Throughout the entire Hitachi Group, including companies resulting from business reorganizations and companies that have been integrated as a result of M&As, we are working to ensure information security, IT compliance, and business continuity for internal IT, and are encouraging the standardization and sharing of IT.

We are engaged in a thorough application of IT controls, by establishing IT rules and standards as well as by performing self-diagnostics and internal audits.

From the percentage of self-diagnostic results submitted
regarding IT controls for FY 2024

(BUs^#1 and Hitachi Group companies) 

To mitigate internal IT risks, we require BUs and Group companies to comply with IT rules that define essential requirements for IT controls, focusing on areas such as information security, IT compliance, and business continuity. In addition, to promote compliance with regulations, we have created self-inspection checklists to verify the level of compliance with IT rules and guidelines, and have introduced a system that requires each BU/Group company to regularly conduct self-inspections of their own IT and take necessary corrective measures. Furthermore, if deficiencies are identified through internal audits conducted by the auditing department, we request corrective actions from BUs and Group companies to strengthen IT controls.

The self-inspection system is not limited to Group companies in Japan, it also applies to Group companies outside Japan. To ensure that the system is thoroughly implemented at BUs and Group companies, we clearly defined in advance the target companies for each business group and specified that the business group is responsible for ensuring their subsidiary companies conduct self-inspections. As a result, the self-inspection implementation rate has remained above 90% since FY 2020. Aiming for an implementation rate of 100%, we are continually enhancing our efforts through cooperation with business group leaders.

Also, Hitachi provides BUs and Group companies with services (such as authentication and antivirus measures) that are necessary for compliance with IT rules and guidelines. In response to the increase in cyberattacks in recent years, we clarified guidelines on measures against software vulnerabilities that pose particularly high risks, and are providing services that support BUs and Group companies in implementing the measures. We are also using these services to help BUs and Group companies that find it difficult to take adequate measures on their own to improve their response capabilities.

As business integration through M&A and other events increase, we are strengthening measures to reduce IT risks at an early stage for related BUs and Group companies. Specifically, from the aforementioned self-inspection checklist, we will select priority items (such as vulnerability countermeasures) that integrated companies should comply with as a matter of priority. We require the parent company of the business group that conducts M&A to ensure that the self-inspection of priority items is performed by the integrated company and, if any deficiencies are found, ensure that corrections are made by the specified deadline.