Information Risk Management
Policies and Basic Approach
Mitsui & Co. declared "Information Technology (IT) policy" as a basic policy for IT utilization to promote further awareness raising of employees and enhancement of IT governance.
Information Security Policy
- Approach toward Information Security
Mitsui recognizes the importance of information security, and shall implement appropriate management of information assets, including information and ICT assets, for the purpose of timely and effective use of information in compliance with "Mitsui & Co., Ltd. Corporate Governance and Internal Control Principles", while striving to continuously improve such management on a global and group-wide basis.
- Compliance with Regulations (Establishing Compliance)
Mitsui shall comply with regulations, established standards, and other codes related to information security, and shall work towards the establishment and maintenance of compliant and suitable information security.
- Protection of Information Assets
Mitsui shall implement appropriate management for ensuring the confidentiality, integrity and availability of information assets, and work to protect its information assets from all possible threats.
- Response to Accidents
While working to prevent the occurrence of any accidents related to information security, in the unlikely event of an accident, Mitsui shall promptly take appropriate response measures including preventative steps against the reoccurrence of such an accident.
Effective from September, 2005
Amended on October, 2013
President and Chief Executive Officer
Mitsui & Co., Ltd.
Goals and Targets
- Designate significant affiliates for cyber security every year and monitor the state of compliance with the Mitsui & Co. Group Cybersecurity Standards.
Sustainability Governance and Oversight
The important principles for our global group information strategy are formulated in line with the corporate management policy through the discussions at the Information Strategy Committee which was established pursuant to the "Rules of Information Strategy Committee," and is chaired by the Chief Digital Information Officer (CDIO). The Information Strategy Committee met nine times in the fiscal year ended March 2023. The Committee monitored the progress of the "DX Comprehensive Strategy" formulated in the year ended March 31, 2021, which consists of DX Business Strategy, Data Driven (DD) Management Strategy, and DX HR Strategy, and discussed various initiatives such as structure expansion/inspection/training to respond to cyber-attacks, policies on next-generation human resources systems and trade operating systems, the vision of group companies data that should be utilized and the vision for the data management system, and the IT tools and knowledge Mitsui employees should acquire and educational measures.
Under the system centered around the Information Strategy Committee, we are enhancing the system of internal control including management of various possible risks such as information leakage and cyber-attacks through maintenance of the following rules, necessary in light of development and operation of information systems and information security.
- "Rules on Information System Management": rules on the process of procurement, introduction and operation of Information assets
- "Rules on IT Security": code of conduct for the system supervisory divisions regarding IT security
- "Rules on Information Management": basic policies in terms of information risk management system and information management
- "Rules on Protection of Personal Information": rules for the handling of personal information required for business execution (Applied only in Japan)
- "Rules on Cyber Security Countermeasures": rules for preventive measures against cyber-attacks and emergency countermeasures in the event of incident
- "Mitsui & Co. Group Cybersecurity Standards": basic cyber security measures aimed at being implemented in common across Mitsui Group companies.
Furthermore, the importance of cyber security measures in Mitsui's global group is increasing as cyber-attacks occurring day to day become more sophisticated, advanced and severe, such as targeted attacks targeting specific companies and organizations, ransomware (encrypting files and demanding ransom in exchange for their decryption), BEC (Business Email Compromise), and indiscriminate email attacks that aimed at unspecified targets, and once a year, a report is made to the Board of Directors after deliberation in the Information Strategy Committee and the Corporate Management Committee.
|Officer in charge||Toru Matsui (Representative Director, Senior Executive Managing Officer, Chief Digital Information Officer (CDIO), Chairperson of Information Strategy Committee)|
|Deliberative body||Information Strategy Committee|
|Department in Charge||Integrated Digital Strategy Div.|
Mitsui has established an integrated risk management system that has centralized control over Company-wide risks, which is centered around the Corporate Management Committee and the Portfolio Management Committee as an organization under the Corporate Management Committee. The Corporate Staff Divisions, which act as the secretariat, manage risks from a Company-wide perspective.
Risk related to information systems and information security is positioned as an important risk, and the following steps are taken.
- We establish relevant rules for safety of information systems and strengthening information security, appropriately ensure the confidentiality, integrity and availability of information and information systems owned by Mitsui and its subsidiaries, and manage risks such as information leaks by continuously indicating guidelines for improving the level of risk management.
- We have established the "Mitsui & Co. Group Cybersecurity Standards" to be followed by Group companies to strengthen cyber security measures in the Mitsui global group. Furthermore, a "Cybersecurity Baseline Survey" is conducted once per year in each affiliate to self-assess the state of compliance with the standards and third-party evaluation is also performed through a "Cybersecurity Assessment".
- Mitsui has formulated response policies to security incidents in advance according to the scale and severity of damage as a cyber BCP (business continuity plan).
Protecting Personal Information
We have appointed a Chief Managing Officer of the Personal Information Protection Management System (PMS) and established a PMS office to work at heightening awareness among all management and staff of the importance of personal information protection, in accordance with the Personal Information Protection Guidelines and Rules on the Protection of Personal Information. As we have a broad spectrum of involvement in diverse commodities and services, we handle a large amount of personal information, particularly in B2C (business-to-consumer) business fields. Accordingly, we take particular care to ensure that all data is protected. From the perspective of accident prevention, in addition to our education and training systems, we appoint a Personal Information Management Officer in each division. These officers regularly review the status of personal information management in the daily course of business and enhance it as needed. Regarding compliance with the EU GDPR (General Data Protection Regulation) that came into effect in May 2018, Mitsui has established internal rules to ensure proper management systems and operational rules for the handling of personal data that falls within the scope of application of the GDPR at each Business Unit. Furthermore, we have provided all officers and employees with information on the GDPR via the intranet, and have been engaging in operational management required by the GDPR such as compliance with the duty of keeping records of information processing activities. We recognize that a timely response according to global standards towards other overseas laws and regulations related to personal information, in addition to the GDPR, leads to the enhancement of our corporate value.
Mitsui drafts and executes measures in accordance with the cyber security framework of the National Institute of Standards and Technology of U.S., and takes measures separated into the three steps of "Hygiene", "Protect", and "Recovery" while utilizing the knowledge of Mitsui Bussan Secure Directions, which is a dedicated cyber security subsidiary.
Mitsui believes in the importance of cyber hygiene, and aims to maintain a healthy ICT environment, and also aims to raise the security awareness of officers and employees. From a system perspective, we engage in appropriate management of inventory for ascertaining the status of IT assets, and vulnerability management to determine and fix the cause of attacks. Furthermore, in educational activities with focus on people, we have launched a "Cybersecurity Portal" for officers and employees including those of affiliates for the purpose of raising cyber security awareness and preventing the spread of damage from cyber-attacks, and provide them with a variety of information such as the latest trends, case studies and appropriate actions and measures against cyber-attacks to be taken by officers and employees. In addition, we prepare and utilize "Cybersecurity e-Learning" for end-users and security personnel respectively.
Mitsui is shifting from "perimeter security" (security measures centered on the perimeter between the internal network and the external network based on the idea that "within the company is secure, but outside is dangerous") to "zero trust" (security measures that perform verification without trusting any access to information and systems to be protected regardless of whether inside or outside the network), and is strengthening security measures in various IT areas such as devices, data, network and the cloud etc. Furthermore, we are building, maintaining and expanding a system for around-the-clock global security monitoring and responding in the event of an incident.
Mitsui has established the MBK-CSIRT (Computer Security Incident Response Team) as the center of security measures, working with cyber-security leaders in each division to establish reporting and supporting systems, perform organized and continuous incident responses, and prevent recurrences. Furthermore, we have formulated response policies in the event of a security incident occurring according to the scale and severity of damage, and periodically conduct training to confirm effectiveness as needed.