Information Security

Basic Approach and Governance

Based on the recognition that the proper handling and protection of information is a social responsibility, the Olympus Group has established the Information Security Policy and is working to ensure information security.
Information security is integrated into our business plan as a major risk, and the Board of Directors and Audit Committee oversee all critical corporate risks, including information security. The Board of Directors and Executive Officers administer enterprise risk management for the entire Group, and information security is one of the core areas. Risk management for each region and function is based on the instructions of the executive officers, and priority measures for information security in business plan are implemented by the heads of each business and function based on risk assessment. Among the Executive Officers, the CAO assumes executive responsibility in the area of information security, and the Chief Information Security Officer (CISO) strengthens the governance of business execution under CAO's delegation. The CAO reports regularly on the status of information security to the Global Executive Committee and the Board of Directors. The information security governance structure under the CISO, as shown in the diagram below, encompasses all of the Olympus Group's businesses and functions worldwide.
We have a governance structure in place to ensure that our businesses and functions work together globally to implement measures and controls based on initiatives in the four information security areas of information security governance and strategy, product security, enterprise information security, and data protection.
In order to achieve effective information security governance, we are actively and continuously working to maintain and improve the comprehensive level of information security, including monitoring the operational status through regular internal information security assessments and regular information security education for all executives and employees.

Four Areas of Information Security
Information security governance and strategy Manage information security risks and formulate strategies.
Product security Ensure security of products across their life cycles, including the supply chain.
Enterprise information security Ensure enterprise information security, including cyber security, IT security, and physical security.
Data protection Ensure management of property damage risks by incorporating risk control processes that are compliant with legal obligations, and which include appropriate data classification and specification of privacy requirements, within our business procedures.

Promotion Structure

To ensure the appropriate management and protection of information security concerning the Olympus Group's business, the information security management structure is formed under the CISO with clear responsibility assignments. Under the direction of the CISO, and under a global governance structure that incorporates four information security areas, the Olympus Group will work to manage and ensure information security and fulfill its accountability to stakeholders.
In addition, the CAO, who is the executive officer in charge of the Olympus Group's information security function, reports to the Board of Directors, which supervises the execution of duties by executive officers. The current CAO has a wide background that includes experience in information security and cyber security involving project managing implementation of an IT system and IT security risk assessments.

Report on Information Security to the Group Executive Committee

Reports are made to the Group Executive Committee every month to ensure that management decisions are made promptly.

Report on Information Security to the Group Executive Committee

Initiatives (Management)

Information Security Risk Management

In order to carry out appropriate information security risk management, the Olympus Group implements the PDCA (Plan-Do-Check-Act) cycle, which includes assessment, analysis, planning and implementation based on functional areas, and review of implementation results, according to the necessary hierarchy. In the assessment process, we incorporate information from multiple third-party perspectives, including domestic and overseas regulatory ministries and agencies, government agencies related to information security, independent agencies, industry organizations, and threat intelligence vendors, as well as strive to gain a global understanding of our own situation.
In addition, in order to formulate effective countermeasures for the analyzed risks, we classify the risks appropriately and examine them from multiple perspectives, including our own initiatives, collaboration with relevant organizations, and risk assurance.

Risk Management Processes

The Olympus Group conducts third-party assessments, including a penetration test to evaluate vulnerabilities, as well as global monitoring of information security incidents, and takes measures to address risks according to any observed incidents.
The following table shows the global occurrence of information security incidents over the last three years.

Incidents FY2019 FY2020 FY2021
Total number of information security breaches or other cybersecurity incidents 0 0 0
Total number of information security breaches involving customers' personally identifiable information 0 0 0
Total number of customers affected by company's data breach 0 0 0
Total amount of fines/penalties paid in relation to information security breaches or other cybersecurity incident 0 0 0

Risk Mitigation

Incident Response

To respond to IT security incidents, we have clarified the global rules for IT security incidents, and the Information Security Governance Committee shares information on incidents as the situation demands. In order to maintain the effectiveness of our incident response system, we conduct training at least once a year. In light of the recent frequency of cyber attacks targeting companies that are responsible for social infrastructure, the incident response plan is constantly updated as necessary to ensure global information security.
Regarding product security, we have established a system to collect information on threats and vulnerabilities related to our products and analyze security risks, and are working to implement security measures as soon as possible.
As for data protection, we are implementing appropriate protection by classifying the importance of data from the perspective of compliance and risk control, as well as related laws and regulations, and introducing appropriate management methods.

Business Continuity Plans

In IT security, it is difficult to completely eliminate the occurrence of incidents. In addition to preparing measures to prevent incidents from occurring from various angles, the Olympus Group has established a system for rapid detection, analysis, containment and recovery without delay. Based on recent events such as cyber-attacks, the results of assessments of critical assets related to business continuity, and analysis of risk factors, we are working to formulate more advanced information security measures. Although there have been no significant incidents at present, we are improving our plans to enable prompt incident response based on the recognition of the increasing risk of cyber attacks targeting manufacturing and medical institutions.

Information Security Education

In order to ensure that information security is thoroughly implemented in our business operations, it is important to cultivate each employee's security awareness and the sense of ethics that is a prerequisite for such awareness. The Regional Information Security Manager appropriately monitors the implementation of education for all employees and strives to improve information security literacy. Education through e-learning and other means, as well as awareness of the information security policy and incident reporting process, is being implemented in all regions. For example, in Japan, we are providing e-learning to all executives and employees based on the rule of IT Security Incident Handling established in 2020, which sets specific standards for handling incidents.