Risk and Compliance

KIOXIA Group enforces global compliance with laws and regulations, internal rules, social and ethical norms, and progresses our risk and compliance activities.

Policy and Structure of Risk and Compliance

At KIOXIA Group, we strive to ensure compliance with all relevant laws and regulations, with social and ethical norms, and with our own internal rules. We underpin this with our commitment to fair competition and to serving the interests of our customers to the best of our ability.

KIOXIA has established a system whereby our Risk and Compliance Committee has all authority and responsibility with regard to issues of risk and compliance. We classify risks into categories including compliance-related risks, finance / accounting-related risks and business risks, and have established committees and review groups for each category to enable agile management. Each committee and review group reports on activities and status to the Risk and Compliance Committee on a timely basis.

Risk and Compliance Committee

Whistleblower System

In order to create an open work environment and reduce risk, KIOXIA Group operates a whistleblower system in addition to encouraging day-to-day communication within each workplace.

All employees are informed about this system through internal websites, emails and other means. The system is designed to protect the anonymity of whistleblowers and ensure that they are not treated disadvantageously.

The number of reports received and consultations undertaken through the whistleblower system in FY2019 was 83.

Of the reports received, those referencing inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts could be issued.

In cases involving consultations and questions about the duties of the informants themselves, we gave advice on how to deal with each situation.

For reports other than those that were anonymously submitted, in principle we explained the status of our responses to the informants.

Except in cases where consent has been obtained from the employee, the names or contact details of the informants are never disclosed.

Revision of KIOXIA Group Standards of Conduct and Compliance Training

KIOXIA provides compliance education through e-learning. In FY2019, employees received accounting compliance education and learned the importance of accounting knowledge and accounting awareness.

Compliance with Anti-Trust Law & Anti-Corruption Measures

KIOXIA Group enforces compliance with anti-trust law and is strengthening measures to tackle corruption globally.

Anti-trust and Anti-bribery Efforts

In the light of recent global regulatory trends, KIOXIA Group has been making rigorous efforts to prevent cartelization and bribery. In FY2019 specifically, the initiatives involved KIOXIA Group companies worldwide performing self-audits based on internal anti-trust and anti-bribery guidelines. Through these audits, KIOXIA Group aims to identify compliance levels at the companies concerned and to provide thorough compliance education.

KIOXIA promotes rigorous compliance with business-related laws and regulations by providing education, effectively utilizing databases that contain relevant information, and performing periodic self-audits.

In addition, KIOXIA’s compliance initiatives are objectively evaluated by external lawyers once a year. We make improvements aimed at reducing any risks identified by those third parties in order to continue to enhance our compliance structure.

Furthermore, KIOXIA is taking steps to raise compliance awareness among staff based on our own Standards of Conduct. In Japan, employees received e-learning training on sales-related risks during February and March 2020, in order to raise the standard of sales-related legal risk management.

Political Contributions

The KIOXIA Group Standards of Conduct stipulate that KIOXIA Group shall not provide inappropriate benefits or favors to any politician or political organization.

As part of its contribution to society, and when deemed necessary, KIOXIA does make transparent donations to political parties, in order to encourage the adoption of policies that will support our business and aid the healthy development of parliamentary democracy.

Where we make donations to political parties, procedures in accordance with internal rules are followed and, in the case of donations made in Japan, we ensure we are compliant with Japan’s Political Funds Control Law.

Donations and Provision of Funds

While the KIOXIA Group forbids the incurring of inappropriate expenses, we do stipulate that appropriate donations may be made to appropriate organizations. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the organization to society, its causes and the community aspects of its activities.

Continuing to Sever Relationships with Antisocial Groups

All KIOXIA Group companies have taken various measures to ensure that all links with antisocial groups are severed.

More specifically, we have developed and implemented “Basic Public Relations Management Rules” and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with any antisocial groups. If during those background checks the need arises for further investigation, our Human Resources and Administration Division will verify whether there is any evidence of the customer's relationship with antisocial groups.

We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as being part of an antisocial group.

We also continuously ensure that employees understand the importance of excluding antisocial groups from the business they conduct.

Information Security Management

Information Security Policy

KIOXIA Group regards information handled in the course of its business activities, such as personal data, customer information, management information, and technical and production information, as important assets. We accordingly adopt policies aimed at ensuring that all corporate information is managed confidentially and is not disclosed, leaked or used inappropriately. These include a fundamental policy whose stated aim is "to manage and protect such information assets properly, with top priority on compliance." The policy is stipulated in the chapter "Information Security" of the KIOXIA Group Standards of Conduct, and awareness of it among managers and employees is encouraged.

In response to regulatory changes and changes in the social environment, KIOXIA revises those policies on an ongoing basis so as to rigorously manage its information security.

Structure of Information Security Management

Addressing information security as a management priority, KIOXIA Group has established an information security management structure under the supervision of the Chief Information Security Officer. Under this structure, the head of each organization (such as the head of each business site) and the president of each group company is responsible for information security.

The Risk and Compliance Committee deliberates matters that are deemed key in ensuring information security throughout the company. The Chief Information Security Officer formulates and enacts measures to ensure that internal rules related to information security are enforced in a problem-free, effective and definitive manner.

The Information Security Management Executive appoints the Information Security Implementation Managers, and is responsible for operation of the information security management system.

The Information Security Management Executive also provides guidance and assistance to all group companies under its control to ensure that they implement information security at a level equivalent to that of the KIOXIA Group.

KIOXIA has also established a similar management structure for the protection of personal data, and has a department external to the Secretariat (the Internal Audit Division) which conducts audits in accordance with JIS Q 15001.

Information Security Management Structure (As of FY2019)

Information Security Measures

KIOXIA Group implements information security measures from four perspectives (see the table below). The Cyber Security Center and the IT & Business Transformation Division incorporate these measures into regulations and guidelines and make them fully known to all KIOXIA Group companies through notices and briefings.

Implementation of Information Security Measures from Four Perspectives

Category / Description

(1) Organizational measures: establish organizational structure and rules
  • Periodic reviews of information security-related regulations
  • Development and maintenance of the information security management structure
  • Performance of audits, etc.

(2) Personal and legal measures: ensure adherence to rules
  • Regulation of information protection duties and disciplinary measures for any breach of the rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements, etc.

(3) Physical measures: support implementation of rules in terms of physical security
  • Carry-in/carry-out control of information devices
  • Facility access control, room / facility entry control
  • Securing of highly important information, etc.

(4) Technical measures: support implementation of rules in terms of technology
  • Virus protection and hard disk encryption of personal computers
  • Checking publicly accessible servers for vulnerabilities and enhancing their protection
  • Monitoring and controlling unauthorized access from the outside and information leakage, etc.

To protect against cyber-attacks, which are becoming more sophisticated every year, we have strengthened our efforts to block suspicious e-mails and trained all employees in the handling of targeted e-mail attacks. In addition, we have enhanced our network monitoring and in-house systems so that we can respond quickly to any virus incursion into the company systems.

Education, Inspection and Audit of Information Security Management

KIOXIA considers the autonomous implementation of the PDCA (Plan-Do-Check-Act) cycle by each division to be vital for ensuring the company’s information security. With this in mind, every division conducts an annual self-audit of its compliance with internal rules, for the purpose of formulating its own improvement plan.

All domestic and overseas Group companies also conduct annual self-audits in order to improve the level of information security at each of them.

Moreover, KIOXIA Group conducts annual training for all officers, as well as for permanent and temporary employees, in order to enforce strict compliance with in-house regulations.

Other programs include introductory training for new graduate employees, and training for the employees of subcontractor companies.

Response to Incidents Such as Leakage of Confidential Information

In the event an information security incident occurs, such as the leakage of confidential information, KIOXIA responds promptly in accordance with its information security incident reporting structure.

When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports it to the Implementation Manager. Upon receipt of the employee’s report, the Implementation Manager draws up all necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, KIOXIA implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the relevant corporate staff divisions.

Information Security Incident Reporting Structure (As of FY2019)

Status of Incidents Such as Leakage of Confidential Information

In FY2019, there were no incidents in which sensitive information held by KIOXIA Group companies was leaked, nor were there any complaints from relevant external individuals or regulatory bodies concerning personal data. We will continue to work to prevent information security incidents and to be fully prepared for any situation.

Risk Management with Business Continuity Plan (BCP)

Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses and ultimately affecting our stakeholders. KIOXIA Group implements measures to ensure the safety of employees and their families, to support the recovery of disaster areas, and to maintain business sites and factories.

The blackout that occurred in some districts of Yokkaichi on June 15, 2019 affected some operations at the KIOXIA Yokkaichi Plant. To minimize the impact on our customers, KIOXIA is implementing measures to prevent a recurrence and to mitigate any negative impact, including discussions with the electric power provider and the formulation of procedures for quick restoration in preparation for emergencies.