Komatsu recognizes that threats to information security are becoming increasingly sophisticated and complex each year. To enhance the overall information security level of the Group, we have clarified our policies regarding the establishment of management frameworks, protection of information assets, strengthening of system security, monitoring of networks and systems, and training and education for employees, and we are implementing corresponding activities.
In FY2024, there were no incidents that had a significant impact on our business.
Komatsu operates a global CSIRT (Computer Security Incident Response Team) covering Group operations worldwide, which establishes and maintains the organizational structure for information security, including the capability to respond to cyberattacks. The CSIRT is responsible for preventive measures such as threat intelligence gathering, deployment of technical countermeasures, and employee training, all aimed at reducing the likelihood of information security incidents. When an incident does occur, the CSIRT leads a swift response to minimize damage and restore systems as quickly as possible. Komatsu has also established Security Operation Centers (SOCs) in each global region to continuously monitor systems and networks.
Given that a prompt initial response is critical in mitigating the impact of cyberattacks, Komatsu has developed a structure for early detection and escalation. This includes a dedicated reporting channel for employees and a monitoring system operated by SOCs to detect signs of suspicious activity across global operations. These mechanisms enable the CSIRT to promptly receive alerts and lead a consistent and coordinated response—from initial containment and root cause analysis to the development of preventive measures to avoid recurrence. In the event of a major incident, the CSIRT immediately reports to the Risk Management Committee, which includes the President and members of the Board of Directors. This ensures that appropriate actions can be taken promptly based on senior management decisions.
Recognizing that cyberattacks pose a significant threat to business continuity, Komatsu has established incident response manuals and conducts regular cyber-BCP (Business Continuity Plan) drills to enhance its emergency readiness and ensure operational resilience.
To protect production operations, Komatsu has established Factory Security Incident Response Teams (FSIRTs) at each manufacturing site. FSIRTs are responsible for building response frameworks against cyber threats targeting factory networks and equipment, and for enhancing frontline capabilities through regular training. In the event of an incident at a production site, the FSIRT works closely with the CSIRT to minimize impact and support a swift recovery of operations.
In response to the growing importance of product security, Komatsu promotes a "Secure by Design" approach by integrating security into product planning and design stages. The company also ensures proper management of vulnerability information and maintains response processes in the event vulnerabilities are identified, thereby securing products throughout the entire lifecycle.
These initiatives are reported regularly to the Risk Management Committee, and material issues are escalated to the Board of Directors. Through this governance framework, Komatsu ensures appropriate oversight and management of information security across the Group.
To appropriately protect the company's information assets, including personal and confidential information, Komatsu classifies and ranks information based on its importance, implements security measures such as access restrictions for storage locations and data encryption, and manages this information appropriately.
Komatsu recognizes that the proper protection of personal information—including that of customers, business partners, and employees—is essential for conducting business. We have established and comply with our "Global Privacy Policy" and ensure proper handling through e-learning programs and internal audits. We also work to protect personal information overseas in line with legal and societal requirements in each country and region, such as compliance with the General Data Protection Regulation (GDPR) in Europe.
To prevent information leaks caused by cyber threats such as unauthorized access and malware infections, Komatsu implements system measures based on a multilayered defense (Defense in Depth) approach. In particular, for access from outside the company, including telework, we have introduced access controls that combine multi-factor authentication (MFA) with device authentication. This both verifies the identity of the user and restricts access to devices authorized for business use, so that a compromised password alone is not sufficient to gain entry, thereby reducing the risk of unauthorized access.
To enhance early detection of cyber risks and strengthen response capabilities, Komatsu is undertaking the following ongoing initiatives:
First, with regard to vulnerability assessments, monthly evaluations are conducted on internet-facing servers and critical internal systems. These assessments include automated scanning, and the results are visualized and centrally managed using a control ledger. Identified vulnerabilities are addressed by the responsible system departments based on their priority.
Second, penetration testing is performed once or twice a year by external specialized vendors. The testing specifications and scope are reviewed as needed to support continuous improvement.
Through these initiatives, Komatsu is enhancing its capability to identify weaknesses that could be exploited in a cyberattack at an early stage, and to analyze and remediate them appropriately.
At Komatsu, appropriate handling of information is clearly defined as a standard of conduct to be followed by all employees, who are expected to actively engage in the proper protection and management of information. Recognizing that information security requires not only organizational and system-level measures but also individual responsibility, Komatsu promotes adherence to fundamental practices and continuous improvement of employee knowledge. In the event of a security incident, employees are required to promptly report to the CSIRT. To ensure that these principles and behaviors are well understood and practiced, Komatsu provides regular e-learning programs for all employees. In addition, targeted email attack simulations are conducted several times a year to strengthen awareness and preparedness.
These e-learning programs and training exercises are conducted not only in Japan but also at overseas subsidiaries, as part of Komatsu’s efforts to strengthen information security across its global operations.
By conducting audits related to information security, Komatsu is working to enhance the overall information security level across the Komatsu Group. These audits are carried out by Komatsu employees with specialized expertise, who also provide advice to increase the effectiveness of the audited units' security measures. Because the auditors have no direct interest in the systems and organizations they audit, the audits maintain independence and fairness.
Komatsu requests that not only Komatsu and its group companies but also dealers and partner companies that share our business secrets manage information security in line with our policies, and we provide them with ongoing support to do so. For dealers and partner companies, we recommend periodic self-checks and interviews based on checklists, and the use of designated information security materials covering system measures and proper information management methods. Through these activities, we share with all stakeholders the need for proper management of the information systems that handle business secrets and underpin stable business continuity, with the aim of reducing risk across the supply chain.