Information is a critical corporate asset in promoting the use of data and advanced digital technologies. Through the creation of a robust cyber environment, the Daiichi Sankyo Group has implemented effective security measures against risks including the leakage and falsification of confidential information and production line stoppage.
Improvement and Strengthening of Information Security Management System
To ensure a stable supply of products and provide reliable information to customers, we have established a global information security policy.
We have also established a Head of Global Information Security role, and are taking information security measures on a global scale under this role's leadership. In addition, the CDXO*1, the chief officer of the digital domain together with information management functions, supervises digital transformation for the entire organization and oversees the conduct of its operations.
The information and system assets referred to in the information security policy include information on our business units, as well as our business partners and customers, and the data, media, information systems, and industrial systems that include the information. Additionally, we have standardized information management measures among Group companies in Japan and are continuously assessing them to ensure thorough information management. Meanwhile, in terms of information security, we aim to implement further enhancements of global security measures. To that end, we have established the Daiichi Sankyo Group Information Security Standard and are assessing compliance with it. We are making continuous improvements based on the results of these assessments.
In addition, starting in FY2023, such functions have been transferred to the digital transformation management department, “Global DX”, and information security for the entire Group is being further strengthened jointly with digital functions. In order to protect information resources from security threats, it is paramount to continuously raise the awareness of all employees. To educate employees about cyber-attacks and targeted e-mails, etc., an information security awareness campaign is executed on an ongoing basis at each of the Group Companies.
*1 Chief Digital Transformation Officer
Measures for Cyber Security
The CSIRT*2, the framework for dealing with incidents relating to computer security in enterprises, is managed under the leadership of the Head of Global Information Security in order to respond to the increasing number of cyber-attacks in recent years.
With the cooperation of external security partners, the security monitoring system operates 24 hours a day, 365 days a year, and a system is in place to respond swiftly to incidents that have occurred. It is important to collaborate with other organizations in the same industry as well as other industries to manage the threat of cyber-attacks.
In collaboration with external security teams such as external specialist organizations and other companies' CSIRTs, we collect information related to cyber security and propose and promote security measures for the Group.
Moreover, we aim to contribute to improving security not only within the Group, but also for the entire society by building cooperative relations with external organizations.
Accordingly, the Group is continuously engaging in activities centered on the CSIRT.
*2 Computer Security Incident Response Team
Measures for Operational Technology (OT) Security
To fulfill our mission of providing a stable supply of top-quality pharmaceutical products, we are implementing operational technology security (OT security) measures. These measures guard against risks of cyber-attacks to controllers and systems involved in the manufacturing process of pharmaceuticals.
Specifically, we are promoting security measures by designing a standard model based on recommended security technology measures for manufacturing sites, and evaluation and management processes for identifying and managing OT security risks. With these measures, we minimize risks in quality control that could jeopardize stable supply, helping provide pharmaceuticals to our patients.
Personal Information Security Initiatives
Personal information is essential to a company's business activities, but by its very nature, may cause irreparable harm to individuals if mishandled. Based on the Daiichi Sankyo Group Privacy Policy, a global standard for protecting personal information, we have established internal rules that comply with the laws and regulations of each country and region to ensure the safe management of personal information. We also regularly conduct training sessions to ensure that all employees are thoroughly trained to handle personal information in the most appropriate manner.
In addition, with regard to handling Individual Numbers in Japan, nicknamed “My Number” information, we regularly evaluate the security management status of “My Number” information at our vendors and conduct on-site audits.
Furthermore, we take appropriate measures such as providing e-learning programs in Japan to ensure that we understand our basic policies and management system.
Moreover, regulations regarding personal information are being tightened around the world, as evidenced by Europe's General Data Protection Regulation (GDPR). We are working to address the personal information protection laws and regulations that will be enforced in the relevant countries and regions.
We will continue to work on reducing risks and identifying issues at an early stage to prevent violations of the personal information protection laws and regulations.