2.2 ｜ Compliance and Risk Management 2.2.8 Information Security 1. The environment and risks surrounding information security The costs resulting from cyber attacks are quickly increasing across the world recently, and the threat of such attacks could be even greater over the long term. As a corporation specializing in medical systems and IT solution services, information leakage from cyber attacks may be regarded as a violation of laws and we may be subject to considerable fines and compensation for damages. At the same time, such information leakage could easily cause a loss of trust by those customers who use our products and services. Also, even if a cyber attack is pinpointed on a limited but vulnerable site, the resulting damage may cause disruption to business operations across the world as multiple business sites are usually connected via networks today. Therefore, we enhance the information security management system and measures described below, with the awareness that information security risks are long-term threats that could have a serious impact on our business. 2. Development of an information security management system (1) Basic policy The Fujifilm Group has laid down its Information Security Policy as a group-wide action policy covering the following six items. All the employees share this Policy. Information Security Policy The Fujifilm Group establishes the Information Security Policy towards the maintenance and improvement of Information Security as one of critical issues in business activities in order to continue to be a reliable corporation under our open, fair and clear corporate culture, and to fulfill our social responsibility. 1. Preparation and observance of information security rules We prepare documents such as regulations and guidelines and ensure that they are fully complied with to follow this Policy, as well as to comply with all applicable laws, and regulations enforced in the regions in which we conduct business. 2. Establishment of information security management organization We clearly define the organization structure and responsibilities to implement information security measures appropriately and reliably. Under our information security management organization, we, as a member of society, appropriately provide information and actively collect information from external information security organizations. 3. Information security education We endeavor to raise awareness through enlightenment, education and training to implement information security measures appropriately and reliably. 4. Continuous improvement of information security measures We review various measures as necessary for continuous improvement based on risk assessments to respond to changes in legal or regulatory requirements and new information security risks such as cyberattacks. We also maintain and improve supply chain security of business partners and other parties. 5. Maintenance and protection of information assets We protect critical information including customer information, information of business partners, and company technical information from threats of leak, falsification, and loss by observing our code of conduct. We endeavor to ensure information security of our products and services to protect customer information. In case of a security incident, we will minimize the impact by a prompt initial response such as the prevention of damage propagation, and taking recurrence prevention measures. 6. Compliance with laws and regulations We comply with information-security-related laws and regulations enforced in the regions in which we conduct business, as well as contracts with customers and business partners. Adopted May 2013. Revised April 2021 40 FUJIFILM Holdings Corporation Sustainability Report 2023