Information Security

Basic Approach to Information Security

MOL Group is committed to ensuring information security across the entire organization in accordance with the "MOL Group ICT Governance Policy" and the "MOL Group ICT Security Policy," in response to increasingly sophisticated and complex security threats.
We promote the establishment and continuous enhancement of information security frameworks across all business entities, including domestic and overseas group companies and vessels. In doing so, we implement strict controls to minimize risks such as unauthorized access, information leaks, destruction, and tampering, thereby ensuring the availability of operational systems as well as the integrity and confidentiality of all data.
In addition, we maintain a constant monitoring system to detect and respond promptly to potential cyberattacks and other threats. We also clarify the responsibilities of all executives and employees regarding information security and work to instill a strong sense of security awareness and behavior through training and education conducted at least once a year.


System

We established the position of Chief Digital & Information Officer (CDIO) to oversee moves to strengthen our information security systems. As the senior executive responsible for digital security, the CDIO instructs security managers and supervises implementation of information security measures; establishment of incident response systems; and the formulation and promotion of security enhancement policies such as training and education for MOL and MOL Group companies. Group company MOL Information Systems, Ltd. is responsible for information security management and supports the Group in the field of information systems, including the construction and maintenance of systems and networks to enhance security measures.
The Board of Directors is responsible for overseeing information security efforts, and appoints the CDIO.

Information Security
  • *1 Supervises the implementation of information security measures by our company and group companies, the establishment of incident response systems, and the formulation and promotion of policies to strengthen security through training and education.
  • *2 Strengthen security under the direction of the security officer.
    • (1) Continuously collect information about malware, unauthorized access, hardware and software vulnerabilities, and threats related to information systems managed by our company.
    • (2) Promote security measures for all information assets such as networks, information systems, and PCs.
    • (3) When a security incident occurs, the security officer instructs the executives and employees, the system owner, and the system administrator to take action. Analyze the security incidents that have occurred, summarize the scope of impact, measures taken, and measures to prevent recurrence, and report them to the security officer.
    • (4) Plan and implement education and training to deepen understanding of information security among executives and employees.

Emergency Headquarters for Serious ICT Incidents

MOL has set up an organization for Serious ICT Incidents to respond swiftly and comprehensively to ICT incidents, including cyber security risks. We have not only established an emergency communication flow within the group, but also share information to prevent incidents from occurring.
We set out unified group-wide criteria to judge the severity of ICT incidents. In case of emergency, we gather information on the incident according to the severity level set by the criteria.
This led to the establishment of the "Emergency Headquarters for Serious ICT Incidents," under which not only management, but also the Corporate Planning, Legal, Secretaries & General Affairs, Corporate Communication, Marine Safety, Human Resources, Finance, and Information System divisions will respond quickly and appropriately to any threat or incident, in accordance with their roles.
Please refer to "Sustainability Data" for the number of serious ICT incidents.

Computer Security Incident Response Team (CSIRT)

We have established an internal entity called "MOL-CSIRT" to investigate any suspected fraudulent emails, malware or cyber-threats; to send reminder alerts in these cases; and to create awareness-raising programs utilizing the lessons learned from previous incidents. The aim is to mitigate the risk of cyberattacks against MOL and group company users in Japan and overseas. In addition, we regularly collect information on cyber risks and the latest security trends in collaboration with Japan's Ministry of Land, Infrastructure, Transport and Tourism and private organizations such as Transportation ISAC JAPAN, Nippon CSIRT Association and JPCERT/CC, utilizing it to update our information security measures.


Initiatives

Initiatives at Group companies in Japan and overseas

We strive to upgrade security and governance continually at MOL Group companies in Japan and overseas while ensuring full Group-wide compliance with internal security policies. We convene regular meetings attended by CIOs and relevant managers from Group companies to share the latest security information and to raise awareness of information security issues.


Vessel-targeted initiatives

At the 98th Maritime Safety Committee held by the International Maritime Organization (IMO), it was recommended that cyber risk management be included in the safety management system (SMS)*1 for ship operation.
In response, MOL is working to establish a Cyber Security Management System (CSMS)*2 that encompasses the guidelines, and to develop technological measures for cyber security and an organizational system from a cross-sectional perspective.
In addition, we are constructing a network to ensure 24/7 online connectivity for MOL Group vessels while at sea to mitigate risks arising from cyberattacks, while also developing and implementing security countermeasures.

  • *1 Guidelines on actions for crewmembers to take, provided to prevent marine accidents caused by human errors.
  • *2 The management system established and documented for ship management companies and seafarers onboard vessels to effectively implement cyber security policies.

Strengthening Global ICT Security Measures

To enhance ICT security across the entire group, we are building a global monitoring framework. This includes the centralized collection and management of system logs and the use of AI-driven analysis to detect early signs of anomalies. A Global Security Operation Center (SOC) has been established to provide 24/7 monitoring. In the event of an incident, the SOC works in close coordination with MOL-CSIRT to enable a swift and effective response.


Information Security Vulnerability Analysis

We continuously collect vulnerability information from sources such as JPCERT/CC, IPA, NISC, the Transportation ISAC, and security vendors. Based on the severity and urgency of the information, we issue alerts and response requests to relevant system administrators and group companies to promote early remediation and reduce risk.
To visualize security risks associated with the group's internet-facing assets, we have implemented Attack Surface Management (ASM). This allows us to regularly check for vulnerabilities in IT assets accessible from outside the organization. For any vulnerabilities detected, we work closely with ICT personnel at group companies to implement tailored countermeasures.


Internal Assessment of ICT Infrastructure and Information Security Management Systems

To ensure information security and drive continuous improvement, we have established a group-wide security baseline, which is reviewed and updated annually. Based on this baseline, we conduct annual security assessments of each group company to verify their level of compliance. The results of these assessments are reported to the CDIO and relevant head office departments. For group companies that do not meet the required standards, we provide guidance and support to help implement necessary improvements.
In addition, we have established guidelines for ICT asset management and require each group company to regularly conduct inventories of their ICT assets. The collected asset data is centrally managed to ensure thorough lifecycle management and to enable faster responses to potential security risks.


Information security education

Education for all employees

We provide regular security-related training to help increase awareness of security threats among executives and employees, including at contractors and partner firms. This involves conducting annual online training modules and anti-phishing drills for all employees, including vessel crewmembers and our people in Group companies worldwide.
For the results of e-learning, please refer to "Sustainability Data".

Incident Response Drills

Anticipating the occurrence of serious ICT incidents caused by increasingly sophisticated cyberattacks in recent years, we conduct annual response drills involving key personnel such as the Head of the Incident Response Headquarters (President), the CDIO, heads of relevant departments responsible for countermeasures, presidents of group companies, and system administrators. We also participate in the comprehensive cross-sector cybersecurity exercises organized by the National Cybersecurity Office (NCO) of the Cabinet Secretariat.