Information Security

Information Security Policy

The Kawasaki Group provides products to a diverse range of customers, from business, the public sector, and general consumers to the Self-Defense Forces, and constantly works toward maintaining and improving its information security to protect information relating to our customers and suppliers as well as information on our businesses to suit the requirements of each customer sector.
　The necessary information security management practices have been established as corporate regulations to ensure compliance with domestic and international laws and contracts with clients and to protect our businesses. These corporate regulations are comprised of the underlying Policy on Information Security, along with various other Group policies as well as the internal rules and regulations for establishing administrative management guidelines, including those for the development, implementation, and use of information systems.
　The Kawasaki Group recognizes that ensuring information security is a corporate social responsibility and considers it an important management challenge related to business continuity. In order to manage and protect information handled by the Group as an important asset, we have established the following information security policy and aim to ensure proper operations in our business activities.

Information Security Management Structure

Led by the Head Office DX Strategy Division, we are bringing together the strengths of all internal companies to strengthen the Group’s cyber security. We have also established structures to manage the information systems of each internal company within the Head Office DX Strategy Division, and implement security measures based on Company policy.
　We have established a dedicated framework under the Corporate Risk Management System to handle information security management for the Group. We adhere to a management cycle with an emphasis on rules, training, and technology measures to address constantly changing information security risks while systematically implementing, maintaining, and enhancing information security measures.
　In addition, Benic Solution Corporation, a subsidiary that handles the Group’s data center, has acquired ISO 27001 certification, an international standard for information security management, and strives to uphold a high level of operational reliability.
　We implement vulnerability analyses of the servers of our demilitarized zone (DMZ) network, which connects internal systems with the outside network, both in-house and with the help of security vendors. Furthermore, we have implemented systems to prevent unauthorized access to data from outside as well as information leaks from inside and to stop the spread of computer viruses as well as systems to check for illicit activity.

Director Responsible for DX Strategy (CISO): Hiroshi Nakatani, Representative Director, Senior Corporate Executive Officer
Executive Officer Responsible for Cyber Security: Hironobu Urabe, General Manager of DX Strategy Division and Executive Officer

• The Director in charge of DX strategy takes on the role of CISO and chairs the　Information Security Committee.
• The General Manager of the DX Strategy Division oversees the execution of the cyber security strategy as executive officer and has jurisdiction over the Cyber Security Group, which is the management department. Further, the Cyber Security Group within the DX Strategy Division is the Information Security Supervisory Department and is responsible for cyber security practices.
• Incidents and response status related to cyber security are reported to the Director responsible for DX (CISO) through the Information Security Committee by the General Manager of the DX Strategy Division who is the officer in charge of the Cyber Security Group.

We conduct regularly education and training focused on information security for Kawasaki Group employees.
　This instruction covers laws and social customs as well as corporate rules and examples of incidents, and course content is tailored by position, with content for newly hired employees, general employees, and managerial staff. Training includes regular drills using simulations of targeted attack phishing emails to help employees learn how to avoid damaging situations, such as cyberattacks and online crime, which can occur in the course of daily business operations.
　In fiscal 2022, 9,803 employees took the information security training, while 2,308 employees underwent training drills using targeted attack phishing emails.

There were no cases of violations pertaining to information security in fiscal 2022.

Product Security

The Kawasaki Group’s products continue to evolve to provide more advanced features and services by connecting to networks and the cloud. Meanwhile, as the risk of cyberattacks increases due to the advance of digitalization, we are committed to maintaining and improving product security to protect our customers and their businesses.
　Supplementary to our compliance with domestic and international laws and regulations, standards, and agreements with customers, we have established the Kawasaki Group Product Security Policy as our policy for providing safe and secure products and services by preventing breaches from cyberattacks. In addition, we maintain guidelines to ensure proper security in activities throughout the entire product lifecycle, from product and service planning, development, and manufacturing to their operation. The Kawasaki Group has also established a dedicated organization to oversee product security which manages product security processes to ensure that they function properly.

Information Security Report

We issued Kawasaki Group Information Security Report 2023.
This report is published with the purpose to disclose the Kawasaki Group's initiatives on information security for our stakeholder's understanding. It is based on "Cybersecurity Management Guidelines Ver.3.0" made by the Ministry of Economy, Trade and Industry, Japan.

Personal Information Protection

Kawasaki abides by its Privacy Policy, a basic policy for protecting personal information. This policy is disclosed. Further, we control personal information by such means as appointing a personal information administrator, establishing corporate regulations titled Personal Information Protection Rules, and issuing the Personal Information Protection Manual, which explains the rules clearly for employees. In 2020 we established the Kawasaki Group Policy on the Protection of Personal Information, laying out Group-wide rules for the proper handling of personal information.
　In accordance with the revision of the Act on the Protection of Personal Information of Japan in April 2022, we revised relevant corporate regulations, the Privacy Policy and the Personal Information Protection Manual. For the control of personal information, such measures are taken as constructing the security control systems for the personal information possessed by each division and preparing and regularly updating the personal data handling ledger in which the handling status of such personal information can be checked.
　With regard to personal information in the Company's possession, we have put in place a structure that ensures a prompt response to requests from individuals related to their own personal information, such as requests for disclosure or discontinuance of utilization.
　While cyberattacks targeting the Kawasaki Group with the potential to lead to virus infection are on the increase, there were no substantial incidences of damage from information leaks from the Group's network in fiscal 2022.

Response to the General Data Protection Regulation

The Kawasaki Group has established corporate regulations regarding compliance with the European Union’s and UK’s General Data Protection Regulation (GDPR), laying out rules for the proper handling of personal information covered by the GDPR.