Information Security Policy

In order to ensure the confidentiality, integrity and availability of its information systems, the Sumitomo Forestry Group is raising the security level of its systems through the enhancement of both the operational rules and technology aspects of information security. Recognizing that the protection of customer information is of particular and utmost importance, the Group continues to conduct employee training to ensure dissemination of the rules and verifies their level of awareness. Furthermore, we are continuously improving these initiatives to maintain a system that can respond to the latest threats at all times.

Development of Security Operations System

In terms of operational rules, we have compiled guidelines and checklists covering Group companies in Japan. The person responsible for the department in charge of information systems at each Group company in Japan conducts checks of the information security level every year. Moreover, we developed the same level of guidelines for overseas Group companies.

Increasing Employee Knowledge of Information Security

All employees of the Group companies in Japan, including temporary employees and part-time workers, are required to take training on information security every year through the intranet. It is required to pass the test to complete the course. Furthermore, in fiscal 2024, we conducted information security audits in collaboration with the Internal Audit Department in order to investigate on-site compliance with the guidelines and strengthen security measures. The audit covered 37 branch departments of Sumitomo Forestry and 10 Group companies in Japan.

Strengthening Information Security Measures

For the technical aspects of information security, the Group has introduced encrypted computer start-ups and data export restrictions on computers that are taken outside the Company.

We responded to the dramatic increase in information security risks brought on by the promotion of work from home during the COVID-19 pandemic. Sumitomo Forestry developed a VPN^*1 environment employing strong information security measure, which was expanded to all of the Group companies. Additionally, in fiscal 2023, we developed a support system for overseas Group companies and have been working to strengthen information security measures in line with the guidelines. In fiscal 2024, overseas Group companies continued efforts to raise their information security standards to the level defined by Sumitomo Forestry. For companies that have not yet met the targets, we will continue working toward achieving the standard level by the end of fiscal 2025.

Sumitomo Forestry had no information leaks, cyberattacks or other such issues in fiscal 2024 that had impact on our business operations.

*1A Virtual Private Network (VPN) is technology to expand a private network by configuring a virtual tunnel between users who connect over the Internet, etc.

Systems for Protecting the Privacy of Customers (Protection of Personal Information)

Sumitomo Forestry has formulated internal rules to safeguard the personal information of customers, such as the Personal Information Protection Policy and the Personal Information Protection Regulations. In addition, the Divisional Manager of the Corporate Division, who also serves as the Executive Officer responsible for general administration is designated as the chief executive in charge of protection of personal information, the head of each department is assigned as the supervisor and an information security officer is placed in each department. In these ways, the Company has established a protection system that extends from the Head Office through to each office.

The Company has also established a help desk within the Customer Service Department for inquiries regarding the handling of personal information. In addition, collective training is provided for the head and general administration representative of each department. E-learning is provided for all other employees and efforts are made to increase awareness among subcontractors in order to prevent personal information leaks. It is also mandatory for employees at Group companies to undergo e-learning training.

Systems for Managing Information Security

Management System at the Executive Management Level

The General Manager of the IT Solutions Department, under the supervision of the Divisional Manager of the Corporate Division, who also serves as the Executive Officer in charge of IT solutions and information security, is responsible for promoting information security measures for the Sumitomo Forestry Group, such as the formulation and management of rules and regulations, the proposal and implementation of technical measures, the education and training of employees, and the investigation of accidents and implementation of countermeasures. The IT Strategy Committee is convened by the General Manager of the IT Solutions Department and includes the President and the heads of each division. At its meetings, regular reports are provided on social trends related to information security and the status of implementation of the Sumitomo Forestry Group’s measures, and instructions are given for further action.

Management System On-site

The person responsible as the information security supervisor in each department provides guidance and management for the execution of that department's operations and assigns an information security officer as the working-level manager for the department's information security.

Furthermore, the Group also holds regular meetings of the Information Security Promotion Personnel Council and the Affiliates IT Personnel Council, which are attended by the persons responsible for information security at departments of Sumitomo Forestry. The council raises awareness and ensures thorough compliance to the guidelines as well as promotes the introduction of information security systems.

The Risk Management Committee stipulates as one of its items for priority management the risk of confidential information leaks due to an outside attack and other causes. The committee shares information and discusses ways to prevent and reduce the impact of such leaks at committee meetings held regularly every quarter. In fiscal 2025, we have newly added "Strengthening Information Security at Outsourced Partners" (supply chain measures) as a priority item and are actively working on this initiative. These activities are reported to the Board of Directors and a system to reflect this in business execution is put in place.

The BCM Subcommittee installed under the Risk Management Committee conducts activities aimed to raise the efficacy of measures to mitigate Group-wide, IT-related business interruption risks.

Dalian Sumirin Information Technology Service (ITS) Co., Ltd., which provides housing CAD design both inside and outside the Sumitomo Forestry Group, system operation, back-office services, and other BPO services, has acquired ISO27001 certification for its information security management system.

In fiscal 2023, we sent IT governance officers from the Head Office to our overseas Group company in the U.S., and we are working to improve our IT governance management system, including information security. In fiscal 2024, the Timber and Building Materials Division obtained ISO 27001 certification for its information security management system in connection with the industry-specific quotation service (JUCORE Estimate) that it launched.

Initiatives to Strengthen Information Security

With threats to information security growing because of the spate of incidents involving leaks of personal information, targeted email attacks and other incidents, Sumitomo Forestry Group introduced EDR*¹ (next-generation security software) at Group companies in Japan including Sumitomo Forestry, and stepped up PPAP*² countermeasures following upgrades to email security infrastructure. In this manner, we continue to invest in solutions that will further enhance the information security of the Group. We have been executing information security diagnostics through simulated attack methods at least once a year on any system infrastructure with Internet access. In addition, a training program about targeted email attacks is implemented for all employees in Japan.

*1Abbreviation for Endpoint Detection and Response. A security solution that detects suspicious behavior on the user's computer or server (endpoint) and facilitates a quick response

*2A method of sharing files where the sender first sends a password protected zip file by email and then follows up with a second email containing the password to access the file. An abbreviation for (P)assword, (P)assword, P(A)ssword protection, (P)rotocol

Establishment of CSIRT

Sumitomo Forestry established a CSIRT*¹ in October 2022 to conduct monitoring for prevention of security incidents and to have an organization in place to implement appropriate response in case of an incident. In November 2023, we joined the Nippon CSIRT Association. In addition, we conduct annual practical training on response scenarios in case of an information security incident. We will continue to improve our incident response capabilities, mitigate information security risks, and promote information sharing and collaboration.

*1Abbreviation for Computer Security Incident Response Team. A dedicated team that addresses incidents considered to pose security threats