Basic stance and policy

As corporate DX strategies accelerate, new value is being created through enhanced interconnection of the physical world with information. We recognize that, in addition to enjoying the benefits DX offers, we can only sustain growth by taking on the critical challenge of managing risks related to cyberattack threats and information leaks that potentially involve information proprietary to the company and our customers and business partners. We must address risks associated with new initiatives, an example being intellectual property infringement spurred by recent rapid advances and applications of AI technologies.
Therefore, the Company has established the “AISIN Group Information Security Basic Policy” and is committed to systematic and continuous information security measures.

Promotion Structure

Responsibility and authority for information security measures and personal information protection rest with the head of the DX Strategy Center, which devises information strategies and IT investment plans aligned with the company’s business strategy and plays a key role in promoting information security. Under the head of the DX Strategy Center, the Information Security Promotion Department, a specialized security organization, has been established. We have thus built a framework for enabling the entire Group to respond swiftly to cyberattacks, internal misconduct, and other information risks.
Information security policies and countermeasures are proposed by the Risk Management Committee to ensure shared awareness across the Aisin Group. This approach is designed to fortify security standards and ensure the reliable implementation of countermeasures.

Information security framework diagram

Strategy

Data entrusted to us by customers and business partners, along with our internal business information, are critical assets. We will therefore properly identify changes in threats to the management of our company, as well as potentially troublesome technological advancements, and implement comprehensive groupwide countermeasures.

Key initiatives

Information security measures

Our information security program rests on three pillars: structure, response, and education. By centralizing security measures at the Group headquarters and implementing them globally without exception, we are bolstering our response to increasingly sophisticated cyberattacks and internal threats such as information leaks and strengthening our compliance with security-related laws across various jurisdictions.
In the event of a critical security incident with the potential to halt production, we promptly report the matter to the head of the DX Strategy Center and relevant risk management departments to initiate the investigation and analysis of the incident and deploy countermeasures, ensuring swift resolution and uninterrupted business.

Structure

  • We maintain a 24/7/365 monitoring system operated by specialized teams to address security threats across the entire Group.
  • We have established the AISIN Group Security Guidelines, a globally recognized standard compliant with international standards like ISO 27001*4, the TISAX*5 system, and the JAMA/JAPIA Cybersecurity Guidelines. This prepares us to meet customer security requirements and drives mutual advancement across the entire supply chain.

*4 ISO 27001: An international standard for Information Security Management Systems (ISMS). As of April 2022, six departments have obtained certification.

*5 TISAX: Trusted Information Security Assessment Exchange. A system where certification bodies undergo audits based on the VDA Information Security Assessment Criteria (VDA ISA) established by the German Association of the Automotive Industry (VDA). As of April 2025, ten locations worldwide have obtained certification.

Aisin Group Security Guidelines

| Management item | Response details |
| --- | --- |
| Organization | Promotion framework, rules, and procedures |
| Education | Educational programs, awareness, and training |
| Technological countermeasures | Asset management, access control, network, etc. |
| Physical security | Facilities, perimeter control |
| Incident/accident framework | Reporting framework and rules |

Countermeasures

  • With support from external experts, we deploy the latest security technology across the entire Group to address increasingly sophisticated and advanced cyberattacks, internal information leaks, and other security threats.
  • In anticipation of an expanding range of vehicles subject to various regulations, we are establishing a threat monitoring system centered on PSIRT. We are members of the Japan–US Automobile Information Sharing and Analysis Center (AUTO-ISAC)*6, through which we collect risk data from across the industry to use in furthering our own development. We are also working on security measures for vehicular products in compliance with ISO 21434*7.

*6 AUTO-ISAC: Automobile Information Sharing and Analysis Center, a North American automotive cybersecurity organization

*7 ISO 21434: A key international standard for cybersecurity measures in vehicles

Education

Tightening security requires all employees to take ownership and recognize security as an unyielding concern and to act accordingly. To this end, we implement groupwide initiatives including tiered training, education during events like overseas assignments, suspicious email response drills, and awareness campaigns during Information Security Awareness Month. For example, we implement post-training comprehension tests and solicit cybersecurity slogans from employees worldwide. These are published in the “Cybersecurity News,” distributed across the entire group, to encourage individual participation and foster security awareness.

Examples of education and awareness initiatives

(1) Tiered training upon joining the company or with promotion (twice/year)

(2) Training for specific circumstances, such as overseas assignments or integrating employees on secondment

(3) Suspicious email response training for all employees (three times/year)

(4) Awareness raising conducted during the company’s Information Security Awareness Month (yearly) and distribution of internal newsletters (monthly)

Personal information protection

Compliance with various national and regional laws, including GDPR*8, is crucial to personal information protection. The acceleration of DX strategies has necessitated the transfer of personal information between countries. Aisin has, therefore, established a groupwide SCC Agreement*9 among its Group companies to enable the transfer of personal information around the entire Group.
We continue to closely monitor laws in each jurisdiction, provide education and awareness to all employees, and work to secure personal information in our possession.
Furthermore, we have established a system to promptly respond to requests for disclosure or correction of personal information in accordance with the laws of each country. Note that in FY2025, there were no significant incidents involving the loss or leakage of personal information.

*8 GDPR: General Data Protection Regulation

*9 SCC contract: standard contractual clause