Our Approach

The use of digital data is essential for SUBARU in the course of its business activities. The use of digital data is not limited to traditional information systems but covers diverse realms, including facilities, products, and a whole range of services offered by SUBARU. Being aware of our social responsibility to handle digital data in these realms safely, we have established the Basic Cybersecurity Policy, undertaking information security protection activities Group-wide.

Scope of Information Security for the SUBARU Group

Basic Cybersecurity Policy

Objective

SUBARU CORPORATION and its Group companies (hereinafter referred to as “the SUBARU Group”) put in place a Basic Cybersecurity Policy to protect all our conceivable products, services, and information assets from threats arising in the course of our business activities and earn the trust of our customers and society as a whole.


Scope

This basic policy applies to all executives and employees of the SUBARU Group, and also to the employees and other staff of SUBARU’s subcontractors.


Initiatives

  1. The SUBARU Group will comply with laws, regulations, and standards, as well as security-related contractual obligations to our customers.
  2. The SUBARU Group will put in place and operate management systems and internal regulations concerning cybersecurity.
  3. The SUBARU Group will establish information security measures tailored to our information assets and strive to prevent and minimize information security incidents. Should such an incident occur, SUBARU will address it swiftly and appropriately, taking steps to prevent recurrence.
  4. The SUBARU Group will strive to ensure information security by providing both executives and employees with education and training, as well as undertaking other efforts to raise their awareness of this issue.
  5. The SUBARU Group will continually review and strive to improve the aforementioned activities.

Established in June 2018

Initiatives

In FYE March 2023, SUBARU conducted e-learning and video training programs based on cybersecurity management system documents in the three domains of In-Car (interior systems), Out-Car (exterior systems), and information systems.

Objective: Promote understanding of cybersecurity and mitigate practical security risks

Program Details: Education on internal rules requiring compliance in each of the three domains

Program Participants:

  • For In-Car system developers: Approx. 39 individuals (the targeted 849 participants had completed all programs by FYE March 2023)
  • For general employees and those related to information systems: Approx. 3,902 individuals
  • Targeted attack email drills for SUBARU dealerships: Approx. 6,342 individuals

SUBARU also conducted security incident scenario training for incident response teams. We also carry out regular, ongoing internal audits based on our management system.
We have been strengthening collaboration with overseas Group companies since FYE March 2022 through regular information sharing and assessments based on company-wide cybersecurity regulations as well as by formulating improvement plans for vulnerabilities that have been identified.
In recent times, due to the significant impact of cybersecurity at the supply chain level on SUBARU’s business continuity, we have extended the 2022 edition of our industry guidelines to our business partners. We also continue to provide ongoing support, including visualizing response levels and offering consultations.

Personal Information Protection Initiatives

Within the SUBARU Group, we have established internal structures, created regulations, and publicly disclosed our privacy policy to comply with personal data protection regulations both in Japan, such as the Act on the Protection of Personal Information, and internationally, including the EU General Data Protection Regulation (GDPR).
We are also promoting activities across Group companies worldwide to establish management frameworks that enable the responsible utilization of personal information in compliance with these regulations.


Key Initiatives in FYE March 2023

1) Compliance with Japan’s Act on the Protection of Personal Information

  • Training for all departmental and office general managers concerning the Act on the Protection of Personal Information (132 employees took part via e-learning)
  • Specialized training for SUBARU and Group company personnel (attended by 538 individuals)
  • Identification and improvement of management issues by taking stock of personal information held by all departments
  • Confirmation of the status of compliance with related internal regulations in all departments (already reflects amendments to the Act on the Protection of Personal Information in 2020). Verified with a check sheet and continued implementing a PDCA cycle
  • Confirmation of management status at 18 Group companies in Japan

2) Compliance with overseas personal information protection regulations

  • Training for relevant departmental and office general managers concerning the Act on the Protection of Personal Information (23 employees took part via e-learning)
  • Specialized training for SUBARU and Group company personnel (attended by 206 individuals)
  • Inspection and verification of the handling of personal information overseas by relevant SUBARU departments and Group companies

In FYE March 2024, we will continue to monitor developments toward the enforcement of laws in Japan and other countries, as well as the implementation policies of those laws by relevant authorities to enhance the personal data protection efforts of SUBARU and our Group companies worldwide.