Information Security

Governance and Management Framework

At JSR, the Cybersecurity Management Office is the core unit responsible for overseeing information security across the entire JSR Group. The Cybersecurity Management Office continuously works alongside outside experts to maintain and manage information security for the entire Group, educate and raise awareness among employees, and strengthen our ability to respond to incidents such as cyberattacks.

With regard to personal information, we comply with Japan’s Act on the Protection of Personal Information and related laws and regulations, such as the GDPR (EU General Data Protection Regulation), and strive to strengthen the proper handling and management of personal information. The officer in charge of General Affairs serves as the Personal Information Management Officer, and the General Affairs Department and the Human Resources Development Department are the departments in charge of protecting personal information and advancing awareness and education of employees.

Policy and Basic Approach

JSR Group regards information security as an important management issue and has established the Information Security Policy. We will ensure proper management of information by thoroughly disseminating this policy to all employees.

Information Security Policy

  • JSR Group, by complying with laws and regulations and by observing other social norms relating to the handling of information, will handle and protect information that belongs to JSR Group, its customers, business partners and other third parties.
  • JSR Group will strive to develop and actively use its information assets for the efficient execution of its business. Officers and employees will only use these information assets for the purposes of their work and within the scope of their authority.
  • JSR Group will improve organizations and systems, provide education on information security, thoroughly disseminate this policy and related regulations, and implement measures to ensure information security.
  • JSR Group will implement appropriate human, organizational, and technological measures and work to prevent unauthorized access to information assets from outside the company, as well as leaks, falsification, loss, theft and destruction of information assets.
  • If an information security-related problem occurs, JSR Group will promptly identify the cause and take measures to minimize damage and prevent recurrences.
  • JSR Group will periodically assess and review its information security measures to respond appropriately to changes in external environments.

Metrics and Targets

JSR Group annually selects Group companies based on factors such as risk and business scale, and for the selected Group companies, we monitor the operational status of the JSR Group Security Guidelines, which stipulate the security measures required for information systems introduced by JSR Group, and the status of improvements in security levels.

We confirmed the operational status of the Guidelines and the status of improvements in security levels for all JSR Group companies selected this fiscal year, and confirmed steady progress overall. We will continue to advance the establishment of the Guidelines and the implementation of improvement plans.

Initiatives

1. Initiatives Related to Cybersecurity

(1) Technological Measures

JSR Group aims to be able to respond to sophisticated cyberattacks, and we are proactively introducing necessary technological measures. Our initiatives are as follows.

  • Installation of firewalls and network intrusion detection and prevention systems to block unauthorized external access
  • Implementation of a system on all company computers and servers that detects suspicious behavior, such as cyberattacks, so that threats can be detected and responded to in real time
  • Maintenance of system security through regular scanning and prompt application of security patches for system vulnerabilities susceptible to external intrusion
  • Monitoring 24 hours a day, 365 days a year with a structure using a Security Operation Center (SOC) operated by an external specialized agency

(2) Human Measures

Information Security Handbook

In addition to publishing the Information Security Handbook, JSR regularly conducts security education for employees through e-learning so that they can further increase their sensitivity to information leakage risks and always act in accordance with the rules.
In addition, we regularly conduct cyberattack response drills that simulate large-scale damage from ransomware and other cyberattacks to strengthen our resilience against cyberattacks.

(3) Organizational Measures

JSR conducts security assessments and monitors the status of improvement at JSR Group companies. Based on the assessment results, lists of improvement points are created for sites that require improvement, and monitoring is conducted until the identified issues are resolved. Moreover, due to the increasing importance of risk management in the supply chain in recent years, we also conduct security assessments of our business partners. In addition, information such as the status of security incidents and status of various security audits is regularly reported to the Officers Committee to advance security governance throughout the organization.

2. Initiatives to Protect Personal Information

JSR Group recognizes the importance of protecting personal information in a society with highly advanced information and communications technologies, and we have formulated a Privacy Policy and Rules for Handling Personal Information based on the Act on the Protection of Personal Information in Japan. At the same time, we have established Rules for Handling Specific Personal Information in response to the introduction of Japan’s Individual Number system.
Within these rules, in accordance with relevant laws and our privacy policy, we ensure appropriate handling of specific personal information by defining precautions and security standards necessary to ensure the proper use and protection of this information at each of the stages of acquisition, storage, use, provision, disclosure, correction, suspension of use, and deletion.

Furthermore, for Group companies that handle personal data covered by the EU’s General Data Protection Regulation (GDPR), we are providing support for the construction and operation of a structure to ensure GDPR compliance in data acquisition, processing, and transfer.

For example, in FY2024, following changes in the structure of JSR Group, we revised the Intra-Group Data Processing and Data Transfer Agreement, which had been concluded based on the Standard Contractual Clauses (SCC) established by the European Commission, and some Group companies that had not previously signed the agreement were added as contracting parties to this protection agreement. This ensures that the entire Group’s data protection structure is aligned with the latest standards and secures the legality and security of cross-border data transfers. As a result, we have strengthened the foundation for smoothly advancing global data utilization by achieving thorough compliance with laws and regulations, enhancing audit readiness and reducing risks, and standardizing operations through unified operational rules.