MOL has established a system to combat the ongoing menace posed by cybersecurity threats with the aim of ensuring cybersecurity and reinforcing security for MOL Group firms in Japan and overseas as well as for our vessels.
We also take a comprehensive approach to strengthening security against cyber-threats, which includes organizing information security awareness training.
We established the position of Chief Digital & Information Officer (CDIO) to oversee moves to strengthen our information security systems. As the senior executive responsible for digital security, the CDIO instructs security managers and supervises implementation of information security measures; establishment of incident response systems; and the formulation and promotion of security enhancement policies such as training and education for MOL and MOL Group companies. Group company MOL Information Systems, Ltd. is responsible for information security management and supports the Group in the field of information systems, including the construction and maintenance of systems and networks to enhance security measures.
The Board of Directors is responsible for overseeing information security efforts, and appoints the CDIO.
MOL has set up an organization for Serious ICT Incidents to respond swiftly and comprehensively to ICT incidents, including cybersecurity risks. We have not only established an emergency communication flow within the Group, but also share information to prevent incidents from occurring.
We set out unified group-wide criteria to judge the severity of ICT incidents. In case of emergency, we gather information on the incident according to the severity level set by the criteria.
This led to the establishment of the "Emergency Headquarters for Serious ICT Incidents," under which not only management, but also the Corporate Planning, Secretaries & General Affairs, Corporate Communication, Marine Safety, Human Resources, Finance, and Information System divisions will respond quickly and appropriately to any threat or incident, in accordance with their roles.
Please refer to "Sustainability Data" for the number of serious ICT incidents.
We have established an internal entity called "MOL-CSIRT" to investigate any suspected fraudulent emails, malware or cyber-threats; to send reminder alerts in these cases; and to create awareness-raising programs utilizing the lessons learned from previous incidents. The aim is to mitigate the risk of cyberattacks against MOL and group company users in Japan and overseas. In addition, we regularly collect information on cyber risks and the latest security trends in collaboration with Japan's Ministry of Land, Infrastructure, Transport and Tourism and private organizations such as Transportation ISAC JAPAN, Nippon CSIRT Association and JPCERT/CC, utilizing it to update our information security measures.
We strive to upgrade security and governance continually at MOL Group companies in Japan and overseas while ensuring full Group-wide compliance with internal security policies. We convene regular meetings attended by CIOs and relevant managers from Group companies to share the latest security information and to raise awareness of information security issues.
At the 98th Maritime Safety Committee held by the International Maritime Organization (IMO), it was recommended that cyber risk management be included in the safety management system (SMS)*1 for ship operation.
In response, MOL is working to establish a Cyber Security Management System (CSMS)*2 that encompasses the guidelines, and to develop technological cybersecurity measures and an organizational system from a cross-sectional perspective.
In addition, we are constructing a network to ensure 24/7 online connectivity for MOL Group vessels while at sea to mitigate risks arising from cyberattacks, while also developing and implementing security countermeasures.
Corporate losses from ransomware attacks are on the rise. Recognizing that our company is also a likely target, we are working on preventive measures and damage reduction activities against ransomware attacks. Based on the results of an assessment conducted by an external security vendor and subsequent risk analysis, we have instituted a policy on ransomware countermeasures. Currently, we are progressing with plans to keep upgrading security in this area.
We provide regular security-related training to help increase awareness of security threats among executives and employees, including at contractors and partner firms. This involves conducting annual online training modules and anti-phishing drills for all employees, including vessel crewmembers and our people in Group companies worldwide.
For the results of e-learning, please refer to "Sustainability Data".
Facing the threat of serious ICT incidents due to cyberattacks that have become increasingly sophisticated in recent years, we conduct regular incident response drills involving the CEO (as GM of the Emergency Headquarters for Serious ICT Incidents), the CDIO, the head of the division overseeing the response team, the presidents of Group companies, system administrators, and other personnel. We also take part in cross-sector exercises organized by the National center of Incident readiness and Strategy for Cybersecurity (NISC).