A new "Corporate Information Security Division" was established under the direct control of the president, to oversee all the Group's information security management. Since April 2020, it has integrated three functions that were previously separate: management of confidential corporate information and personal data protection, information system security, and product security. On April 2021, we have enhanced the structure and add members of Corporate Information Security Division.

In addition, we will invest more than ¥50 billion to implement technical security measures and establish sustainable information security management system so that we can achieve Level 3 or higher^*1 of the Cybersecurity Maturity Model.

The Executive Officer in charge of Information Security is responsible for the Group's overall information security management. Under this officer's direction, the Corporate Information Security Division is in charge of planning and implementing the Group's information security management structure and rules as well as activities to ensure the security of information systems. The Division is striving to ensure information security by working closely with each business group and office, which is the organization that actually utilizes and manages the data and systems.

As other companies suffered cyberattacks that affected their factory productivity, Mitsubishi Electric also formed a section to ensure factory security, thereby bolstering preparedness.
In addition, as part of PSIRT activities^*2 to promote product security measures, we were accredited as a CNA^*3 in November 2020 and we now assign CVE IDs^*4 to vulnerabilities that affect Mitsubishi Electric products and publish them by ourselves. This has strengthened a framework to practice efficient vulnerability handling with external stakeholders.

In the event an incident were to occur, reports and instructions would be given in keeping with this framework and appropriate responses would be taken to prevent secondary damage.

Business groups and offices (offices, branches, works [production plants]) issue instructions and guidance on information security to affiliates in and outside Japan. Paying special attention to the circumstances and special characteristics of overseas affiliates, the Corporate Information Security Division will build close cooperative relations with overseas regional representative managers at sites in the Americas, Europe, China, and other Asian countries to ensure information security.

1. *1 Framework for Cybersecurity Maturity Model certification set forth by the US Department of Defense. Level 3 or higher means that excellent security measures and management systems are put in place.
2. *2 PSIRT is an abbreviation for Product Security Incident Response Team, which works on the security quality of products and services.
3. *3 CVE Numbering Authority. CVE is an abbreviation for Common Vulnerabilities and Exposures.
4. *4 Internationally used vulnerability identifiers

1. *1 CSIRT: Computer Security Incident Response Team
2. *2 PSIRT: Product Security Incident Response Team

Global Activities

To maintain and improve the information security level of the Mitsubishi Electric Group as a whole, including overseas affiliates, various inspections are conducted under the above information security framework, as prescribed in the Guidelines to Information Security Management Rules for Affiliated Companies.

Management Principles

The Mitsubishi Electric Group practices confidential corporate information management and personal information protection utilizing a continuous improvement approach implemented using the Plan, Do, Check, Act (PDCA) cycle, and employs four security measures to ensure proper management and protection of confidential corporate information and personal information from the organizational, human, physical, and technological perspectives.

Information Security Regulations and Guidelines

Committed to living up to its Declaration of Confidential Corporate Information Security Management and Personal Information Protection Policy, Mitsubishi Electric Corporation has established information security regulations and guidelines alongside the four security measures, and reviews them as necessary to stay in compliance with current laws. In addition, we have similar rules for personal information protection and affiliates.

Information Security Inspections

The Mitsubishi Electric Group performs the following inspections as part of the C (Check) stage of the PDCA cycle at head office management departments, business groups and offices, and affiliates. These inspections focus on checking whether confidential corporate information management and personal information protection activities are being implemented properly by the Mitsubishi Electric Group as a whole, and on confirming the status of those activities. We review measures based on the results, and this leads to the A (Act) stage of the PDCA cycle.

These inspections are set down in the Confidential Corporate Information Management Regulations, which cover Mitsubishi Electric Corporation, and in the Guidelines for Information Security Management Regulations, which cover affiliates in and outside Japan.