Information Security Management

NSK’s Approach

The use of digital technology is expanding across an increasingly wide range of fields. At the same time, the volume of information and data is also increasing dramatically with the forms in which it is held and used continuing to diversify. In this business environment, in addition to the risks associated with information leaks and violations of laws due to the improper handling of information, there is also a higher risk of increasingly sophisticated cyberattacks, which could bring supply chain operations to a halt. Positioning information security management as one of its important management tasks, the NSK Group has established the NSK Group Basic Policy on Information Security and is working to reduce a variety of risks while strengthening its response to relevant laws and regulations. Moreover, we are promoting initiatives for more robust mechanisms and organizational structures, such as network countermeasures, against increasingly sophisticated cyberattacks.

◆Basic Policy and Management Standards and Rules

The NSK Group has established a basic information security policy and put in place subordinate rules and regulations. We review and expand this policy, as well as rules and regulations, in line with the enforcement and revision of statutory and regulatory requirements and changes in our operating environment. Moreover, we are working to ensure that information security rules and risk countermeasures are implemented throughout the organization via increased awareness, development, and education, as well as periodic checks on the status of their penetration.

Major Information Security-Related Regulations
  • NSK Group Basic Policy on Information Security: This policy sets out the objectives for the NSK Group’s information security (information security initiatives, handling of information assets, compliance with laws, regulations, and contracts, as well as education and continuous improvement).
  • NSK Group Information Security Management Standards: As the top information security directives in the NSK Group, these standards outline the principles for bringing the levels of information security management across the Group up to the same high standard.
  • NSK Group Information Security Procedural Standards: These rules stipulate measures to protect information assets, such as proper methods for handling information assets that need to be adopted across the NSK Group.

System

◆Information Security Management System (ISMS)

The NSK Group is enhancing its managerial resources with the power of digital technology and continuously transforming its business. This is a key priority in our Mid-Term Management Plan 2026 (MTP2026). We established the Information Security Division (IT Governance Department, Information Security Enhancement Group) under the Digital Transformation Division Headquarters at NSK Ltd., the Group headquarters, to enable the safe use of digital technology and to globally deploy information security enhancement measures that take into account the relationship between digital technology and cybersecurity. Moreover, information security-related risks are supervised under the Corporate Risk Management System and are discussed by the Board of Directors as an issue that concerns the Group as a whole. The Information Security Division regularly holds global meetings, working in cooperation with information security management committees in Japan, the Americas, Europe, China, ASEAN and Oceania, India, and South Korea. NSK is working to improve the information security management level of the entire NSK Group, and to plan and implement information security measures.

Furthermore, NSK has established a CSIRT* organization to quickly and appropriately respond to cyberattacks, aimed at preventing the spread of damage and facilitating swift recovery. NSK is also a member of the Nippon CSIRT Association.

* CSIRT is an abbreviation for Computer Security Incident Response Team, an organization that rapidly responds to computer security incidents.


Targets and Performance

◆Mid-Term Management Plan 2026 (MTP2026) Targets, with Targets and Performance for Each Fiscal Year
Policy
  • Respond to risks associated with the convenience of information handling due to the rapid development of information and communication technology and strengthen compliance with relevant laws and regulations
  • Establish a highly secure IT infrastructure to address increasingly sophisticated cyberattacks and take initiatives to strengthen the incident response structure
MTP2026 Targets
  • Strengthen security governance management operations
  • Strengthen cyber security risk countermeasures
  • Strengthen infrastructure security
FY2023 Targets
  • Continue efforts to improve the security maturity level based on official guidelines*
  • Continuously strengthen cyberattack response structure
  • Improve cybersecurity response capabilities with education and training
  • Establish a security-focused next-generation network and strengthen vulnerability management
Performance
  • Continued efforts to improve security standards and started strengthening global standards system
  • Strengthened plant incident response structure
  • Participated in the FY2023 Cross-Sectoral Exercise organized by the National center of Incident readiness and Strategy for Cybersecurity and Nippon CSIRT Association
  • Conducted incident response training at plants in Japan
  • Conducted information security inspections at business partners
  • Carried out regular education and training of various types in addition to the above
  • Strengthened technical measures to manage vulnerabilities
FY2024 Targets
  • Promote standardization at the global level
  • Improve cybersecurity response capabilities with education and training
  • Deploy global standard tools and platforms

* Official guidelines: A globally adopted guideline framework developed by professional cybersecurity organizations

Initiatives

◆Enhancing Information Security Management

By utilizing globally adopted guidelines and frameworks (NIST Cybersecurity Framework 2.0, CIS Controls, etc.) developed by professional cybersecurity organizations, NSK is forging a balanced approach to information security management in the context of people and organizations, processes, and technologies, while incorporating the concept of cyber resilience and working to strengthen these initiatives.

Status of Security Certifications

NSK has established a PDCA cycle for its information security management system, which includes periodic inventory and risk assessment of information assets and the formulation of plans for addressing and improving risk issues. As a result, we have acquired and maintain ISO/IEC 27001 certification, an international standard.

Enhancing Incident Response Capabilities

We are advancing technical measures to detect suspicious activities and security threats on information devices and networks. Information about detected incidents is analyzed by the Security Operations Center,*1 which then implements countermeasures. With this structure, we have established mechanisms for swiftly responding to security incidents. In addition, vulnerabilities that affect the entire NSK Group are monitored utilizing security rating services*2 and attack surface management (ASM).*3
In view of the significant impact of recent security incidents on the supply chains of other companies, we also carry out information security inspections at suppliers and strive to enhance their security level. Efforts are also underway to enhance the incident response structure at NSK plants to enable not only an IT response, but an OT*4 response to incidents, as well.

*1 Security Operations Center is an organization dedicated to detecting, analyzing, and taking countermeasures to cybersecurity threats.
*2 Security rating services quantify a company’s security measures to provide ratings that are useful in external and internal risk assessment and the formulation of countermeasures.
*3 Attack surface management is a series of processes executed to discover IT assets that are accessible from outside the organization (via the Internet) and to continuously identify and assess the vulnerabilities and other risks they present.
*4 Operational technology (OT) consists of plant and other facility control systems. Whereas IT deals specifically with information, OT is considered unique in that it interacts with the physical environment.
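The attack surface management footnote above describes a loop: discover the IT assets reachable from the Internet, then continuously identify and assess the risks they present. The following is an added example of that loop, not NSK's own tooling or a description of its ASM service. It runs over a constructed inventory (the kind of host/port/service/certificate data an external scan would report), compares it with a constructed previous snapshot to surface newly exposed and retired assets, and applies illustrative, assumed exposure rules (cleartext and remote-access services, an OT protocol reachable from the Internet, expired certificates) to produce a prioritized finding list. All hostnames, addresses, dates and rules are constructed for the example.

```python
"""Minimal attack surface management (ASM) loop over a constructed inventory.

Added example, not NSK's tooling. The inventory, the previous snapshot, the
assessment date and the exposure rules below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: what an external scan might report for assets
# reachable from the Internet (hostnames/IPs use documentation ranges).
CURRENT_SNAPSHOT = [
    {"host": "www.example-plant.test", "ip": "203.0.113.10",
     "ports": {443: "nginx 1.24"}, "cert_expiry": "2026-03-01"},
    {"host": "vpn.example-plant.test", "ip": "203.0.113.11",
     "ports": {443: "openvpn"}, "cert_expiry": "2025-01-15"},
    {"host": "hmi-test.example-plant.test", "ip": "203.0.113.12",
     "ports": {3389: "rdp", 502: "modbus"}, "cert_expiry": None},
    {"host": "ftp.example-plant.test", "ip": "203.0.113.13",
     "ports": {21: "vsftpd 2.3.4"}, "cert_expiry": None},
]

# Constructed previous snapshot: hosts seen in the last assessment cycle.
PREVIOUS_SNAPSHOT_HOSTS = {
    "www.example-plant.test", "vpn.example-plant.test", "legacy.example-plant.test",
}

# Fixed assessment date so the example is deterministic (assumption).
ASSESSMENT_DATE = date(2025, 2, 1)

# Assumed policy: services that should never be reachable from the Internet.
# Port 502 (Modbus) is included because OT protocols exposed externally are a
# direct bridge into plant control systems.
FORBIDDEN_PORTS = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext)",
    445: "SMB",
    3389: "RDP (remote access)",
    502: "Modbus (OT control protocol)",
}


@dataclass
class Finding:
    host: str
    severity: str   # "high" | "medium" | "low"
    description: str


def diff_inventory(snapshot, previous_hosts):
    """Return (new_hosts, removed_hosts) relative to the previous snapshot."""
    current_hosts = {asset["host"] for asset in snapshot}
    return current_hosts - previous_hosts, previous_hosts - current_hosts


def assess_asset(asset, previous_hosts, today=ASSESSMENT_DATE):
    """Apply the exposure rules to one Internet-facing asset."""
    findings = []
    if asset["host"] not in previous_hosts:
        findings.append(Finding(asset["host"], "medium",
                                "new Internet-facing asset not in previous inventory"))
    for port in asset["ports"]:
        if port in FORBIDDEN_PORTS:
            findings.append(Finding(asset["host"], "high",
                                    f"port {port} exposed: {FORBIDDEN_PORTS[port]}"))
    if asset["cert_expiry"]:
        days_left = (date.fromisoformat(asset["cert_expiry"]) - today).days
        if days_left < 0:
            findings.append(Finding(asset["host"], "high",
                                    f"TLS certificate expired {-days_left} days ago"))
        elif days_left <= 30:
            findings.append(Finding(asset["host"], "medium",
                                    f"TLS certificate expires in {days_left} days"))
    return findings


def run_asm(snapshot=CURRENT_SNAPSHOT, previous_hosts=PREVIOUS_SNAPSHOT_HOSTS,
            today=ASSESSMENT_DATE):
    """Assess every asset and return findings ordered by severity, then host."""
    findings = []
    for asset in snapshot:
        findings.extend(assess_asset(asset, previous_hosts, today))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.host))
    return findings


def summarize(findings):
    """Count findings per severity for a management-level view."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    new, removed = diff_inventory(CURRENT_SNAPSHOT, PREVIOUS_SNAPSHOT_HOSTS)
    print("new assets:", sorted(new), "| retired assets:", sorted(removed))
    results = run_asm()
    for f in results:
        print(f"[{f.severity.upper():6}] {f.host}: {f.description}")
    print("summary:", summarize(results))
```

The point of the snapshot comparison is the "continuously" in the footnote: a one-off external scan only tells you what is exposed today, while diffing successive inventories is what reveals an asset that appeared without passing through change management, which in the constructed data is the test HMI host exposing both RDP and Modbus.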

Training and Countermeasures against Cyberattack

NSK conducts annual drills simulating incidents triggered by cyberattack. In FY2024, we participated in the NISC/NCA collaborative drill* held by the Nippon CSIRT Association to verify whether our response structure would function effectively in the event of an actual incident. We also collaborate with regional system management departments to provide training on targeted attack emails to all employees who use a PC. Incident response drills at plants simulate attacks that have taken down internal plant systems and OT systems. We assess responses designed to ensure production continuity in the event of an emergency and make improvements to address identified issues. 

* NISC/NCA collaborative drills are cyber drills executed jointly by the National center of Incident readiness and Strategy for Cybersecurity (NISC) and Nippon CSIRT Association (NCA). NISC conducts an annual all-sectoral critical infrastructure provider drill (cybersecurity tabletop exercise) every December for NCA members.

Image from targeted attack email training

Educational content is displayed to employees who do not handle a suspicious email properly, in order to help employees thoroughly understand the appropriate actions to be taken.

◆Raising Information Security Awareness

Prevention of Information Leaks and Information Security Education

The NSK Group has established rules for classifying and appropriately handling information according to the confidentiality level of information assets, paying close attention to the handling of confidential information and striving to prevent information leaks. As far as the NSK Group’s training and education endeavors are concerned, the Group is working to maintain and raise employee awareness toward information security through periodic e-learning courses for employees in and outside Japan. We are also conducting training by employee category, including officers and Systems Management Department members, as well as for employees entering the company or personnel posted overseas.