Information Security

Our Approach

In order to ensure the continuous improvement of information security, the TDK Group has built a global information security management structure based on its Basic Policy on Information Security and conducts activities accordingly.

Basic Policy on Information Security

General Direction

This Policy shall apply to the TDK Group.
The TDK Group shall work on maintenance and enhancement of the security of information, recognizing that it is indispensable to secure personal information and trade secrets (including information on or received from customers) appropriately, and ensure the correctness and accuracy of financial information as well as business continuity in order for us to make ourselves highly reliable and more satisfactory to our stakeholders.
All of us shall carry out the following six actions as our concrete guidelines for action.

Action Guidelines

  1. Observance of Laws and Regulations
    In the handling of information, we shall observe the laws and regulations of the respective countries and regions concerning “the prevention of alteration, leakage, unauthorized access, and unlawful use of information,” “requiring reliability of information and correctness in disclosure,” and “protecting personal information,” as well as “business requirements including terms and conditions of contracts with customers.”
  2. Information Security Management System
    We shall establish a system to manage and govern information security in an integrated manner and define its roles and responsibilities.
  3. Implementation of Measures for Risk Management
    We shall identify threats and vulnerabilities in light of confidentiality, integrity, and availability and implement sufficient measures in response to the risks. In addition, we shall make sure to implement the measures for information security through company regulations set in accordance with this Policy.
  4. Provision of Resources
    The management shall provide management resources necessary to execute this Policy.
  5. Continuous Improvement of Information Security
    We all shall endeavor to continue to improve the information security in response to changes in risks arising from transformation in internal and external circumstances.
  6. Strict Actions
    Should there be a violation of this Policy or the company regulations, the management shall take strict action in accordance with the Code of Conduct and the Work Rules.

Established July 1, 2005
Revised on April 15, 2016 (2nd edition)

Governance

TDK has set up the Information Security Committee under the Executive Committee to adopt measures in response to information security risks in the Group as a whole. The Information Security Committee is chaired by a corporate officer and reports to the Representative Director, President and CEO once every quarter and to the Audit & Supervisory Board members twice a year.
In addition, to strengthen information security governance throughout the TDK Group as a whole, TDK has set up deliberative bodies comprising representatives in each region around the world.

Information security management organization (As of April 1, 2024)

TDK requests the appointment of an information security administration manager in each company and operates a system by which a report is submitted to the Information Security Committee whenever, for example, an information security incident occurs or an employee notices something suspicious. In addition, based on the above governance setup, we stipulate the reporting route according to the seriousness and urgency of an incident. If a serious incident occurs or is detected, the Information Security Committee responds swiftly in conjunction with the Crisis Management Committee.

Information Security Education

To maintain and enhance information security throughout the entire TDK Group, we implement information security education and email training for all employees more than once a year.

Strategy

Since such occurrences as the stoppage of production, sales, marketing, R&D, and other activities due to cyberattacks and the loss of trust and reliability due to the leakage of information have a serious business impact, TDK considers information security to be an important management issue.
To prevent the occurrence of damage and to minimize damage in the event of an incident, TDK is strengthening information security measures based on the Cybersecurity Framework of the US National Institute of Standards and Technology (NIST) ((1) govern, (2) identify, (3) protect, (4) detect, (5) respond, (6) recover).

[Principal Measures]

  • Building of Zero Trust ((2) identify, (3) protect, (4) detect)
    To prevent the occurrence of damage and to minimize damage in the event of an incident, we will tackle the building of Zero Trust. Zero Trust means constantly restricting and monitoring access to all users, devices, and networks, thus preventing attacks from outside and controlling internal proliferation.
  • Supply-chain security ((1) govern)
    To prevent TDK’s business activities from coming to a halt, we will assess the state of information security and make improvements not only at TDK but at all TDK Group companies.
  • Measures to counter the risk of internal irregularities ((3) protect, (4) detect, (5) respond)
    To prevent the loss of trust and reliability due to the leakage of information, we will prevent internal irregularities by using AI monitoring tools, etc.
  • Incident response ((5) respond, (6) recover)
    We have established the Computer Security Incident Response Team (CSIRT) as an organization to respond to information security incidents in a manner that minimizes damage and enables speedy recovery, and we have stipulated our response setup and response plan should an information security incident occur in the Computer Security Incident Response Plan (CSIRP).

Furthermore, we will continue to expand education and training for employees, such as targeted email attack training, and respond to risks that cannot be covered by systems alone by drawing on the strengths of the entire TDK Group.

Risk Management

Regarding external risks, we carry out constant monitoring from the Internet side from the perspective of an attacker launching cyberattacks and swiftly take action on high-risk vulnerabilities requiring countermeasures. The results of this monitoring are reported to management, including the president, once every quarter.
Regarding internal risks, we report measures to counter the removal of information by employees to the Enterprise Risk Management (ERM) Committee and receive a review.

Metrics and Targets

Medium- to Long-Term Targets

  • Zero Trust
    To prevent the occurrence of damage and to minimize damage in the event of an incident, we will tackle the building of Zero Trust. Zero Trust means constantly restricting and monitoring access to all users, devices, and networks, thus preventing attacks from outside and controlling internal proliferation. We will build Zero Trust appropriate to TDK’s business environment.
Fiscal 2025 : Stipulate a definition of TDK Zero Trust and achieve the targets for the first fiscal year in every company of the TDK Group.
Fiscal 2027 : Realize the achievement levels of TDK Zero Trust stipulated in fiscal 2025.

Goals and Achievements in Fiscal 2024

Fiscal 2024 Goal:
    Assessment of vulnerabilities by an external disclosure environment evaluation system: 800 or more points out of a total of 950 points for all assessed systems (Grade A)
Achievement:
    Achieved 800 or more points (Grade A) for all assessed systems.

[Main Achievements]

TDK strengthened information security measures in accordance with the NIST Cybersecurity Framework.

  • We evaluated vulnerabilities in all TDK Group companies as seen from the Internet (using an external disclosure environment evaluation system) and identified and improved vulnerabilities ((2) identify, (3) protect, (4) detect).
  • We checked the state of information security in our supply chain and supported improvements ((2) identify, (3) protect).
    TDK’s initiatives were introduced in the case list of Declaration of Partnership Building efforts compiled by Japan’s Small and Medium Enterprise Agency.
  • We blocked unauthorized cloud services by means of a mechanism to detect the state of use of dangerous cloud services ((2) identify, (3) protect, (4) detect).
  • We implemented training related to information security incidents ((5) respond, (6) recover).
  • As a measure to counter the risk of internal irregularities, we endeavored to prevent internal irregularities by introducing AI monitoring tools ((3) protect, (4) detect, (5) respond).
  • We renewed our subscription to cyber-risk insurance ((6) recover).
  • We implemented information security education and email training ((3) protect).

Evaluations and Future Activities

In fiscal 2024 we carried out constant monitoring from the Internet side from the perspective of an attacker launching cyberattacks. Based on cooperation among all TDK Group companies, we shared information on the progress of improvements for high-risk vulnerabilities requiring countermeasures, built both competitive and cooperative relations among companies, and took swift action, so we were able to achieve our goals.
Going forward, we will consider the building of Zero Trust to be a priority theme, clearly define TDK’s Zero Trust for all TDK Group companies, and build an even sounder information security setup.

Initiatives

We will consider the building of Zero Trust to be a priority theme, clearly define TDK’s Zero Trust for all TDK Group companies, and build an even sounder information security setup.
Zero Trust means constantly restricting and monitoring access to all users, devices, and networks, thus preventing attacks from outside and controlling internal proliferation. We will build Zero Trust appropriate to TDK’s business environment.

  • Supply-chain security
    To prevent TDK’s business activities from coming to a halt, we will deploy the following measures in all TDK Group companies and promote an understanding of the state of information security and improvements not only at TDK but in the supply chain as well:
      • Checking of the information security management setup and operational rules by questionnaires
      • Checking of vulnerabilities using an external disclosure environment evaluation system
      • Checking of actual operational conditions by individual surveys

[Introduction of TDK’s Declaration of Partnership Building initiatives]

TDK’s initiatives relating to supply-chain security were introduced in the case list of Declaration of Partnership Building efforts compiled by Japan’s Small and Medium Enterprise Agency.

Identification and improvement of vulnerabilities

We carry out constant global monitoring from the Internet side from the perspective of an attacker launching cyberattacks and swiftly take action on high-risk vulnerabilities requiring countermeasures. Furthermore, one or more times a year we implement third-party vulnerability diagnosis in the TDK Group so as to identify and remediate vulnerabilities in our information security management.

Strengthening of response to security incidents

We have established the Computer Security Incident Response Team (CSIRT) as an organization to respond to information security incidents and have stipulated our response setup and response plan should an information security incident occur in the Computer Security Incident Response Plan (CSIRP).
The TDK Group has formulated a Business Continuity Plan Relating to Information Security (IT-BCP) and stipulates in advance how to respond in the case of an information security incident arising. In addition, we implement IT-BCP training one or more times a year and, in light of the results, regularly review the plan.

Protection of personal data

Based on the TDK Privacy Policy, TDK endeavors to protect personal data and privacy. In addition, we stipulate the TDK Personal Data Protection Basic Policy as part of the TDK Privacy Policy, which is applicable to all personal data handled by TDK.

The TDK Group considers personal data also to be one aspect of information security, and we endeavor to properly manage personal data through our information security setup. We check the state of personal data management annually and make corrections and improvements in accordance with the results.
We have established the Personal Data Protection Subcommittee under the Information Security Committee. This subcommittee, which has been designated as the body in charge of protecting personal data, serves as the contact for inquiries related to the handling of personal data.

Filing of Complaints Regarding Privacy Violations

In fiscal 2024 there were no reports or receipt of complaints in Group companies concerning the infringement of customer privacy or the loss of customer data. We also do not use customer data for secondary purposes.