The TOTO Group recognizes that the protection and appropriate safety management of its information assets and all other management assets held by the TOTO Group are an extremely important social responsibility. The TOTO Group ensures that all of its employees understand this policy, strives to provide products and services that customers feel secure using, and continuously improves its security. Through these efforts, the TOTO Group aspires to be a company that is trusted by its customers.
We apply the Supplier Code of Conduct to our suppliers. The Code establishes clear information security requirements, including measures to prevent information leakage.
The TOTO Group considers information security as a key management challenge and has established a governance structure linked to a company-wide risk management system that is overseen by the Board of Directors. The Risk Management Committee comprehensively manages and monitors company-wide risks, and the Representative Director delegates authority regarding risks related to information security, including cybersecurity, to the Committee. Accordingly, the Committee monitors these risks. It reports to the Board of Directors once a year (for a management review), thereby ensuring the effectiveness of the management’s oversight system. (For more details on our company-wide risk management system, visit the Risk Management page.)
IT Strategy Promotion Committee (meets twice a year)
This is a specialized committee that has been delegated authority by the Representative Director to specifically deliberate and promote the overall IT strategy, including information security, with the Director in charge of Information System Planning serving as the chair.
Consisting of the president, other relevant directors and relevant division heads as its members, the Committee consistently manages and implements the entire process, from developing overall policies from a medium- to long-term perspective to monitoring the progress of implementation plans.
Information Security Promotion System
*Chairperson: Executive Officer in charge of Information System Planning
Vice Chairperson: General Manager of Information System Planning Division
Committee Members: Related Executive Officers including the President, and General Managers of related divisions
The TOTO Group has established fundamental rules for its information security management system and conducts its business in accordance with the TOTO Group Security Policy. Under the information security management system, the director in charge of information security supervising division serves as the supervising manager. Led by the responsible divisions, the system conducts information security risk assessments, sets information security objectives, formulates promotion plans, and liaises with the internal audit division. With the guidance of the information security supervising manager, members repeat the PDCA cycle and the Risk Management Committee conducts regular reviews to develop a highly effective management system.
Tomoyuki Taguchi, who is a director with a background in information security, serves as the Chief Information Security Officer and is responsible for controlling the information security management system. He possesses specialist knowledge in the fields of IT and digital technology, as well as legal and risk management, and has been in charge of the Information System Planning Division and the Risk Management Supervising Division since April 2018, gaining extensive experience in the field of information security.
Initiatives to Increase Effectiveness
Conducting Self-inspections and Risk-based Audits
All Group companies, both in Japan and overseas, are required to perform regular self-inspections. The Group has adopted a risk-based approach that focuses internal audits on sites requiring improvement based on the inspection results.
We comply with international standards for information security (e.g., NIST) and continue to perform objective and technical verifications.
Introduction of Attack Surface Management (ASM)
In fiscal 2025, the ASM was introduced with the assistance of an external specialist company. Since then, system vulnerabilities have been constantly analyzed and prioritized to implement countermeasures against cyberthreats.
Regular Assessments and Testing
Vulnerability assessments are conducted on all externally accessible servers (once a year). Additionally, experts perform penetration testing on critical servers that handle personal information (once every two years).
Countermeasures against Cyberattacks
System-based defenses are in place, including the implementation of antivirus software, EDR, data encryption, and various security devices (e.g., firewalls and behavior-based malware detection).
The TOTO Group has established TOTO-CSIRT, a specialist organization, and the Contact Center in Crisis and Emergency to ensure early resolution and to minimize damage in the event of exposure to IT-related risks, including cyberattacks and information leakage. The Group has established a system in which we work with an external specialist company (SOC) to monitor threats 24/7 during normal operations, and in the event of an emergency, management takes immediate command based on the established criteria for risk response level. By doing so, we are building robust resilience to minimize the impact on our business and fulfill responsibilities to our stakeholders.
24/7 Monitoring and Response
Our in-house specialist organization, TOTO-CSIRT, works with an external specialist company (SOC), which provides constant monitoring, to ensure the early detection and defense of threats.
Risk-based Escalation
The impact of incidents is defined on a three-tier scale (Levels A to C). We have established a workflow in which a task force led by the president will take charge of the response in the event of a critical incident (Level A).
Reporting Obligation of All Group Employees
To prevent delays in the initial emergency response, all Group employees are required to promptly report incidents to the Contact Center in Crisis and Emergency. (Visit “Establishment of Hotlines” on the Compliance page.)
The TOTO Group believes that raising the awareness of each employee is essential to preventing incidents. In accordance with the TOTO Group Security Policy, the Group continuously provides education to executives and employees (including temporary staff etc.) at all its Group companies in Japan and overseas to clearly establish each individual’s responsibility for the appropriate use of information assets.
Systematic Educational Programs and their Results
E-learning for All Group Employees (Once a Year)
The program materials include the latest examples of cyberattacks, as well as educational contents on security risks and ethics (consideration on bias) associated with the use of generative AI and are reviewed annually. The materials have been translated into multiple languages, and the e-learning course is conducted at all Group companies both in Japan and overseas. Through rigorous course management, we achieve a 100% program participation rate every year.
Practical Training and Continuous Information Transmission
The Group continues to conduct simulated drills against targeted attack emails (once a year) and publish security newsletters (four times a year) to share the latest attack methods and security alert.
The TOTO Group recognizes that the protection and appropriate safety management of its customer information and all other personal information held by the TOTO Group are an extremely important social responsibility. The TOTO Group ensures that all of its employees understand this policy and implements measures for promoting the protection of personal information. Through these efforts, the TOTO Group aspires to be a company that is trusted by its customers around the world.
In compliance with the Act on the Protection of Personal Information and the Act on the Use of My Numbers, the Group reviews its personal information protection guidelines as necessary and ensures that all Group employees fully understand the policy through e-learning and other means.
The Group strives to ensure personal information protection and management, as well as awareness raising, by establishing management systems for each division and Group company and conducting regular self-inspections, such as regular reviews of management ledgers. To ensure the thorough management of its contractors, the Group also requires them to conduct self-inspections as needed.
The Group has developed guidelines for the GDPR, the EU’s personal information protection law, and has made them known to all TOTO Group sites, including those overseas. At the same time, the Group implemented the necessary measures, primarily at its sites within the EU. It is also implementing appropriate measures to comply with personal information protection-related laws in other countries and regions.
お気に入りに保存しました