In recent years, social changes related to information management have been rapid, such as the steep increase of sophisticated cyber attacks and the strengthening of relevant laws and regulations in each country, posing a risk to corporate management. Managing and protecting personal information, customer information, and confidential information of the company itself and other companies in a proper manner is a natural duty of a company and constitutes a foundation of trust.
In addition to responding to such a business environment, the Daiichi Sankyo Group is promoting digital transformation (DX) forcefully as its business strategy, and is thus required to further intensify its efforts for information security.
The Group considers response to risks associated with information management as one of the most important matters in corporate activities. As such, the Daiichi Sankyo Group Corporate Conduct Charter clearly specifies “Information management” in Article 6.
Information Management Structure
The Daiichi Sankyo Group has designated a Chief Information Security Officer (CISO) in charge of information management along with a global policy on information security. Information referred to in the policy is not limited to electronic information, but also includes paper documents and oral and hearsay information. This policy also applies to information within the Group as well as to that of our business partners and customers. In addition to conducting a regular review related rules for increasing our corporate value by ensuring the safety and reliability of information and making effective use of it, Japan Daiichi Sankyo Group companies have worked on standardizing major rules to promote appropriate information management and strengthen information security.
Response to Information and Cyber Security
In an attempt to provide stable products and information to customers, the Daiichi Sankyo Group companies work on information security. The Daiichi Sankyo Group companies are endeavoring to establish a security management system based on ISO/IEC27001.
With the aim of taking appropriate measures to deal with the threat of cyber security attacks, which has grown in recent years, the CSIRT* has operated under the leadership of CISO.
* CSIRT: A framework for responding to computer security in companies, and the like is referred to as CSIRT (Computer Security Incident Response Team).
Strengthening Cyber Security Measures
With regard to computer viruses, in addition to implementing measures to prevent personal computers or servers from being infected, we have also installed a system to detect and block illegal communications to the website and a system to detect manipulation by a malicious attacker. Through these, the Company is taking measures to mitigate damage and detect breaches at an early stage.
Our CSIRT collects information regarding cyber security in cooperation with each Japan and overseas Daiichi Sankyo Group company, as well as external security teams, including CSIRTs of other companies, and develops security measures for the Daiichi Sankyo Group based on the information obtained. We believe it is important to work with other organizations in the same and other industries to deal with cyber threats. Through cooperative relationships with organizations outside the Company, the CSIRT plays a central role in our ongoing efforts to contribute to the improvement of information security not only within the Company, but also outside the Company.
Information Security Awareness Raising Initiatives across the Group
The Daiichi Sankyo Group is promoting information security education activities among employees.
As part of the information security education activities for employees, which are conducted according to the situation at each Group company, we continue to conduct e-learning about information security as well as awareness raising and reminding staff about targeted e-mail attacks and other cyber threats.
Dealing with Act on the Protection of Personal Information, Individual Number Act, and GDPR
Collecting personal information is a routine part of the business activities of pharmaceutical companies. However, due to the sensitive nature of this information, misuse can cause serious damage to individuals. Recognizing this fact, the Company and Japan Daiichi Sankyo Group companies have established internal rules related to information management and the protection of personal information and promote the safe management of information. In addition, training sessions for executives and employees of the Company and Japan Daiichi Sankyo Group companies are held to enhance their understanding. We implement measures to ensure personal information to be handled appropriately through monitoring by reviewing the recording status of high risk personal information databases. In Japan, with regard to the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (“Individual Number Act”), which was enacted in Japan in October 2015, we regularly evaluate the individual number safety management precautions of subcontractors and conduct field audits. In addition, e-learning programs are conducted for employees at the Company and Japan Daiichi Sankyo Group companies as part of our efforts to ensure compliance with this act.
Moreover, we have verified the relevance of compliance with General Data Protection Regulation (“GDPR”), operation of which started in May 2018 in Europe, on a global basis and thoroughly communicated the matter to all Group companies, and we have concluded contracts as necessary and modified websites accordingly. We are also taking steps to comply with other laws and regulations about personal information protection around the world.