
Theme 3: Growing with Society


Information Security

Cyberattacks and other threats to information security are growing more advanced and sophisticated, which highlights the increasing importance of information security measures. Komatsu’s Worldwide Code of Business Conduct states that, based on the understanding that information and information infrastructure are valuable assets of the Komatsu Group, the companies of the Komatsu Group must follow applicable laws and in-house rules and ensure that each individual employee properly protects and manages information. Komatsu takes measures to comply with the Information Security Regulations and other rules and regulations.
In FY2020, no serious incidents concerning information security, such as the leakage of personal data, occurred within the Komatsu Group.

1. Risk management and its promotion

As a part of the management system led by the risk management supervisor, the Risk Management Committee shares and discusses company-wide information security issues. The president of the Information Strategy Division, who is also a leader in charge of ICT, is the vice-chairperson of the Risk Management Committee so that it is able to address more specialized areas of information security. The Committee shares and resolves more important information security issues. Whenever a serious issue emerges, it will be swiftly reported to officers including the president and directors, the Board of Directors and other organizations concerned, and appropriate actions will be taken.
The Information Strategy Division formulates measures to address information security risks as necessary and annually presents them to the Strategy Review Committee consisting of officers including the president and directors. These measures would be included in the mid-term ICT investment plan.

2. Protection of personal data

Komatsu believes that appropriately protecting the personal data of its customers, business partners, employees and others is a social responsibility it bears. Komatsu formulates and publishes its principles for the protection of personal data. Through e-learning opportunities, internal audits and other activities, we thoroughly ensure the appropriate handling of personal data. Overseas, we adapt our efforts to protect personal data to national and regional laws such as the EU’s General Data Protection Regulation (GDPR) and the expectations of society.

3. System measures

Komatsu has built a multilayer defense system combining many system measures to protect information from unauthorized access, virus infection and other threats and to prevent the leakage of data resulting from these threats. For example, whenever a person accesses the system from the outside to telework, multiple required processes strictly authenticate the individual user.

4. Education and training

All Komatsu employees must take regular e-learning courses to increase the knowledge and awareness of all employees handling data and to ensure they are able to handle data properly.
To address the risk of suspicious emails, we organize multiple drills every year where employees simulate the handling of targeted email attacks. Suspicious email drills are also conducted at some affiliates both in Japan and overseas. We are working globally to raise the level of our information security.

| Course title | Target (in Japan) |
| --- | --- |
| e-learning data security (basic) | New employees including new graduates and mid-career workers |
| e-learning data security (reacting to new threats) | All employees using computers and other information devices |
| Targeted email attack drill | All employees using computers and other information devices (partly including overseas employees) |

5. Information security auditing

The information security of Komatsu Group companies is audited to increase the level of information security throughout the Komatsu Group. Komatsu employees with specialized knowledge audit and advise to increase the effectiveness of these efforts. Conducting audits as a third party with no direct interests helps to ensure independence and impartiality.
In principle, the information security of each group company is audited every three years and Komatsu stays updated on the status of the information security of the group companies.

6. Efforts to improve information security throughout the supply chain

Komatsu asks its employees, Komatsu Group companies and other companies that cooperate in our supply chain with whom we share confidential business information to follow Komatsu’s information security principles as we continue to effectively support them.
Komatsu and everyone involved in its businesses that handles confidential business information share an understanding of the importance of properly managing data. We all work to minimize risk in pursuit of stable business continuity. To this end, we engage in activities such as regular interviews of cooperating companies regarding the status of their data management, presenting, where appropriate, inspection items regarding the business data kept in information technology equipment and recommending information security teaching materials.
