Information, Product, and Cyber Security Policy

Article1: Purpose

Olympus is committed to providing products and services that are essential to healthcare services and that help make people’s lives healthier, safer, and more fulfilling.
To help make this possible, Olympus strengthens the cyber resiliency of Olympus’ products and services throughout the product life cycle, and the cyber resiliency of Olympus’ business operations including enterprise systems.
The purpose of the "Information, Product and Cyber Security Policy" (hereinafter referred to as the "Policy") is to clarify the principles for Olympus to strengthen cyber resiliency.

Article2: Scope of application

This Policy shall cover Olympus’ information, product, and cyber security. It shall apply to all Olympus’ products, services, all information assets related to information security, and all users authorized to access Olympus’ systems and data, including but not limited to employees, contractors, subcontractors, and other third parties.

Article3: Definition of terms

No. | Terminology | Definition
1 | Cyber resiliency | The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.
2 | Information assets | Systems, programs, data, or other knowledge that are valuable to Olympus, e.g., processes, trade secrets, data used in development and manufacturing, customer data, and personal data, created by Olympus or received from third parties in business activities.

Article4: Information, product, and cyber security risk awareness and leadership

Olympus shall recognize information, product, and cyber security risk as one of the key risks that could seriously impact our business and healthcare services in which our products and services are involved.

Article5: Establishment of a management system for information, product, and cyber security risks

Olympus shall establish an information, product, and cyber security management system based on the corporate strategies. In doing so, it shall be consistent with the risk management systems of other functions of Olympus.
Olympus will follow industry best practices to continuously improve information, product, and cyber security levels.

Article6: Implementation of information, product, and cyber security management

Olympus shall conduct information, product, and cyber security risk assessments, and establish and implement a security management process to develop plans to reduce identified security risks, monitor implementation status, and improve plans.
Olympus’ employees shall be knowledgeable about information, product, and cyber security and take appropriate actions to protect the information assets of the Olympus group.

Article7: Supply chain security

Olympus shall identify information, product and cyber security risks in the supply chain and cooperate with supply chain partners to implement security risk management that does not stop healthcare services.

Article8: Establishment of a structure to prepare for and respond to incidents

Olympus shall organize a structure and management process to proactively detect and discover vulnerabilities in our products or services.
Olympus shall organize a management system to provide appropriate distribution of remediation or mitigation and information disclosure in a timely manner whenever a vulnerability is identified in our products and services.
Olympus shall organize an emergency response structure in case of an incident.
Olympus shall develop a recovery plan and response process for rapid business recovery and confirm and review its effectiveness through exercises.

Article9: Communication with healthcare industry

Olympus shall collaborate with customer healthcare institutions, business partners, as well as industry associations and government agencies, to proactively disclose and share information and conduct training to strengthen our ability to resist cyber threats.