Risk Management: Cybersecurity
Our Approach
The use of digital data is essential for SUBARU in the course of its business activities. The use of digital data is not limited to traditional information systems but covers diverse realms, including facilities, products, and a whole range of services offered by SUBARU. Being aware of our social responsibility to handle digital data in these realms safely, we are undertaking cybersecurity protection activities Group-wide. In addition, in light of the current situation regarding the use of digital data, the Basic Cybersecurity Policy was revised in July 2024.
Scope of Cybersecurity for the SUBARU Group
Basic Cybersecurity Policy
Objective
SUBARU CORPORATION and its Group companies (hereinafter referred to as “the SUBARU Group”) put in place a Basic Cybersecurity Policy to protect all our conceivable products, services, and information assets from threats arising in the course of our business activities and earn the trust of our customers and society as a whole.
Scope
This basic policy applies to all executives and employees of the SUBARU Group, and also to the employees and other staff of SUBARU’s subcontractors.
Initiatives
- The SUBARU Group will comply with laws, regulations, and standards, as well as security-related contractual obligations to our customers.
- The SUBARU Group will put in place and operate management systems and internal regulations concerning cybersecurity.
- The SUBARU Group will establish cybersecurity measures tailored to our information assets and strive to prevent and minimize cybersecurity risks.
- The SUBARU Group will conduct monitoring for cybersecurity threats. Should a cybersecurity incident occur, SUBARU will address it swiftly and appropriately, taking steps to prevent recurrence.
- The SUBARU Group will strive to ensure cybersecurity by providing both executives and employees with education and training, as well as undertaking other efforts to raise their awareness of this issue.
- The SUBARU Group will continually review and strive to improve the aforementioned activities.
Revised in July 2024
Management System
SUBARU has established an organizational structure for the entire Group to maintain and improve cybersecurity. This includes appointing a Chief Information Officer (CIO) selected by the Board of Directors and the formation of the Cybersecurity Meeting with the CIO as its presiding manager. The Cybersecurity Meeting deliberates on cybersecurity activities discussed by each subcommittee and decides how to respond to cybersecurity issues in the SUBARU Group, formulate cybersecurity audit plans, and review rules and policies. In addition, the SUBARU Security Incident Response Team (SBR-SIRT) monitors security information on protected assets in times of normalcy, and in an emergency, works to quickly and appropriately protect and restore protected assets.
Targets and Metrics
Based on the belief that cybersecurity is the foundation of optimal governance, the SUBARU Group is engaged in the following activities to protect all stakeholders.
(1) Expanding the scope of SUBARU policies and rules to the supply chain
(2) Continuously strengthening cyber-resilience to support value creation
(3) Strengthening factory security to support monozukuri reforms
(4) Reinforcing vehicle cybersecurity to keep pace with vehicle development and complying with laws and regulations of each country
Recognition of Cybersecurity Risks
Within cybersecurity, we recognize that security, especially in the supply chain, is an important risk directly related to the overall safety and sustainability of a company. Inadequate security at this level could lead to the leakage of confidential information, the suspension of a business partner's business, or even the suspension of SUBARU's business, as well as product quality issues and a loss of trust. Therefore, it is critical to strengthen security measures throughout the entire supply chain. SUBARU Group will continue to provide customers with "Enjoyment and Peace of Mind" and prevent damage to the SUBARU brand value by strengthening cooperation with business partners, effectively managing these risks through regular security assessments and risk management, and increasing the resilience of the supply chain.
Initiatives
Support for Cybersecurity
Training Programs
In FYE March 2023, SUBARU conducted e-learning and video training programs based on cybersecurity management system documents in the three domains of In-Car (interior systems), Out-Car (exterior systems), and information systems.
Objective: Promote understanding of cybersecurity and mitigate practical security risks
Program details: Education on internal rules requiring compliance in each of the three domains
Course participants:
- For in-car system developers: 103
- For general employees and those related to information systems: 4,748
- Targeted attack email drills for SUBARU dealerships: 9,192
Conducting Internal Audits and Strengthening Security at Business Partners
We also regularly carry out internal audits based on our management system.
We have been strengthening collaboration with overseas Group companies since FYE March 2022 through regular information sharing and carrying out improvement activities in response to assessments based on company-wide cybersecurity regulations.
In recent times, due to the significant impact of cybersecurity at the supply chain level on SUBARU’s business continuity, we have launched activities to interview business partners about the status of their security measures and provide advice on how to strengthen security when necessary.
Personal Information Protection Initiatives
Within the SUBARU Group, to comply with personal data protection regulations both domestically, such as Japan’s Act on the Protection of Personal Information, and internationally, including the EU General Data Protection Regulation (GDPR), we have established internal structures, created regulations, and publicly disclosed our privacy policy.
We are also promoting activities across Group companies worldwide to establish management frameworks that enable the responsible utilization of personal information in compliance with these regulations.
Key Initiatives in FYE March 2024
1) Compliance with Japan’s Act on the Protection of Personal Information
- Specialized training for relevant SUBARU officers and SUBARU and Group company personnel (515 attendees)
- Identification and improvement of management issues by taking stock of personal information held by all departments
- Confirmation of a check sheet on the status of compliance with related internal rules at all departments and the implementation of a continuous PDCA cycle
- Proposals and support for improvement based on the state of management at 18 Group companies in Japan
- Survey to understand the state of dealerships in Japan to improve the level of dealership management
2) Compliance with overseas personal information protection regulations
- Specialized training for relevant SUBARU officers and SUBARU and Group company personnel (196 attendees)
- Inspection and verification of the handling of personal information overseas by relevant SUBARU departments and Group companies
In FYE March 2025, we will continue to monitor developments toward the enforcement of laws in Japan and other countries, as well as the implementation policies of those laws by relevant authorities to enhance the personal data protection efforts of SUBARU and our Group companies and dealerships worldwide.