- Strengthen Cyber Resilience
Toshiba Group is engaged in businesses centered on energy, social infrastructure, electronic devices, and digital solutions, helping support people’s lives. We consider it our responsibility to leverage the knowledge and experience we have acquired through manufacturing since our founding, not just in the physical world but also in the online connected society that extends into all areas, in order to strengthen cyber security, protect society, and deliver peace of mind.
KPIs and Achievements
Self-assessment of cyber security management maturity*1
| FY2023 Achievement | 3.58 |
|---|---|
| FY2024 Target | Higher than previous fiscal year (upon reaching 4, remain at 4 or higher) |
| FY2024 Achievement | 3.62 |
| FY2025 Target | Higher than previous fiscal year (upon reaching 4, remain at 4 or higher) |
Number of AI experts*2
| FY2023 Achievement | 2,300 |
|---|---|
Percentage of employees using AI*3
| FY2024 Target | 30 % |
|---|---|
| FY2024 Achievement | 32 % |
| FY2025 Target | 40 % |
- *1: At key Group companies, Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, Toshiba Plant Systems & Services Corporation, Toshiba Development & Engineering Corporation (renamed Toshiba Unified Technologies Corporation on April 1, 2025), and NuFlare Technology, Inc.
- *2: At Toshiba, Toshiba Energy Systems & Solutions Corporation, Toshiba Infrastructure Systems & Solutions Corporation, Toshiba Electronic Devices & Storage Corporation, Toshiba Digital Solutions Corporation, Toshiba Tec Corporation, Toshiba Elevator and Building Systems Corporation, and Toshiba Lighting & Technology Corporation
- *3: Applies to employees across all Toshiba Group companies in Japan who use a PC in their daily work.
Toshiba Group’s cybersecurity visions
Toshiba Group has adopted a concept of “cyber resilience,” which encompasses information, product, control, and data security. The word “resilience” means the ability to bounce back or recover quickly. The term “cyber resilience” means the ability to minimize negative impact and recover quickly in preparation for security incidents such as cyberattacks. To realize cyber resilience, we have defined a set of parameters that contribute to minimizing the impact of security incidents on IT systems: 1) P, or preparation for security incidents, 2) M, or mitigation of loss due to security incidents, and 3) R, or the time required to respond to and recover from security incidents. Realizing cyber resilience requires enhancing P and M and reducing R.
Cyber Resilience and Incident Response Process Flow
Information Security Management
Policy on Information Security
Toshiba Group regards all information, such as personal data, customer information, management information, technical and production information handled during the course of business activities, as its important assets and adopts a policy to manage all corporate information as confidential information and to ensure that the information is not inappropriately disclosed, leaked or used. In view of this, Toshiba has a fundamental policy “to manage and protect such information assets properly, with top priority on compliance.” The policy is stipulated in the chapter “Corporate Information and Company Assets” of the Standards of Conduct for Toshiba Group, and managerial and employee awareness on the same is encouraged.
In response to regulatory changes and changes in the social environment, Toshiba Group revises the related rules on an ongoing basis so as to rigorously manage its information security.
When providing personal information and confidential information to outsourcing contractors, we request them to maintain confidentiality and comply with relevant laws and regulations in the same manner as Toshiba does, and to implement thorough training for employees handling the information.
We include in the contract terms the possibility of terminating the contract and seeking damages in case of violations of confidentiality obligations or personal information protection obligations as stipulated in the contract.
Structure of Information Security Management
Addressing information security as a management priority, Toshiba Group has appointed a Chief Information Security Officer (CISO), and each corporate staff division and Toshiba Group company has established an information security management structure under the supervision of the CISO.
The Cyber Security Committee deliberates matters that are necessary to ensure information security throughout Toshiba Group. The CISO formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective, and definitive manner.
At each division inside Toshiba, key Group companies, and subsidiaries and affiliates*1, the head of the organization serves as Information Security Management Executive, bearing responsibility for information security at their respective organization. The Executives provide guidance and assistance to Group companies in Japan and overseas under their control to ensure that they implement information security at a level equivalent to that of Toshiba.
Toshiba Group Information Security Management Structure
- Key Group companies and Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, and Toshiba Plant Systems & Services Corporation
- CSIRT: Computer Security Incident Response Team
Information Security Measures
Toshiba Group implements information security measures from four perspectives (see the table below). The Corporate Technology Planning Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Group companies through notices and briefings.
Furthermore, our Risk Compliance Committee treats cybersecurity as a key risk. The committee assesses the potential impact of cybersecurity risks and the status of our internal controls to determine priority measures.
| Category | Description |
|---|---|
| (1) Organizational measures: Establish an organizational structure and rules | |
| (2) Personal and legal measures: Ensure adherence to rules | |
| (3) Physical measures: Support implementation of rules in terms of physical security | |
| (4) Technical measures: Support implementation of rules in terms of technology | |
- EDR: Endpoint Detection and Response
To protect against cyber-attacks, which are becoming more sophisticated with every passing year, we introduced a function to block suspicious e-mails, enhanced our anti-virus measures for information equipment such as IoT devices, and trained all employees in handling targeted attack e-mails. We also utilize external threat intelligence to understand terminal vulnerabilities and prevent attacks before they occur. Additionally, our Security Operation Center (SOC) and CSIRT have established documented procedures for monitoring and incident response.
The expansion of cloud services and remote work has also increased the number of potential targets for cyberattacks. We are working to strengthen internal and external countermeasures, including by collecting and analyzing information on servers and network devices available on the internet, introducing mechanisms to understand vulnerabilities and configuration errors, and using attack simulation tools to assess the risk of security products introduced by the Company.
Under our information security management structure, we annually verify that all internal systems, such as systems that manage customer data, are being operated in accordance with the rules, including setting of access privileges and implementation of vulnerability countermeasures. To ensure that our most critical information is comprehensively protected, we maintain a database of the storage locations and management status for all data classified as “Top Secret” and “Confidential.”
Education, Inspection, and Audit of Information Security Management
Toshiba Group covers a diverse portfolio of businesses. To ensure Group-wide information security, it is vital for each Group company to rotate the PDCA (Plan-Do-Check-Act) cycle independently. Accordingly, Toshiba Group carries out an annual self-audit of its compliance with internal rules to identify issues and plan improvements. The Corporate Technology Planning Division evaluates the results of the audits and related improvements carried out by each Toshiba division, key Group companies, and subsidiaries and affiliates*1, and provides support and guidance where necessary.
In FY2024, the following key points were identified: (1) ID/password management, (2) reduction and organization of company information and management of external storage media, (3) security management at Group companies, and (4) manufacturing system security. In addition, with regard to key point (4), with ransomware countermeasures in mind, we confirmed the EDR (Endpoint Detection and Response) implementation status for devices connected to the Toshiba network and the status of virus scans for USB storage media. We confirmed that, overall, security was being maintained and managed effectively, and we reported these results to the Toshiba CISO. We will continue to review and advance our fundamental initiatives.
Toshiba Group companies in Japan have obtained ISMS certification*2 and PrivacyMark certification*3 according to their business areas, and have undergone external audits by ISMS certification bodies and the Japan Institute for Promotion of Digital Economy and Community (JIPDEC). ISMS certification has been obtained by 14 business divisions of Toshiba Group companies in Japan, including Toshiba Corporation. The PrivacyMark has also been obtained by 14 Toshiba Group companies in Japan, including Toshiba Corporation.
Moreover, Toshiba Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations. There are also programs about information security such as basic training, and introductory training for new graduate employees.
- *1 Key Group companies, and subsidiaries and affiliates: Key Group companies and Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, and Toshiba Plant Systems & Services Corporation
- *2 ISMS certification: A third-party certification system for the information security management system compliant with ISO/IEC 27000 series
- *3 PrivacyMark certification: A certification mark granted through third party assessment to businesses that have a system to ensure appropriate handling of personal information in compliance with Japan Industrial Standards (JIS) Q 15001: Personal Information Protection Management System–Requirements
Toshiba Group companies in Japan that have obtained ISMS certification
| No. | Certification Registration No. | Company Name | Certification Body |
|---|---|---|---|
| 1 | IC09J0282 | Toshiba Corporation (Komukai Complex, Security & Automation Systems Division) | Japan Audit and Certification Organization for Environment and Quality(JACO) |
| 2 | BSKS0018 | Toshiba Corporation, Defense & Electronic Systems Division, Komukai Complex (As of June 2025, the registration is scheduled to be changed from the current listing under Toshiba Infrastructure Systems & Solutions Corporation) | The Foundation for Defense Industries and Facilities Organization (BSK) System Certification Center |
| 3 | JQA-IM0111 | Toshiba IT-Services Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 4 | JQA-IM0130 | Toshiba Information Systems (Japan) Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 5 | JQA-IM1860 | Toshiba Digital Engineering Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 6 | JQA-IM0308 | Toshiba Digital Solutions Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 7 | IC15J0407 | Toshiba Digital Marketing Initiative Corporation | Japan Audit and Certification Organization for Environment and Quality(JACO) |
| 8 | JQA-IM0513 | Toshiba Tec Corporation (Shizuoka Business Center (Mishima)) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 9 | JQA-IM1163 | Toshiba Tec Corporation (Shizuoka Business Center (Ohito)) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 10 | JVAC-IM0006 | Toshiba Tec Solution Services Corporation | Japan Value-Added Certification Co., Ltd. (J-VAC) |
| 11 | JQA-IM0653 | Toshiba Unified Technologies Corporation (As of June 2025, the registration is scheduled to be changed from the current listing under Toshiba Development & Engineering Corporation) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
| 12 | IC21J0538 | Toshiba Business Expert Corporation(Business Support Division) | Japan Audit and Certification Organization for Environment and Quality(JACO) |
| 13 | IC11J0335 | TEC Information Systems Corporation | Japan Audit and Certification Organization for Environment and Quality(JACO) |
| 14 | JQA-IM0418 | Enterprise Business System Solutions Corporation (EBSS) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
*Toshiba Infrastructure Systems & Solutions Corporation was integrated into Toshiba Corporation on April 1, 2025.
Toshiba Group companies in Japan that have obtained PrivacyMark certification
| No. | Certification Registration No. | Company Name | Certification Body |
|---|---|---|---|
| 1 | 10300060 | Toshiba Corporation | Japan Information Processing Development Corporation(JIPDEC) |
| 2 | IC09J0282 | Toshiba I.S. Consulting Corporation | Japan Information Technology Services Industry Association(JISA) |
| 3 | 11820188 | Toshiba IT-Service Corporation | Japan Information Technology Services Industry Association(JISA) |
| 4 | 11820322 | Toshiba I.S. Corporation | Japan Information Technology Services Industry Association(JISA) |
| 5 | 22000458 | Toshiba Energy Systems & Solutions Corporation | Software Association of Japan(SAJ) |
| 6 | 14650015 | Toshiba Health Insurance Society | Medical Information System Development Center |
| 7 | 10780014 | Toshiba Automation Systems Service Co., Ltd. | Japan Information Processing Development Corporation(JIPDEC) |
| 8 | 11820014 | Toshiba Information Systems (Japan) Corporation | Japan Information Processing Development Corporation(JIPDEC) |
| 9 | 10824951 | Toshiba Data Corporation | Japan Information Processing Development Corporation(JIPDEC) |
| 10 | 11820144 | Toshiba Digital Engineering Corporation | Japan Information Technology Services Industry Association(JISA) |
| 11 | 11820136 | Toshiba Digital Solutions Corporation | Japan Information Technology Services Industry Association(JISA) |
| 12 | 10861314 | Toshiba Digital Marketing Initiative Corporation | Japan Information Processing Development Corporation(JIPDEC) |
| 13 | 10820088 | Toshiba TEC Solution Services Corporation | Japan Information Processing Development Corporation(JIPDEC) |
| 14 | 10862070 | Toshiba Business Expert Corporation | Japan Information Processing Development Corporation(JIPDEC) |
Response to Incidents Such as Leakage of Confidential Information
In the event of an information security incident such as the leakage of confidential information, Toshiba responds promptly in accordance with the Information Security Incident Reporting Structure.
When an employee becomes aware of an incident or potential incident involving the leakage of corporate information, the employee immediately reports to the CSIRT. In response, the CSIRT Leader devises necessary measures, such as an investigation into the cause and review of actions to prevent recurrence. In the event of a serious leakage or potential leakage of confidential information that may constitute a violation of laws and ordinances, Toshiba implements measures such as disclosure following discussion among the related corporate staff divisions in accordance with the applicable laws and ordinances.
Information Security Incident Reporting Structure
- Key Group companies and Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, and Toshiba Plant Systems & Services Corporation
Status of Incidents Such as Leakage of Confidential Information
In FY2024, there were no leaks of important information held by Toshiba Group.
There were also no personal data-related complaints or appeals filed by regulatory authorities or other external parties. We will continue to take every precaution to prevent incidents related to information security.
For details on information security management, please refer to our Cyber Security Report.
Strengthening privacy governance
Toshiba Group has formulated the "Toshiba Group Privacy Statement" as a declaration of its management stance on the use of privacy information across its data service businesses, towards promoting the trust of society and the realization of a trusted data society.
As digital transformation (DX) becomes a global trend, we are strengthening privacy governance at the same time as we seek to make full use of the power of data to create valuable products and services.
Toshiba Group positions respect for privacy as part of respect for human rights.
Sharing Security Policies with Suppliers and Business Partners
When selecting suppliers and business partners, we evaluate their ability to manage data appropriately. If contracts involve data sharing, we require specific information security management measures and conduct compliance audits as necessary.
We also hold regular cyber security seminars for our suppliers and business partners. We communicate the matters described in the Toshiba Group Cyber Security Policy and Guidelines and demand stronger security response capabilities. In addition, we have established a contact point for security-related consultations, and both Toshiba and our suppliers and business partners are working to improve their security levels.
These security and privacy policies are published externally as the Standards of Conduct for Toshiba Group and the Privacy Policy, and any changes are immediately posted on our website. When Toshiba Group rules and policies change, we provide explanations and notices within the Toshiba Group and update each company's rules and policies accordingly.
AI Governance
Toshiba Group formulated the Toshiba AI Governance Statement to promote the development, provision and use of trustworthy AI. The statement is based on Toshiba Group's management philosophy and summarizes the philosophy regarding AI from seven perspectives, which include “Respect for human dignity,” “Developing AI and cultivating talent,” and “Emphasis on fairness.” For example, “Emphasis on fairness” states “Respecting human rights, Toshiba will work to research, develop, provide and operate AI with consideration given to fairness to avoid unjustified discrimination.”
Toshiba Group is accelerating digital transformation (DX) and is promoting the resolution of various social issues by applying AI to infrastructure systems important to society. Based on the ideas in this statement, we will expand the range of human resources who can develop, provide, and operate AI, strengthen the creation of mechanisms to maintain the quality of AI systems, and proceed with the construction of Toshiba Group's AI governance.
AI Talent Development
Toshiba Group aims to achieve carbon neutrality and a circular economy through digitalization, and is working to increase the number of AI engineers necessary to promote DX.
For example, we launched the “Toshiba AI Engineer Training Program” in collaboration with the Graduate School of Information Science and Technology at the University of Tokyo in the first half of FY2019. We have trained around 500 highly skilled AI experts by holding training sessions for approximately 50 people each, twice a year.
In addition, in recognition of the importance of everyone involved in our business deepening their understanding of AI and working together, we are promoting AI literacy development and fostering a culture of AI utilization among all domestic employees of the Toshiba Group. The percentage of employees using AI in their daily work has reached 32%, exceeding the FY2024 target of 30%, and we are continuing to strengthen and develop AI experts. We have also set up programs based on employees’ knowledge and requirement levels, such as basic courses to provide AI knowledge, practical courses to perform hands-on training using AI tools, and courses specializing in deep learning, as part of our efforts to enhance in-house education. The Toshiba Group’s AI experts are active in various business fields, contributing to improving the environmental performance of products and services as well. For the details of the Toshiba Group’s initiatives regarding the development, provision, and operation of reliable AI systems, as well as the development of AI experts, please visit the “Toshiba AI” website (Toshiba AI Governance, AI Talent Development).

