Our Approach

The use of digital data is essential for SUBARU in the course of its business activities. This use is not limited to traditional information systems but covers diverse realms, including facilities, products, and a whole range of services offered by SUBARU. Being aware of our social responsibility to handle digital data in these realms safely, we have established the Basic Cybersecurity Policy and undertake information security protection activities Group-wide.

Scope of Information Security for the SUBARU Group

Basic Cybersecurity Policy

Objective

SUBARU CORPORATION and its Group companies (hereinafter referred to as “the SUBARU Group”) put in place a Basic Cybersecurity Policy to protect all our conceivable products, services, and information assets from threats arising in the course of our business activities and earn the trust of our customers and society as a whole.


Scope

This basic policy applies to all executives and employees of the SUBARU Group, and also to the employees and other staff of SUBARU’s subcontractors.


Initiatives

  1. The SUBARU Group will comply with laws, regulations, and standards, as well as security-related contractual obligations to our customers.
  2. The SUBARU Group will put in place and operate management systems and internal regulations concerning cybersecurity.
  3. The SUBARU Group will establish information security measures tailored to our information assets and strive to prevent and minimize information security incidents. Should such an incident occur, SUBARU will address it swiftly and appropriately, taking steps to prevent recurrence.
  4. The SUBARU Group will strive to ensure information security by providing both executives and employees with education and training, as well as undertaking other efforts to raise their awareness of this issue.
  5. The SUBARU Group will continually review and strive to improve the aforementioned activities.

Established in June 2018

Initiatives

In FYE March 2022, SUBARU conducted e-learning and video training programs based on cybersecurity management system documents in the three domains of In-Car (interior systems), Out-Car (exterior systems), and information systems.

Objective: Promote understanding of cybersecurity and mitigate practical security risks

Program Details: Education on internal rules requiring compliance in each of the three domains

Course Participants:

  • For In-Car system developers: Approx. 750
  • For general employees and those related to information systems: Approx. 550
  • Targeted attack email drills: Approx. 12,000

SUBARU also conducted security incident scenario training for incident response teams. In addition, we carry out internal audits based on our management system on a regular, ongoing basis.
In FYE March 2022, we formulated cybersecurity regulations for the SUBARU Group with the aim of strengthening cooperation systems with Group companies overseas, and launched operation of our management system. In addition, to strengthen cybersecurity at the supply chain level, we are rolling out industry guidelines to our suppliers and providing consultation and other services.

Personal Information Protection Initiatives

At the SUBARU Group, Group companies in Japan and overseas are strengthening management systems to properly use and protect personal information. In FYE March 2022, we provided 18 Group companies in Japan with education on the protection of personal information and checked their status of operation.
SUBARU, in conjunction with the enactment of the Act on the Protection of Personal Information, undertook various initiatives, including establishing internal systems and rules, and publicly disclosing its privacy policy. Moreover, Group companies in Japan and overseas have begun to build a management system to properly use personal information.
In FYE March 2022, SUBARU implemented the following key initiatives in response to the Act on the Protection of Personal Information.


  • Training for all departmental and office general managers concerning the Act on the Protection of Personal Information (140 employees took part via e-learning)
  • Identification of management issues by taking stock of personal information held by all departments
  • Confirmation of a check sheet on the status of compliance with related internal rules at all departments and the implementation of a continuous PDCA cycle
  • Revision of related internal rules for compliance with the 2020 revisions to the Act on the Protection of Personal Information

In addition, we are working to ensure compliance with laws and regulations by having SUBARU dealerships in Japan that handle large amounts of customer personal information take similar initiatives and report cases on an ad-hoc basis to SUBARU.
Furthermore, in compliance with Japan’s Act on the Protection of Personal Information, the SUBARU Group has built a system to conform with the EU’s General Data Protection Regulation (GDPR).