Risk and Compliance

KIOXIA Group enforces global compliance with laws and regulations, internal rules, and social and ethical norms, and continues to advance its risk and compliance activities.

Policy and structure of Risk and Compliance

At KIOXIA Group, we strive to ensure compliance with all relevant laws and regulations, with social and ethical norms, and with our own internal rules. We underpin this with our commitment to fair competition and to serving the interests of our customers to the best of our ability.

KIOXIA has established a system in which the Risk and Compliance Committee holds full authority and responsibility for risk and compliance issues. We classify risks into categories, including compliance-related risks, finance/accounting-related risks and business risks, and have established committees and review groups for each risk category in order to enable agile management. Each committee and review group reports on its activities to the Risk and Compliance Committee on a timely basis.

Risk and Compliance Committee (As of FY2018)

Whistleblower System

In order to create an open work environment and reduce risk, in addition to encouraging day-to-day communication within each workplace, KIOXIA Group in Japan is enhancing its whistleblower system. We established this whistleblower system (hereinafter called "Risk Hotline") to collect internal information on violations related to the Standards of Conduct, particularly those concerning laws and regulations. In March 2019, we established the "Outside Lawyer Hotline" as a second whistleblower system to enable employees to use the system more easily. The existence of these systems has been communicated to all employees through internal websites and other media. The system is designed to protect the anonymity of whistleblowers and to ensure that they are not treated disadvantageously.

The number of reports received and consultations undertaken by the "Risk Hotline" and "Outside Lawyer Hotline" in FY2018 was 57.

Of the reports received, those reporting inappropriate situations, or concerns about inappropriate situations, were passed on to the relevant division so that instructions for improvement could be provided or alerts could be issued. In cases involving consultations and questions about the informants' own duties, we gave advice on how to deal with the situation.

For reports other than the anonymous reports described above, in principle we explained the status of our responses to the informants. Except in cases where consent has been obtained from the employee, the names or contact addresses of the informants are never disclosed.

Revision of KIOXIA Group Standards of Conduct and Compliance Training

KIOXIA provides compliance education through e-learning. In FY2018, employees received accounting compliance education and learned the importance of accounting knowledge and accounting awareness.

Compliance with the Anti-Monopoly Legislation & Anti-Corruption Measures

KIOXIA Group enforces compliance with anti-monopoly legislation and is strengthening its measures to tackle corruption globally.

Antimonopoly and Anti-bribery Efforts

In light of recent global regulatory trends, KIOXIA Group has been making rigorous efforts to prevent cartelization and bribery. In FY2018 specifically, these initiatives involved KIOXIA Group companies worldwide performing self-audits based on internal anti-trust and anti-bribery guidelines. Through these audits, KIOXIA Group aims to identify compliance levels at the companies concerned and to provide thorough compliance education.

KIOXIA promotes rigorous compliance with business-related laws and regulations by providing education, effectively utilizing databases that contain relevant information, and performing periodic self-audits. In addition, KIOXIA’s compliance initiatives are objectively evaluated by external lawyers once a year. We make improvements aimed at reducing risks identified by those third parties in order to continue to enhance our compliance structure.

Furthermore, KIOXIA continues to raise compliance awareness among staff based on its own Standards of Conduct. In Japan, employees received e-learning training on sales-related risks during February and March 2019, in order to raise the standard of sales-related legal risk management.

Political Contributions

The KIOXIA Group Standards of Conduct stipulate that KIOXIA Group shall not provide inappropriate benefits or favors to any politician or political organization.

As part of its contribution to society, and when thought to be necessary, KIOXIA does make transparent donations to political parties, in order to encourage the adoption of policies that will support our business and aid the healthy development of parliamentary democracy. Where we make donations to political parties, procedures in accordance with internal rules are followed and, in the case of donations made in Japan, we ensure we are compliant with Japan's Political Funds Control Law.

Donations and Provision of Funds

While the KIOXIA Group forbids the incurring of inappropriate expenses, we do stipulate that appropriate donations may be made to appropriate organizations. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the organization to society, its causes and the community aspects of its activities.

Continuing to Sever Relationships with Antisocial Groups

All KIOXIA Group companies have taken various measures to ensure that all links with antisocial groups are severed. More specifically, we have developed and implemented "Basic Public Relations Management Rules" and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with antisocial groups. If during those background checks the need arises for further investigation of the customer, the Human Resources and Administration Division verifies whether there is any evidence of a relationship between the customer and antisocial groups. We also periodically conduct surveys on customers with which we already have business relations. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as being part of an antisocial group.

We also continuously ensure that employees understand the importance of excluding antisocial groups from the business they carry out.

Information Security Management

Information Security Policy

KIOXIA Group regards information handled in the course of its business activities, such as personal data, customer information, management information, and technical and production information, as important assets. We accordingly adopt policies to ensure that all corporate information is managed confidentially and is not disclosed, leaked or used inappropriately. These include a fundamental policy whose stated aim is "to manage and protect such information assets properly, with top priority on compliance." The policy is stipulated in the chapter "Information Security" of the KIOXIA Group Standards of Conduct, and awareness of it among managers and employees is encouraged.

In response to regulatory changes and changes in the social environment, KIOXIA revises those policies on an ongoing basis so as to rigorously manage its information security.

Structure of Information Security Management

Addressing information security as a management priority, KIOXIA Group has established, under the supervision of the Chief Information Security Officer, an information security management structure under which the head of each organization, such as the head of each business site, as well as the president of each group company, is responsible for information security. The Risk and Compliance Committee deliberates matters that are deemed key to ensuring information security throughout the company. The Chief Information Security Officer formulates and enacts measures to ensure that internal rules related to information security are enforced in a problem-free, effective and definitive manner. The Information Security Management Executive appoints an Information Security Implementation Manager, who is responsible for operation of the information security management system.

The Information Security Management Executive provides guidance and assistance to all group companies under its control to ensure that they implement information security at a level equivalent to that of the KIOXIA Group.

KIOXIA has also established a similar management structure for the protection of personal data, and has a department external to the Secretariat (the Internal Audit Division) conduct audits in accordance with JIS Q 15001.

Information Security Management Structure

Information Security Measures

KIOXIA Group implements information security measures from four perspectives (see the table below). The IT & Business Transformation Division incorporates these measures into regulations and guidelines and makes them fully known to all KIOXIA Group companies through notices and briefings.

Implementation of Information Security Measures from Four Perspectives

Category / Description

(1) Organizational measures: Establish an organizational structure and rules
  • Periodic reviews of information security-related regulations
  • Development and maintenance of structure
  • Implementation of audits, etc.

(2) Personal and legal measures: Ensure adherence to rules
  • Regulation of information protection duties and disciplinary measures for any breach of rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements, etc.

(3) Physical measures: Support implementation of rules in terms of physical security
  • Carry-in/carry-out control of information devices
  • Facility access control, room/facility entry control
  • Locking of highly important information, etc.

(4) Technical measures: Support implementation of rules in terms of technology
  • Virus protection and hard disk encryption of personal computers
  • Checking the vulnerabilities of servers accessible to the public and enhancing their protection
  • Monitoring and controlling unauthorized access from the outside and information leakage, etc.

To protect against cyber-attacks, which are becoming more sophisticated every year, we have strengthened our efforts to block suspicious e-mails and trained all employees in the handling of targeted attack e-mails. In addition, we have enhanced our network monitoring and in-house systems to quickly cope with any virus incursion into the company systems.

Education, Inspection and Audit of Information Security Management

KIOXIA considers the autonomous implementation of the PDCA (Plan-Do-Check-Act) cycle by each division to be vital for ensuring the company's information security. With this in mind, every division conducts an annual self-audit of its compliance with internal rules, for the purpose of formulating its own improvement plan. All domestic and overseas Group companies also conduct annual self-audits in order to improve the level of information security at each of them.
Moreover, KIOXIA Group conducts annual training for all officers, as well as for permanent and temporary employees, in order to enforce strict compliance with in-house regulations. Other programs include introductory training for new graduate employees, and training for the employees of subcontractor companies.

Response to Incidents Such as Leakage of Confidential Information

In the event an information security incident occurs, such as the leakage of confidential information, KIOXIA responds promptly in accordance with its information security incident reporting structure.

When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports it to the Implementation Manager. Upon receipt of the employee’s report, the Implementation Manager draws up all necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, KIOXIA implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the relevant corporate staff divisions.

Information Security Incident Reporting Structure (As of FY2018)

Status of Incidents Such as Leakage of Confidential Information

In FY2018, there were no incidents in which sensitive information held by KIOXIA Group companies was leaked, nor were there any complaints from relevant external individuals or regulatory bodies concerning personal data. We will continue to prevent information security incidents, and are fully prepared for any situation.

Risk Management with Business Continuity Plan (BCP)

Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses and ultimately affecting our stakeholders. KIOXIA Group implements measures to ensure the safety of employees and their families, to support the recovery of disaster areas, and to maintain business sites and factories.