security risks.

Information security management structure


Responsible Officers

Director Responsible for DX Strategy (CISO): Hiroshi Nakatani, Representative Director, Senior Corporate Executive Officer
Executive Officer Responsible for Information Security: Hironobu Urabe, General Manager of DX Strategy Division and Executive Officer

Third-party Evaluations and Obtaining Certification for Information Security

The Kawasaki Group promotes third-party evaluations and certification for information security, with organizational units that have obtained certification for information security detailed below.

ISMS (ISO/IEC 27001)-certified organizations

  • Kawasaki Heavy Industries, Ltd. (Project Management Department, Presidential Project Management Division)
  • BENIC SOLUTION CORPORATION (Infrastructure Design Department/Operation Service Department, Digital Infrastructure Solution Service Division)

Privacy Mark-certified companies

  • BENIC SOLUTION CORPORATION
  • K Career Partners Corporation

CSMS (IEC 62443-2-1)-certified organization

  • Kawasaki Heavy Industries, Ltd. (Plant Engineering Business Division, Energy Solution & Marine Engineering Company)

Information Security Education and Training

We regularly conduct education and training focused on information security for Kawasaki Group employees.
This instruction covers laws and social customs as well as corporate rules and examples of incidents, and course content is tailored by position, with content for newly hired employees, general employees, and managerial staff. Training includes regular drills using simulations of targeted attack phishing emails to help employees learn how to avoid damaging situations, such as cyberattacks and online crime, which can occur in the course of daily business operations. In fiscal 2023, 17,053 employees took the information security training, while 21 training drills were conducted using targeted attack phishing emails for a total of 6,876 employees.

Number of Violations, Details of Violations, and Actions Taken

There were no cases of violations pertaining to information security in fiscal 2023.


Product Security

The Kawasaki Group’s products continue to evolve to provide more advanced features and services by connecting to networks and the cloud. Meanwhile, as the risk of cyberattacks increases due to the advance of digitalization, we are committed to maintaining and improving product security to protect our customers and their businesses.
Supplementary to our compliance with domestic and international laws and regulations, standards, and agreements with customers, we have established the Kawasaki Group Product Security Policy as our policy for providing safe and secure products and services by preventing breaches from cyberattacks. In addition, we maintain guidelines to ensure proper security in activities throughout the entire product lifecycle, from product and service planning, development, and manufacturing to their operation. The Kawasaki Group has also established a dedicated organization to oversee product security which manages product security processes to ensure that they function properly.

Product security promotion system


Information Security Report

We issued the Kawasaki Group Information Security Report 2023.
This report is published to disclose the Kawasaki Group's information security initiatives so that our stakeholders can understand them. It is based on the "Cybersecurity Management Guidelines Ver.3.0" issued by the Ministry of Economy, Trade and Industry, Japan.


Personal Information Protection

Kawasaki abides by its Privacy Policy, a basic policy for protecting personal information. This policy is disclosed. Further, we control personal information by such means as appointing a personal information administrator, establishing corporate regulations titled Personal Information Protection Rules, and issuing the Personal Information Protection Manual, which explains the rules clearly for employees. In 2020 we established the Kawasaki Group Policy on the Protection of Personal Information, laying out Group-wide rules for the proper handling of personal information.
In accordance with the revision of the Act on the Protection of Personal Information of Japan in April 2022, we revised the relevant corporate regulations, the Privacy Policy, and the Personal Information Protection Manual. To control personal information, we take measures such as building security control systems for the personal information held by each division and preparing and regularly updating a personal data handling ledger in which the handling status of that personal information can be checked. With regard to personal information in the Company's possession, we have put in place a structure that ensures a prompt response to requests from individuals related to their own personal information, such as requests for disclosure or discontinuance of utilization.


Response to the General Data Protection Regulation

The Kawasaki Group has established corporate regulations regarding compliance with the European Union’s and UK’s General Data Protection Regulation (GDPR), laying out rules for the proper handling of personal information covered by the GDPR.

