Information, Product, and Cyber Security
Basic Concept
The Olympus Group considers information, product, and cyber security (hereinafter, information security) risks to be important risks that not only directly affect our business but also could have a serious impact on our customer medical institutions and even on medical care itself. Appropriate information security risk management and incident response are also becoming increasingly important for maintaining and enhancing the Company's sustainable growth and the competitive advantage of our products and services. With regard to addressing information security risks, we believe it is important that measures are driven on a companywide basis rather than being limited to dedicated information security departments. Alongside internal collaboration, it is also crucial to actively communicate and collaborate with our customer medical institutions, business partners, industry associations, and government agencies.
We visualize risks from the perspective of corporate risk management, with uniform standards across the global Group, and implement risk management for each related function. In addition, through the implementation of a comprehensive and harmonized new governance model and strategy, we are particularly focused on achieving the following:
- Increase resilience to cyber-attacks not only in our general IT systems, but also in our products and services and in their development and manufacturing environments.
- Continuously ensure product security throughout the entire product lifecycle, including the supply chain, to ensure a consistent supply of products and services.
- Protect, manage, and securely utilize data of various types and confidentiality levels while further enhancing privacy protection based on the latest trends and regulations in each country and region.
Information Security Governance
In accordance with the corporate governance structure for overall management, the governance of our information security is realized by the execution function headed by our Chief Executive Officer (CEO) and by the Board of Directors (BoD), which supervises the execution function. In terms of the execution function, the CEO is accountable for information security to the BoD and to external stakeholders. The Chief Information Security Officer (CISO), under the supervision of the CEO, and a dedicated organization are responsible for the Group-wide risk management of information security and for the formulation and implementation of strategies based on that risk management. In the supervisory function, the BoD is ultimately responsible for supervision as part of the corporate governance for overall management, and the Audit Committee, in particular, is responsible for supervision as part of its audit of the execution of duties by executive officers and others. The CEO and the CISO, who make up the execution function, report to the BoD on the status of information security for the entire Olympus Group on a regular basis and as needed in response to changes in the environment. Furthermore, more frequent and regular reports are made to the Audit Committee.
In terms of a more detailed execution structure, depending on varied requirements in security capability and capacity by function, the following three-layer model is being applied to the security organizational development with a view to both effectiveness and efficiency: the Governance Layer, which oversees the formulation and execution of Group-wide information security strategies; the Management/CoE Layer, which oversees the formulation and execution of plans within each function and department based on the formulated strategies; and the Execution Layer, which is responsible for execution within each function and department.
We have clarified the responsibilities and collaboration methods for information security based on the following two domains: Enterprise Security (information security covering general IT systems and data governance) and Product Security (information security of our products and services). As for promoting understanding of and ensuring compliance with important laws, regulations, and internal rules related to the protection of personal information (Privacy Compliance), we are enhancing the structure under the supervision of the Chief Compliance Officer (CCO).
For risk management, the CISO and the dedicated organization conduct a Group-wide risk assessment that takes into account various external factors, such as trends in cyber-attacks outside the Company and industry best practices. Based on the risk assessment, the CISO and the dedicated organization formulate a medium-term strategy that reflects our business strategy, customer requirements, and legal and regulatory trends. Each function and department then implements risk mitigation measures based on the established strategy, thereby ensuring that risk mitigation follows uniform standards and is balanced throughout the Group.
In the event of a cyber-attack, it is important to have a crisis management system that can respond promptly, coordinate across the entire Group and with related organizations, and facilitate appropriate management decisions on a Group-wide basis. Therefore, in addition to the IT-SIRT in each region and the PSIRT, which are responsible for rapid incident containment and recovery, we are working to build a Global SIRT structure that supports collaboration among regions and functions/departments, coordination with related organizations, and decision making by the executive management team.
Number of Information Security Incidents and Breaches*1
The table below shows the number of incidents and breaches globally over the past three years. In the fiscal year ended March 31, 2022, IT systems in some regions in EMEA (Europe, the Middle East, and Africa) and the Americas (the United States, Canada, and Latin America) were subject to unauthorized access. Incident response was implemented in the affected areas, and various security enhancements were made based on the results of the analysis of those incidents. While no evidence of loss, misuse, or leakage of the Company's data was confirmed as a result of the unauthorized access in the EMEA region, some data may have been compromised in the Americas region. We have notified those who may have been affected.
| Item | FY2022 | FY2023 | FY2024 |
|---|---|---|---|
| Number of information security breaches or other cybersecurity incidents | 4 | 4 | 2 |
Related Information
- Olympus Group Information, Product, and Cyber Security Policy
- The Olympus Group Personal Information Protection Policy (Translation)
- Management Policies: Business Risks
- (Reference) Participation in a Simulation Drill for a Cyber Attack (Medical Cyber Security Council, May 19, 2021) - Japanese only
*1 The figures in the table are based on the disclosure standards of GRI 418-1 (2016). Where a definite figure cannot be disclosed because the investigation or monitoring of an incident's possible impact is still ongoing, the figure is shown as "-".