Information Security
Basic Approach
DNP's strength lies in the information security technology and know-how it has cultivated through the utilization of information assets entrusted to it by companies and consumers, as well as its own information assets.
To fulfill our social responsibility as a company that handles a large amount of information assets, we will ensure the utmost security in the management and protection of information assets, while providing new value through safe and highly reliable products and services.
Policy
Promotion Structure
DNP has established the Information Security Committee and the Information Security Headquarters at its headquarters to inspect and provide guidance to business units and group companies. The committee is chaired by the Managing Director of headquarters.
In addition, an Information Security Committee has been established in each business unit and group company, with the head of each organization acting as chairman and personal information management officer. Under this committee, managers and inspection officers are appointed for each issue, such as education, security area measures, and information system measures. We have also been establishing Information Security Committees at overseas group companies since 2015.
Furthermore, in October 2021, we established the DNP CSIRT (Computer Security Incident Response Team) at our headquarters as a cybersecurity response organization, and are working to ensure rapid response to unforeseen incidents and maintain business continuity.
Under this management promotion framework, DNP is continuously strengthening information security and cybersecurity measures based on three pillars—organizational, personnel, and physical and technical measures—across the perspectives of prevention, detection, response, and recovery.
Indicators/Goals
Based on its fundamental approach to "information security," DNP sets priority indicators and target values, and uses them to drive continuous efforts.
| Indicator | Targets | FY2025 Results |
|---|---|---|
| 1. Implementation rate of information security compliance assessment | 100% implementation rate for business units and group companies | 100% (96 units/companies) |
| 2. Implementation rate of inspections and guidance for divisions implementing measures to prioritize personal information, etc. | 100% implementation rate for target divisions | 100% (36 times) |
| 3. Attendance rate of information security education and training | 100% participation rate in target divisions | 100% (approximately 44,000 participants) *Participants include support staff, etc. |
| 4. Security vulnerability testing rate for publicly available internet sites | 100% implementation rate for target sites | 100% (implemented for 397 systems) |
Strategy and Risk Management
Based on the concept of “Security by Design,” we incorporate security measures from the planning and design stages, utilize objective evaluations by external organizations to verify their effectiveness, and continuously pursue improvements.
At the same time, against the backdrop of increasingly sophisticated cyberattacks driven by the expansion of AI and data utilization associated with digital transformation (DX), technological innovations, and geopolitical risks, we recognize that it is difficult to completely prevent these risks. Accordingly, we are working to strengthen resilience based on the assumption that incidents will occur.
Organizational Measures
Maintaining internal procedures and rules
Personal information protection includes the development of the Personal Information Protection Policy and the Regulations within the Group. We also developed the Basic Personal Information Policy and Basic Personal Information Regulation, under which 9 standards have been established concerning information security, including those for document control, computer usage, outsourcing and procurement, restricted areas, education, website and social media. We rapidly send out notices and establish or revise our rules in response to new threats and risks, and we strive to ensure that employees are thoroughly informed about them.
Establishment of a management system
DNP obtained the Privacy Mark in July 2008 as a business operator compliant with the Japanese Industrial Standard "Requirements for Personal Information Protection Management Systems" (JIS Q 15001). DNP is committed to thorough compliance with laws and regulations and is promoting the establishment of a management system compliant with this standard. Furthermore, all business units and group companies that handle personal information in their business activities are actively pursuing Privacy Mark and ISO/IEC 27001 certifications.
Human Measures
Strengthening information security through human resources development
DNP provides ongoing education and training tailored to each level, from all employees to management, as well as continuous education and training for personnel specifically responsible for strengthening information security. We prepare teaching materials in 10 languages, including Japanese, to make sure our education covers all employees.
In addition, with a view toward the development of a "Plus-Security" workforce able to implement the necessary and sufficient security measures while also engaging in their regular assignments, DNP provides cybersecurity educational programs to approximately 30,000 employees of the DNP Group in Japan and overseas who have email addresses.
Promoting Information Security Measures in the Industry
To enhance personal information protection throughout the printing industry, DNP dispatches employees with sophisticated technical knowledge to the Information Security Subcommittee of the Japan Federation of Printing Industries. These employees participate in the planning and preparation of educational materials and in the organization of seminars. (Two DNP employees have been stationed there since 2004.)
Practical training for essential personnel involved with cyber attack countermeasures
Cyber Knowledge Academy, a Group company, has introduced the TAME Range training system from Israel Aerospace Industries (IAI) of Israel, a country advanced in cybersecurity, and holds lectures and exercises that incorporate a variety of actual cases ranging from typical attack methods to the most recent incidents.
To date, we have trained cybersecurity specialists by holding lectures, drills and various types of training for more than 8,900 security personnel from government agencies and approximately 410 organizations, including those in the information and communications, aviation and electric power sectors, not to mention eligible employees of the DNP Group (as of May 2026).
Physical and Technical Measures
Measures in divisions handling personal information
Various measures are in place at the Data Processing Offices handling personal information and other important data, including controls for entering/leaving a building (room) using biometrics to ensure that unauthorized persons cannot access the facilities, surveillance cameras that keep improper behavior in check and pocket-free uniforms for on-site workers so that data cannot be taken off-site. We also separate the locations where information is written to media, employ checks using metal detectors, implement and verify access logs, and reduce the number of employees engaged in the work of writing to recording media. These and other measures serve to further strengthen control.
Measures at operational bases using smart card employee IDs
DNP is promoting a variety of information security measures using smart card employee IDs. We are increasing the number of operational bases with a security gate system in which employees need the smart card to enter and leave the building or factory. We are also adding a function that requires smart card authentication when printing, enabling managers to manage multi-purpose machine usage logs centrally on a server.
Initiatives for the safe delivery of information
DNP has introduced a tool to prevent misdirected email, with such functions as destination identity verification and the temporary holding of outgoing mail. The aim is to prevent information leaks through misdirected transmission when employees send email outside the Group. In addition, we are operating a system that securely transfers the personal data of clients via a network.
Vulnerability analysis
DNP conducts vulnerability tests twice a year for all internet servers handling personal information that are run by the Group to ensure more secure and robust website creation and management.
DNP has also introduced a rating service that utilizes various types of data to objectively evaluate, analyze and visualize risks related to cyber security and promotes continuous monitoring and improvement of these risks.
Related Measures
Response to Cyber Attacks
Response through DNP CSIRT (Computer Security Incident Response Team)
As a supervising organization responsible for overall cybersecurity, DNP Group CSIRT will implement the following activities for the entire Group in Japan and overseas in addition to performing its basic functions of strengthening security.
- Visualize ICT infrastructure and implement countermeasure instructions based on security vulnerability information and confirm the status of application.
- Design of and proficiency in countermeasures in the event of any unforeseen circumstances (incidents)
- Instructions and support for various organizations in the event of any unforeseen circumstances (incidents)
- Education, practical exercises and awareness of cybersecurity
- Collaboration with external organizations such as the National Cybersecurity Office (NCO) and Nippon CSIRT Association
- Enrollment in and application of cyber risk insurance
Introduction of Zero Trust Network
Recent years have witnessed rapid changes in corporate activities and people’s lives spurred by such factors as the promotion of DX, the use of external clouds, and the adoption of remote work that has accelerated due to the COVID-19 pandemic. In response to these changes and with a view toward increasing security for the use of digital networks, DNP has adopted a Zero Trust Network, the concept of not trusting anything, strengthened internet access security and bolstered endpoint security for each type of terminal, such as personal computers and servers.
We will get a full picture of the zero-trust concept and continue to strengthen access control and vulnerability management, while also increasing the sophistication of our zero-trust procedures by, for example, establishing a 24-hour/365-day monitoring system. Through these efforts, we will work to enhance security measures on a global basis.
Training in measures against targeted attack emails
Advanced Persistent Threat (APT) emails are a criminal technique that has been in use for more than 10 years. Recently, however, the content of these emails has become more elaborate and this type of email has emerged as a major threat both in Japan and abroad. DNP has been responding to the threat by implementing four drills every year in which employees who have corporate email accounts, including the employees of overseas group companies, participate. The drills not only enable employees to understand the characteristics of targeted attack emails and take appropriate steps when attack emails are received, but they also prevent targeted attacks and minimize any damage such as information leaks.
Global deployment of information security management
DNP is striving to strengthen governance by transitioning from systems that were previously utilized individually by each overseas base to a shared system that maximizes use of the cloud. This transition will ensure conformance with security standards across the entire DNP Group at domestic and overseas bases, which have different environments and cultures.
Additionally, to promote information security management at overseas group companies, we are independently creating our own educational tools in 10 languages, including Japanese, as we promote initiatives globally to improve the information security literacy of our employees.