Governance (2) Information security risk management system The Fujifilm Group has implemented information security governance for the entire group, with information security management organization set up under the chief information security governance officer, who is the executive officer in charge of the ESG Division. We also appoint the executive officer responsible for ICT as the chief ICT security officer who oversees the ICT security management organization and implements countermeasures for cyber security risks which are becoming increasingly important. The groupwide information security strategies are determined by the ESG Committee, chaired by the president of Fujifilm Holdings. Issues concerning these strategies are also regularly reported by the ESG Committee to the Board of Directors, which supervises compliance and risk management across the entire group. Measures regarding the information security are implemented by the information security managers in each organization. (3) Cybersecurity response system To ensure that all information on our products and services exchanged with our customers is secure and to safeguard business continuity, the Fujifilm Group has set up the Fujifilm Security Operation Center (Fujifilm SOC) to monitor information security for the entire Group. It has also set up the Fujifilm Cybersecurity Incident Response/Readiness Team (Fujifilm CERT) to be responsible for comprehensive surveillance of the entire Fujifilm Group, detect any signs of security incidents rapidly and respond swiftly to any incident to prevent damage from spreading. Highly sophisticated protective measures based on the concept of zero trust network access and connected continuously to a cloud server provide solid security in a user-friendly environment, ensuring both convenience and safety. With the risk of cyberattacks growing every day, groupwide action is being taken to identify all internal issues to be resolved in the event of a sophisticated attack. Our systems’ defense measures are being reviewed and strengthened from the outbreak of an incident and the initial response through to the recovery phase. (4) Employee training The Fujifilm Group believes that it is important for each and every employee to acquire the necessary knowledge and maintain a high level of awareness in order to prevent information security incidents and incidents or violations related to the handling of personal data. For this reason, e-learning programs on personal data protection are being conducted every year for all employees. Additionally, we conduct training on cyberattacks, including targeted attack emails, by actually sending emails posing as phishing emails to employees. This suspicious email handling training, aimed at increasing sensitivity to security through the experience of receiving such emails, has been conducted every year since 2011. 3. Identifying information security risks and countermeasures (1) Establishing an information security management system The Fujifilm Group ensures a uniform global security level led by our regional headquarters in Japan, the US, Europe, Southeast Asia, and China, based on the Information Security Guidelines and the Global Information Security Regulations, which complies with ISO/IEC 27001, the standards for an information security management system. The Information Security Guidelines define concrete security management methods that are globally applicable and each company manages their security accordingly. The guidelines include, for example, device encryption, mandating antivirus software installation, ID management and access control by building an authentication platform, and mandating installation of an email filtering system to prevent information leakage. 41 FUJIFILM Holdings Corporation Sustainability Report 2023