Information Security

Approach

MOL has established a system to combat the ongoing menace posed by cybersecurity threats with the aim of ensuring cybersecurity and reinforcing security for MOL Group firms in Japan and overseas as well as for our vessels.
We also take a comprehensive approach to strengthening security against cyber-threats, which includes organizing information security awareness training.


System

We established the position of Chief Digital & Information Officer (CDIO) to oversee moves to strengthen our information security systems. As the senior executive responsible for digital security, the CDIO instructs security managers and supervises implementation of information security measures; establishment of incident response systems; and the formulation and promotion of security enhancement policies such as training and education for MOL and MOL Group companies. Group company MOL Information Systems, Ltd. is responsible for information security management and supports the Group in the field of information systems, including the construction and maintenance of systems and networks to enhance security measures.
The Board of Directors is responsible for overseeing information security efforts, and appoints the CDIO.

Information Security
  • *1 Supervises the implementation of information security measures by our company and group companies, the establishment of incident response systems, and the formulation and promotion of policies to strengthen security through training and education.
  • *2 Strengthen security under the direction of the security officer.
    • (1) Collect information at all times about malware, unauthorized access, hardware and software vulnerabilities, and threats related to information systems managed by our company.
    • (2) Promote security measures for all information assets such as networks, information systems, and PCs.
    • (3) When a security incident occurs, the security officer instructs the executives and employees, the system owner, and the system administrator to take action. Analyze the security incidents that have occurred, summarize the scope of impact, measures taken, and measures to prevent recurrence, and report them to the security officer.
    • (4) Plan and implement education and training to deepen understanding of information security among executives and employees.

Emergency Headquarters for Serious ICT Incidents

MOL set up an organization for Serious ICT Incidents to respond swiftly and comprehensively to ICT incidents, including cyber security risks. We have not only established an emergency communication flow within the group, but also share information to prevent incidents from occurring.
We set out unified group-wide criteria to judge the severity of ICT incidents. In case of emergency, we gather information on the incident according to the severity level set by the criteria.
This led to the establishment of the "Emergency Headquarters for Serious ICT Incidents," under which not only management, but also the Corporate Planning, Secretaries & General Affairs, Corporate Communication, Marine Safety, Human Resources, Finance, and Information System divisions will respond quickly and appropriately to any threat or incident, in accordance with their roles.
Please refer to "Sustainability Data" for the number of serious ICT incidents.

Computer Security Incident Response Team (CSIRT)

We have established an internal entity called "MOL-CSIRT" to investigate any suspected fraudulent emails, malware or cyber-threats; to send reminder alerts in these cases; and to create awareness-raising programs utilizing the lessons learned from previous incidents. The aim is to mitigate the risk of cyberattacks against MOL and group company users in Japan and overseas. In addition, we regularly collect information on cyber risks and the latest security trends in collaboration with Japan's Ministry of Land, Infrastructure, Transport and Tourism and private organizations such as Transportation ISAC JAPAN, Nippon CSIRT Association and JPCERT/CC, utilizing it to update our information security measures.


Initiatives

Initiatives at Group companies in Japan and overseas

We strive to upgrade security and governance continually at MOL Group companies in Japan and overseas while ensuring full Group-wide compliance with internal security policies. We convene regular meetings attended by CIOs and relevant managers from Group companies to share the latest security information and to raise awareness of information security issues.

Vessel-targeted initiatives

At the 98th Maritime Safety Committee held by the International Maritime Organization (IMO), it was recommended that cyber risk management be included in the safety management system (SMS)*1 for ship operation.
In response, MOL is working to establish a Cyber Security Management System (CSMS)*2 encompassing the guidelines, and to develop technological measures for cyber security and an organizational system from a cross-sectional perspective.
In addition, we are constructing a network to ensure 24/7 online connectivity for MOL Group vessels while at sea to mitigate risks arising from cyberattacks, while also developing and implementing security countermeasures.

  • *1 Guidelines on actions for crewmembers to take, provided to prevent marine accidents caused by human errors.
  • *2 The management system established and documented for ship management companies and seafarers onboard vessels to effectively implement cyber security policies.

Ransomware Countermeasures

Corporate losses from ransomware attacks are on the rise. Recognizing that our company is also a likely target, we are working on preventive measures and damage reduction activities against ransomware attacks. Based on the results of an assessment conducted by an external security vendor and subsequent risk analysis, we have instituted a policy on ransomware countermeasures. Currently, we are progressing with plans to keep upgrading security in this area.

Information security education

Education for all employees

We provide regular security-related training to help increase awareness of security threats among executives and employees, including at contractors and partner firms. This involves conducting annual online training modules and anti-phishing drills for all employees, including vessel crewmembers and our people in Group companies worldwide.
For the results of e-learning, please refer to "Sustainability Data".

Incident Response Drills

Facing the threat of serious ICT incidents due to cyberattacks that have become increasingly sophisticated in recent years, we conduct regular incident response drills involving the CEO (as GM of the Emergency Headquarters for Serious ICT Incidents), the CDIO, the head of the division overseeing the response team, the presidents of Group companies, system administrators, and other personnel. We also take part in cross-sector exercises organized by the National center of Incident readiness and Strategy for Cybersecurity (NISC).