Risk Management

Information Risk Management

Policies and Basic Approach

Mitsui & Co. declared "Information Technology (IT) policy" as a basic policy for IT utilization to promote further awareness raising of employees and enhancement of IT governance.

Information Security Policy

  1. Approach toward Information Security
    Mitsui recognizes the importance of information security, and shall implement appropriate management of information assets, including information and ICT assets, for the purpose of timely and effective use of information in compliance with "Mitsui & Co., Ltd. Corporate Governance and Internal Control Principles", while striving to continuously improve such management on a global and group-wide basis.
  2. Compliance with Regulations (Establishing Compliance)
    Mitsui shall comply with regulations, established standards, and other codes related to information security, and shall work towards the establishment and maintenance of compliant and suitable information security.
  3. Protection of Information Assets
    Mitsui shall implement appropriate management for ensuring the confidentiality, integrity and availability of information assets, and work to protect its information assets from all possible threats.
  4. Response to Accidents
    While working to prevent the occurrence of any accidents related to information security, in the unlikely event of an accident, Mitsui shall promptly take appropriate response measures including preventative steps against the reoccurrence of such an accident.

Effective from September, 2005
Amended on October, 2013

Kenichi Hori
President and Chief Executive Officer
Mitsui & Co., Ltd.

Sustainability Governance and Oversight

The important principles for our global group information strategy are formulated in line with the corporate management policy through the discussions at the Information Strategy Committee which was established pursuant to the "Rules of Information Strategy Committee," and is chaired by the Chief Digital Information Officer (CDIO). The Information Strategy Committee met nine times in the fiscal year ended March 2022. The Committee monitored the progress of the "DX Comprehensive Strategy" formulated in the year ended March 31, 2021, which consists of DX Business Strategy, Data Driven (DD) Management Strategy, and DX HR Strategy, and reviewed and discussed various initiatives such as structure expansion/inspection/training to respond to cyber-attack, Mitsui's intranet renewal, next-generation personnel system policy, outlines of amendments to the Act on the Protection of Personnel Information and our responses, and digital marketing initiative policy, etc. Under the system centered around the Information Strategy Committee, we are enhancing the system of internal control including management of various possible risks such as information leakage and cyber-attacks through maintenance of the following rules, necessary in light of development and operation of information systems and information security.

  • “Rules on Information System Management”: rules on the process of procurement, introduction and operation of Information assets
  • “Rules on IT Security”: code of conduct for the system supervisory divisions regarding IT security
  • “Rules on Information Management”: basic policies in terms of information risk management system and information management
  • “Rules on Protection of Personal Information”: rules for the handling of personal information required for business execution (Applied only in Japan)
  • “Rules on Cyber Security Countermeasures”: rules for preventive measures against cyber-attacks and emergency countermeasures in the event of incident

Officer in charge Yoshio Kometani (Representative Director, Executive Vice President, Chief Digital Information Officer (CDIO), Chairperson of Information Strategy Committee)
Deliberative body Information Strategy Committee
Department in Charge Integrated Digital Strategy Div.

Protecting Personal Information

We have appointed a Chief Managing Officer of the Personal Information Protection Management System (PMS) and established a PMS office to work at heightening awareness among all management and staff of the importance of personal information protection, in accordance with the Personal Information Protection Guidelines and Rules on the Protection of Personal Information. As we have a broad spectrum of involvement in diverse commodities and services, we handle a large amount of personal information, particularly in B2C (business-to-consumer) business fields. Accordingly, we take particular care to ensure that all data is protected. From the perspective of accident prevention, in addition to our education and training systems, we appoint a Personal Information Management Officer in each division. These officers regularly review the status of personal information management in the daily course of business and enhance it as needed. Regarding compliance with the EU GDPR (General Data Protection Regulation) that came into effect in May 2018, Mitsui has established internal rules to ensure proper management systems and operational rules for the handling of personal data that falls within the scope of application of the GDPR at each Business Unit. Furthermore, we have provided all officers and employees with information on the GDPR via the intranet, and have been engaging in operational management required by the GDPR such as compliance with the duty of keeping records of information processing activities. We recognize that a timely response according to global standards towards other overseas laws and regulations related to personal information, in addition to the GDPR, leads to the enhancement of our corporate value.

Personal Information Protection Guidelines


Launch of Mitsui DX Academy

The Mitsui DX Academy was launched to develop human resources who will promote Digital Transformation (DX). The Academy consists of three elements: DX Skills Training, which aims to make digital a basic standard for all officers and employees, including information security measures; Boot Camp, which aims to develop DX Business Professionals* through practical DX projects (OJT); and DX Executive Education, which aims to acquire cutting-edge DX skills and knowledge and to network with advanced DX experts.

* DX Business Professionals are essential for promoting our DX, as they have a strong understanding of both the business and digital technologies, and can act as a bridge between Business Professionals who are experts in their respective jobs, and Technology Professionals who are top digital experts. Mitsui plans to produce more than 100 DX Business Professionals in-house globally by the fiscal year ending March 2024.

Cyber Security Portal and e-Learning

In order to raise cyber security awareness and prevent the spread of damage from cyberattacks, we have released the “Cyber Security Portal” to our executives and employees, including those of our affiliate companies, and are providing them with various information on recent trends in cyber security, case studies, and appropriate actions and measures against cyber-attacks. In addition, we are working to raise awareness of cyber security by creating and using Cyber Security e-Learning for end-users and security personnel respectively.

Cyber Security

In line with the advancement of information and communications technology (ICT) and digitalization in the business of Mitsui and affiliated companies, we are implementing security measures in each area of IT, including devices, networks, servers, and cloud computing, while utilizing the expert knowledge of our subsidiaries specialized in the area of cyber security. At the same time, we are building, maintaining, and expanding our 24/7 security monitoring and contingency response systems on a global basis. We have established responses to security incidents according to the scale and severity of the damage, and regularly conduct drills to confirm the effectiveness of these responses as necessary. In addition, we conduct annual surveys on the status of cyber security measures at each of our major affiliate companies and make recommendations for improvement to raise the level of cyber security measures throughout the group.