Governance Cybersecurity

Policy and Basic Mindset

UBE Group Information Management Guidelines

We protect information and properly disclose our corporate information.

  1. We strive to protect personal information and the information of our business partners.
  2. We take every precaution in handling undisclosed corporate information (insider information) and the Group’s confidential information.
  3. We promptly and fairly disclose and supply accurate corporate information to stakeholders.

UBE Group Basic Policy for Information Security

The UBE Group will build a robust information security system and permanently prevent cyber security damage, thereby enhancing corporate credibility, developing relationships with stakeholders, and enhancing corporate value. In addition, the Group aims to earn the trust and recognition of society by appropriately disclosing, utilizing, and protecting data as well as appropriately managing the data assets of companies.

Scope

This policy applies to the UBE Group (UBE Corporation and its consolidated subsidiaries). It also applies to group companies that are not included in the scope of consolidation but share the network.

Goal

With a high level of security literacy among all employees and a robust information security system through the introduction of advanced security measures, we aim to be a leading security-oriented corporate group that can withstand various cyberattacks. To achieve this, we will implement the following measures.

  1. We will strengthen education and training to further improve security awareness among all employees.
  2. We will strengthen physical security measures at all business sites to prevent unauthorized intrusion.
  3. We will strengthen our technical security measures in response to evolving cyber threats and increase our cyberattack resilience.

Commitment

  • Maintain zero security incidents with external impact per year.
  • Maintain a 100% participation rate in information security education.
  • By the end of FY2027, achieve an information security assessment score of 900 by Secure SketCH.
  • By 2027, 100% compliance rate with regulations and standards in each workplace.
  • By 2027, targeted attack e-mail training: 5% or less open rate, 75% or more open notification rate.
  • By 2027, vulnerability assessments of all Group companies.

Responsible Departments and Review

The Information Systems Department is responsible for overseeing and managing this policy.

This Policy is subject to regular review once every three years, in alignment with the Medium-Term Management Plan. Any revisions, whether as part of a scheduled review or required during the period, will be deliberated and approved by the Information Security Committee.

Personal Information Protection (Privacy Policy)

The UBE Group has established the following Privacy Policy, and is taking initiatives to implement, maintain, and improve its measures for personal information protection.

  1. The UBE Group has established and shall comply with rules concerning the appropriate handling of personal information, taking into consideration the details and scale of the Group’s business. These rules pertain to the acquisition, usage, transfer, safekeeping, provision, and deletion of personal information.
  2. The UBE Group shall practice regulatory compliance with laws and ordinances concerning personal information protection.
  3. The UBE Group will carry out safety measures to ensure against incidents such as the loss, destruction, falsification, and leakage of personal information. Furthermore, the Group will act quickly to implement necessary corrective actions should any such incident occur.
  4. The UBE Group will regularly reassess and improve its policy on personal information protection.

Management System

Information Security Operation System

The UBE Group designates an Information Security Officer as the person with the highest responsibility for information security. The Information Security Committee supports and advises the Information Security Officer by proposing and discussing critical matters related to information security. This provides a framework for the Group to implement various initiatives designed to maintain information security.

Targets and Performance

With the goal of continuing to be trusted and valued by society, the UBE Group has set Key Performance Indicators (KPI) related to information security. We conduct various initiatives (for example, 1. Improving employee security literacy, 2. Strengthening and developing security countermeasures) to achieve our targets.

| Indicators (KPI) | Scope | FY2024 Performance | FY2024 Target | FY2025 Target | FY2030 (Medium- to long-term) Target |
| --- | --- | --- | --- | --- | --- |
| Number of security incidents affecting external parties | UBE Group (UBE Corporation and consolidated subsidiaries) and companies outside of consolidated targets using common networks | 0 | 0 | 0 | 0 |
| Information security evaluation score (points, deviation value) using Secure SketCH* | UBE Corporation (non-consolidated) | 853 points, 66.0 | 827 or more points, 65.0 or higher | 870 or more points, 66.5 or higher | 930 points, 67.0 or higher |

  • *Secure SketCH: Provided by NRI Security Technologies, Inc., this security evaluation service (the largest in Japan, utilized by over 7,000 corporations) provides a quantitative visualization of a company’s security evaluation, scoring it using points and a deviation value (compared to the average for companies in the chemical industry of a similar scale).

Initiatives

The department in charge of information security designates targets for each countermeasure (KPI) and strengthens security measures.

Enhancing employee security literacy

  • Information Security Education
    We conduct annual e-Learning for all employees.
  • Targeted Attack E-mail Drills
    We conduct drills and follow-up checks twice annually for all employees who use email.
  • Security Incident Response Drills
    We organize a Computer Security Incident Response Team (CSIRT), which conducts annual drills simulating a predicted viral infection and checks systems to ensure minimal damage due to security incidents.
  • IT-BCP Drills
    We prepare for the unlikely possibility of a disaster related to our data centers by verifying system environments and structures to reboot business systems at backup sites.

Strengthening and developing security countermeasures

  • We utilize a tool for evaluating countermeasures provided by an external third party to check the status of responses to each security guideline, compare them to industry averages, and improve measures that are falling behind.
    (METI’s Cybersecurity Management Guidelines, NIST’s Cyber Security Framework, etc.)
  • In accordance with new threats, evolving countermeasure technology, and industry trends, we add new security countermeasures when appropriate.
    (Attack Surface Management, Cloud Security Check, etc.)
  • We verify the status of the UBE Group’s global security countermeasures (including physical security countermeasures) and devise countermeasures to ensure we meet a higher standard.
  • We cooperate with the SCM Committee to understand the status of security countermeasures at major suppliers (conducting security inspections) and provide advice on methods for such countermeasures to enhance the security level across the entire supply chain.

Internal Audits

We regularly audit our status regarding internal information security as well as conformity and compliance with ISO and other standards. Audit reports and recommendations regarding revisions are given to information security supervisors.