FUJIFILM Holdings

CSR activity report

Governance

Improve and maintain governance structures by further disseminating an open, fair and clear corporate culture.

Targets for FY2030 Major activities of FY2020 Self-
evalution
Aim for zero cases of misconduct and major legal violations by disseminating an open, fair and clear corporate culture
  • Revision of Corporate Governance Guidelines
  • Establishment of the Fujifilm Group AI Policy
  • Establishment of the Fujifilm Group Global Healthcare Code of Conduct and providing education to employees engaged in related businesses
  • Surveying all Group employees on understanding of Company policies and awareness of compliance
  • Strengthen consolidated management of compliance activities by operating companies FUJIFILM & FUJIFILM Business Innovation under an FH initiative and by execution of measures aimed at further improving compliance awareness among all employees.

  • Enhance deliberations by the Board of Directors and improve transparency of management decisionmaking.

Revision of Charter for Corporate Behavior and Code of Conduct

Covering SDGs, human rights, risk management and other issues in response to changes in the global situation

The Fujifilm Group believes a business corporation as an entity that provides value to society through its business activities and earns profits as fair compensation for its efforts. At the same time, we believe we must function as a member of society to contribute to sustainable development. In view of the ever-growing influence and importance of the role companies must fulfill in society, we introduced in 2017 the Sustainable Value Plan 2030 (SVP 2030) to meet the expectations of society. Furthermore, we have taken action in face of the changing demands of society and revised our Charter for Corporate Behavior and Code of Conduct in April 2019 to clarify how each employee should behave and act in business. The key is our declaration to “make an active contribution to resolving social issues through innovation.” It urges each and every employee to take on their assigned role in the face of many social issues and tackle innovative challenges with the aim of creating the sustainable society envisioned under SVP 2030. Additionally, it communicates to all employees that business activities must be conducted with “an open, fair and clear corporate culture” and explicitly states that compliance is the key to a company continuing to be needed and trusted by society.
To promote greater understanding of the Charter for Relationship between the Fujifilm Group Corporate Philosophy and Vision and the Charter for Corporate Behavior and Code of Conduct

Corporate Behavior and Code of Conduct, education programs will be implemented in a total of 24 languages so that they can reach all the employees in the Fujifilm Group worldwide.

Relationship between the Fujifilm Group Corporate Philosophy/Vision and the Charter for Corporate Behavior/Code of Conduct

Reinforcement of Governance

Improved audit capabilities through consolidation of audit organizations and introduction of advanced IT-based audit methods

In September 2017, FUJIFILM Holdings established its Global Audit Division, consolidating the existing audit organizations in each Group company, to create a system for the direct auditing of consolidated subsidiaries. This has led to the centralization of information at each company, swift reporting of action, effective utilization of auditing human resources scattered across the Group and other benefits that led to the auditing of all 300 companies in the Group in three years.

In addition, the Audit Planning Group was established to introduce new auditing methods utilizing IT. One such method is the e-mail forensics system, which is very often outsourced to external service providers in an emergency but not in a normal internal audit. At FUJIFILM Holdings, however, the original system was developed internally, utilizing our own AI and other internal systems. This led to analysis that combined more detailed internal data and produced greater accuracy, making it possible to detect problems and signs of wrongdoing as well as to save costs through internal development. The system has already been implemented at sites in other countries as well as in Japan, and we are going to expand its application in the future.

Disaster Prevention Training

Training conducted to raise disaster prevention awareness among all employees

Fujifilm implements various activities to raise disaster prevention awareness in each and every employee. In FY2018, the first e-learning program for disaster prevention was implemented for all employees. Each participant studies for approximately 15 minutes to solidify their knowledge of disaster prevention, including the “basic information of disaster” and “the importance of preparation at home” through their responses to a Q&A checklist. Additionally, stockpiles to prepare for an emergency are being offered for sale at corporate cooperative unions in the Group. They come in the form of “original sets” consisting of foodstuffs, drinking water and supplies needed in an emergency. The items were selected by employees who experienced the Great East Japan Earthquake and the Kumamoto Earthquake. Each set comes with a service notifying the purchaser of the expiration date of the set six months in advance.

We will continue disaster prevention activities, based on the conviction that the safety and security of the lives of employees and their families will lead to the company’s early recovery and business continuity in the event of a disaster.

Compliance and Risk Management

Fujifilm Group Compliance and Risk Management System
Fujifilm Group Compliance and Risk Management System

The Fujifilm Group appoints officers in charge of compliance and risk management at each of its business corporations and group companies, and implements a variety of measures to penetrate the spirit of an “open, fair and clear” corporate culture throughout the Group. Status on implementation of these measures is reported regularly from each organization to the ESG Committee of FUJIFILM Holdings, and from the ESG committee to the Board of Directors. The Board of Directors is responsible for supervising compliance and risk management for the entire Group. The Board also provides direction and advice on the report from the ESG Committee to assure the effectiveness of the processes.

In accordance with changes in social conditions and our business operations, the Fujifilm Group has revised its Charter for Corporate Behavior and Code of Conduct and has disseminated the changes made to its employees.

The employees who violate the Code of Conduct possibly become subject to disciplinary measures depending on the content of the violation.

In April 2019, revisions were made from more global perspectives , in response to changes in ways of thinking on corporate social responsibility in recent years. To ensure that our employees have an accurate understanding of the revision, the Charter and the Code of Conduct were translated into 23 languages and launched in 24 languages through the entire Group.

In the healthcare business, we recognize that higher ethical conduct and transparency and fair business activities are requested by society and the regulatory authorities in each country. In accordance with this situation, in July 2020 we established the Fujifilm Group Global Healthcare Code of Conduct that must be adhered to in promoting proper business activities.

To establish compliance awareness widely among its employees, the Fujifilm Group has been organizing annual training courses on the Fujifilm Charter for Corporate Behavior and Code of Conduct since fiscal 2019. At the same time, we ask all employees to declare to “understand and act in compliance” with the provisions in the Charter and the Code of Conduct.

Additionally, workplace discussions are held on a regular basis for employees in each workplace to discuss specific and familiar compliance and risk issues such as prevention of harassment and misconduct and make them think as their own issues.

Training is also conducted for specific job levels and functions to ensure that the necessary information is disseminated to the right persons at the right timing. M&A cases are increasing in the Fujifilm Group in recent years, requiring training at newly acquired subsidiaries. Due diligence is conducted on compliance, followed by prompt introduction and training in the Group’s Code of Conduct immediately after acquisition for penetration and understanding of the Group’s corporate philosophy.

Intended audience Category Objective
All employees Charter for Corporate Behavior and Code of Conduct and declaration of compliance (Global) Gaining a greater understanding of the Charter for Corporate Behavior and Code of Conduct
Declaration of understanding, complying with and behaving according to the Code of Conduct
Compliance in general (Prevention of misconduct, prevention of harassment, whistle-blowing, etc.) Application of the Charter for Corporate Behavior and Code of Conduct to concrete behavior in compliance
Information security Acquire a correct understanding of the information security rules and prevent leaks of confidential information
New employees(New executive officers,new managerial personnel, new general employees) Compliance and risk management in general Establish awareness of compliance and risk management pertaining to each employee's job level and function, to assure appropriate behavior.
Officers in charge of compliance/risk management at each organization Risk management in general Handling harassment inquiries and current topics on information security, etc. Promotion and guidance on compliance/risk management activities in each organization, in accordance with the groupwide policy.
Managerial personnel and general employees of organizations to be strengthened Program content focused on key points in preventing misconduct, workplace discussions, preventing harassment, etc. Education and training focused on key points to be strengthened in each organization, to ensure deeper knowledge and greater awareness and improvement
  • Training and declaration of compliance for the Charter for Corporate Behavior and the Code of Conduct was conducted for approximately 84,000 employees globally and 99% of the employees completed by the end of March, 2021.
  • Training on the Fujifilm Group Global Healthcare Code of Conduct established in July 2020 has been implemented for employees working in the Healthcare business both in Japan and other countries.
  • Training on compliance and risk management has been conducted for newly joined employees, new managers and new executive officers in their respective positions.
  • In October 2020, employees appointed to overseas positions received risk management training including case studies to prevent illegal fraud and conduct at their respective business locations.
  • With an introduction of the new internal system in November 2020, exhaustive training was conducted on the correct purchasing procedure and payment processing.
  • An e-learning training was conducted in December 2020 to ensure implementation of the information security rules.

The Fujifilm Group conducts regular awareness surveys to examine the degree of awareness of compliance and comprehension among employees and to review the effectiveness of the Code of Conduct. The survey results are reported to the Board of Directors, ESG Committee and top management at each company. At the same time, feedback is given to various organizations and all employees for training purposes and measures are implemented in each organization to maintain and upgrade compliance awareness and prevent violations.

  • Compliance awareness surveys (global): Conducted in alternate years
    Objective: Examine the level of dissemination of awareness and comprehension of compliance in general
  • Harassment awareness survey (Japan): Conducted in alternate years
    Objective: Examine the level of comprehension of harassment and current conditions

An anonymous compliance awareness survey was conducted globally in the October-December 2020 period for all the employees of the Fujifilm Group in Japan and other countries and the response rate was roughly 98%. Favorable results were confirmed, with more than 80% of employees understanding compliance and reporting its dissemination in their workplaces. The survey results were shared to both executive officers and employees, to improve compliance awareness and practice.

The Fujifilm Group has two separate whistle-blowing systems. One is to report directly to FUJIFILM Holdings from all Fujifilm Group employees across the world (available in 23 languages including Japanese and English), and the other enables employees to report to the system in each regional headquarter.

Employees are able to report violations of laws or the Code of Conduct, as well as suspicion of such acts, and to consult on compliance-related issues.

Reports and inquiries are being handled swiftly and properly at each system for prompt resolution of problems. If a probable violation of the Code of Conduct is identified, the compliance division investigates the issue. If a violation is confirmed, corrective actions are taken properly to prevent for further occurrence.

Anonymous reporting is possible under each whistleblowing system. Investigations are conducted with confidentiality and protection for the whistleblower, to prevent the retaliation as a result of their report. We promote the systems among all employees through posters and the intranet to ensure that they can make contact whenever necessary.

For external stakeholders, we provide “Contact regarding Sustainability” form on our official website to listen to the feedbacks on our sustainability activities including those related to human rights from the public at large, either anonymous or named. All complaints and suggestions are examined and handled appropriately after investigating the facts.

Whistle-blowing and consultation reports
  • Number of whistle-blowing reports and consultations in fiscal 2020: 270 (225 in Japan and 45 in overseas)
    Among the whistle-blowing reports and consultations received, issues related to human relationships, personnel and labor affairs and harassment accounted for 60% of the total, in which each case was handled each case appropriately. There have been no incidents that could lead to a serious situation for the Group.
  • In fiscal 2020, we did not experience any critical violation of Code of Conduct that we needed to make public.

Under the risk management regulations of Fujifilm Group, we identify issues for risk prevention and take action in the event of a risk incident.

To strengthen our risk prevention activities, especially in normal circumstances, we implement the following process every year on a global scale, covering all companies controlled by FUJIFILM Holdings, to identify the risks at each company and develop action plans to address them.

Risk Extraction and Process for Establishing an Action Plan
Priority risks in FY2020

Please refer to the Yuka Shoken Hokokusho (Securities Report) for risk issues not listed below.

Risk item Reason for selection Countermeasures

Information security

Rise in security risks for confidential data for growing areas such as regenerative medicine and an increase in services handling customer data

  • Improvements to internal rules and risk management systems
  • Comprehensive implementation of a range of compliance, information security and risk management training

Personal information protection

Importance of exhaustive protection against data leaks, which can lead to significant loss of credibility, because of the large number of businesses handling massive volumes of personal data

Natural disasters & infectious diseases

  • Spread of COVID-19
  • Water-related damage from typhoons and rainstorms

Compliance of healthcare business (Securing ethics and transparency)

In the healthcare business, higher ethical conduct and transparency are requested by the regulatory authorities
in each country. Meeting social requirements as well as compliance with laws and regulations are necessary.

Fraud and misconduct

Although incidents are on the decline, stronger governance and continuous training are necessary.

Harassment

Impact of a power harassment occurrence is growing as the Power Harassment Prevention Act (as commonly called) took effect on June 1, 2020, attracting great social interest.

Response to crisis

Any crisis that takes place in a Group company is handled by the Compliance and Risk Management promotion structure described in 2.2.3 and in accordance with the procedures set out in our risk management regulations. When found, it is reported to each business company and ESG Division of FUJIFILM Holdings, and at the same time addressed swiftly to prevent further propagation of the risk.

Each business company supervises the execution of recurrence prevention measures at the Group company in question and takes exhaustive action to prevent any recurrence through group-wide dissemination and application of the measures throughout the Group.

Serving as Secretariat, the ESG Division of FUJIFILM Holdings reports incidents received through our business companies to the ESG Committee and at the same time takes action to strengthen and promote risk management for the entire Group, based on the information received.

In the event of a serious incident, reports to the ESG Committee do not only include a summary of the incident, but also detailed information. We monitor the effectiveness of risk management in the Group through such information reports from the ESG Division to the Directors and Auditors in every quarter.

Status for FY2020

In fiscal 2020, no significant crisis cases including legal violations and fines in social economic areas that should be announced outside the company were confirmed.

In the Charter for Corporate Behavior and Code of Conduct, the Fujifilm Group has declared that we will refuse any involvement in corruption or in any dubious action that could cause suspicion of fraud with suppliers, business partners, public officials and government representatives. Also, each Group company implements the Corruption Prevention Regulations and conducts regular on-site audits in areas where the risk is deemed to be high.

The Corruption Prevention Regulations prohibit actions that are for inappropriate purposes or lacking in propriety by general social norms, involving provision, request or promise of monetary and other benefits. Both the Corruption Prevention Guidelines and the Regulations specify the procedure to make advanced application for the provision of benefits within a scope that is socially acceptable, to obtain approval and record the procedure, to conduct self audits at least once a year, to report the results of the self audit to the Secretariat of FUJIFILM Holdings and to report to the Secretariat if violations are found. These measures are implemented appropriately at each company.

Relationships with middlemen such as sales agents require advanced inspection prior to starting to trade, inclusion of corruption prevention stipulations in contracts and submission of reports once a year.

Status for FY2020
  • Self audits have been carried out by each Group company worldwide and no serious incidents were found. The results were reported to the Secretariat at FUJIFILM Holdings.
  • The Fujifilm Group never had a corruption or bribery, and we have never been investigated by administrative authorities concerning any corruption matters.

The Fujifilm Group is working hard to observe anti-trust laws and has developed manuals and guidebooks that provide basic knowledge of anti-trust laws, standards of conduct to be observed and important points to be noted. We maintain regular employee education systems, and have introduced annual self audits.

For compliance with Japan's subcontractor law (Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors), regular training sessions are organized for personnel responsible for order management at business divisions where subcontractor business volumes are large. At the same time, divisions are monitored for their state of compliance with the subcontractor law in response to inspections either by the Japan Fair Trade Commission or the Small and Medium Enterprise Agency.

Status for FY2020
  • Anti-trust Laws:
    Self audits were carried out at each Group company worldwide and no serious violations were found. Since 2008, we have not been subject to any penalties concerning antitrust/anti-competitive practice, nor are there any ongoing antitrust lawsuits.
  • Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors
    Internal inspections were carried out based on the written survey conducted by the regulatory authorities and no serious violations were found. The Fujifilm Group confirmed there have been no serious cases pointed out by administrative authorities concerning the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors.

The Fujifilm Group has created the Global Security Trade Control Policy, one of the basic policies commonly shared across the Fujifilm Group, and control our exports based on this policy. This is our means of preventing products and goods that could be converted into arms or be adapted for military use from being obtained by terrorists or nations that could threaten international security. We can therefore state that we contribute to maintaining international peace and safety not only by observing the related laws. The Fujifilm Group has established Regulations on Export Security Control based on its Export Security Control Policy for export control in compliance with laws and regulations by an export control organization chaired by the President.

We have prepared an e-learning program to train employees in the purpose and outline of export and import control to facilitate acquisition of the necessary knowledge.

Additionally, we hold briefings on revisions to laws and rules, concrete details on export and import control methods, etc., to foster greater understanding among employees.

For each division in Group companies, we conduct on-site audits in addition to annual written audits to check whether improvements are required.

Status for FY2020

We carried out written audits and on-site audits in fiscal 2020 and did not find any serious violations.
The Fujifilm Group never had a case pointed out by administrative authorities concerning export and import control.

Fujifilm Group Export Control Framework
Information Security
1. The environment surrounding information security and the importance of the risks

The environment surrounding information security is changing rapidly. Security risks are broadening, with advanced targeted cyberattacks requiring reinforcement of personal data protection in various countries and assurance of information security not only for a single company but for the entire supply chain. Recently, the value of the damage caused by cyberattacks is increasing rapidly both in Japan and other countries and is expected to grow in the future. The Fujifilm Group also faces growing opportunities for handling vital customer data in areas such as medical systems and IT solutions and services and recognizes that information security risks are a major management issue. The Group is committed to assuring safety and security for its customers and society through information security measures for its products and services.

2. Development of an information security management system
(1) Information Security Policy

The Fujifilm Group recognizes information security as one of the priority risk issues in management and has laid down its Information Security Policy as a group-wide action policy covering the following six items. All the employees share this Policy.

(2) Information security risk management system

The Fujifilm Group has implemented information security governance for the entire group, with information security management organization set up under the chief information security officer (CISO), who is the director in charge of the ESG Division.
Regarding groupwide information security strategies, decision-making on such issues is conducted by the ESG Committee, headed by the president of Fujifilm Holdings. Issues in this area are reported on a regular basis from the ESG Committee to the Board of Directors, who are responsible for supervision of compliance and risk management for the entire Group.

Measures adopted by the information security management organization are implemented in each organization under the initiative of the information security manager.

(3) Cybersecurity response system

The Fujifilm Group offers its products and services not only in Japan but also in various countries around the world and recognizes responding to cyberattacks as an important management issue requiring global action. For this purpose, the Group has formed FUJIFILM CERT, the Group's computer security incident response team (CSIRT) dealing with cyberattacks, to assure the safety of its products and services for customers and to maintain stability and business continuity.

FUJIFILM CERT coordinates and integrates the following four functions:

  • Response to cyber-incidents related to the business IT platform, such as malware infection of employees’ terminals
  • Improvements in security quality from design and development of products and services to their administration or management
  • Implementation of security measures to assure stable operation of its production infrastructure
  • Protection against cyberattacks of our online services for customers
(4) Employee training

The Fujifilm Group believes that each and every employee who handles information each day must acquire the necessary knowledge and a high level of awareness of security in handling personal information, to enable them to prevent incidents or violations in this area. For this reason, e-learning programs on personal information protection are being conducted every year for all employees.

Additionally, we conduct training on cyberattacks, including sophisticated persistent threats, by actually sending emails posing as phishing emails to employees. This suspicious email handling training, aimed at increasing sensitivity to security through the experience of receiving such emails, has been conducted every year since 2011.

3. Identifying information security risks and countermeasures
(1) Establishing an information security management system

The Fujifilm Group ensures a uniform global security level led by our regional headquarters in Japan, the US, Europe, Southeast Asia, and China, based on the group’s Information Security Guidelines and the Global Information Security Regulations, which complies with ISO/IEC 27001, the standards for an information security management system. The Information Security Guidelines define concrete security management methods that are globally applicable and each company manages their security accordingly. The guidelines include, for example, device encryption, mandating antivirus software installation, ID management and access control by building an authentication platform, and mandating installation of an email filtering system to prevent information leakage.

Structure of Information Security Rules at Fujifilm Group
(2) Information security PDCA cycle and other measures

The Fujifilm Group is involved in various information security activities following the PDCA process, which is compliant with ISO/IEC 27001. Based on the risk assessment and action plan developed each year, activities4 are planned in the areas shown below, with each organization acting under the leadership of the information security manager.

[1] Improved security quality of products
The Fujifilm Group has implemented a design and development process for better security quality throughout the product lifecycle from product planning, design and development to maintenance and operation. Specifically, we are implementing threat analysis, secure coding, response to supply chain vulnerabilities and regular vulnerability inspections before and after product release in the processes upstream of design and development, based on a policy of “security by design.”

[2] Response to vulnerabilities
The Fujifilm Group collects vulnerability data from JPCERT/CC and other external organizations and releases information as needed to relevant organizations in the Group. If there is information on a vulnerability that will have a significant impact, we hold a vulnerability response meeting for each vulnerability theme to decide on the response policy and solution.
If a vulnerability in one of our products is reported from an outside whistleblower, we disclose the vulnerability information and provide security patches, in accordance with the Information Security Early Warning Partnership Guideline and in coordination with IPA and JPCERT/CC.

[3] Response to internal frauds
The Fujifilm Group imposes strict restrictions on employees taking company information outside of the company, whether by online or offline methods. Especially, we are monitoring all online transfers of company information to individual email addresses or external cloud services. If any suspicious conduct is detected, we investigate the evidence where necessary.

[4] Cyber-training
To ensure a versatile and appropriate response in the event of an incident stemming from a cyberattack, the Fujifilm Group participates in joint annual cyber drills with NISC organized by the Nippon CSIRT Association. Cyber drills are also organized independently by FUJIFILM CERT to confirm response procedures and upgrade response skills.

4. Development of an emergency response system to address incidents
Development of an emergency response system to address incidents

* Urgent and important incidents are reported to the President and CISO immediately.

The Fujifilm Group has a report reception office to consolidate the receipt of incident reports, including information security incidents and cyberattacks. In the event of an incident, information is collected promptly in the groupwide security management division and measures are implemented to minimize the damage.

  • * From fiscal 2016 to 2020, no serious information security incidents were identified by any third parties or administrative authorities or assessed as requiring public disclosure.
Regarding our system failure resulting from a cyber-attack on the Group

On the night of June 1, 2021, we confirmed unauthorized external access to the server used by our subsidiary FUJIFILM Corporation, and we shut down all the servers, computers and the network that could be affected by the attack on June 2.
From June 4, we started to put the servers and computers that were confirmed to be safe back into operation, and resumed communications on the blocked network in steps.

By June 8, we had restored all the contact points for product and service inquiries, and by June 14 had restored normal operations, including receiving orders for our products.

This incident was investigated by the Total Risk Management Committee chaired by the President of FUJIFILM Corporation and a special task force that included external experts. Our investigation, which was completed before full restoration of services, showed no evidence of any information leakage from the server. We have already implemented countermeasures for this unauthorized access. We will continue to monitor and strengthen the information security of the entire Group.

5. Measures for supply chain security

The Fujifilm Group’s activities are organized acknowledging that the scope of management is not limited to its own companies but also the entire supply chain including business partners.

For further details, please read Information Security in cooperation with partner companies of the Information Security Report.

6. Closer communication with stakeholders and other relevant parties

To report on Fujifilm’s activities on information security and to win stakeholders’ trust for its business operations, the Fujifilm Group publishes an Information Security Report.

FUJIFILM CERT is a member of the Forum of Incident Response and Security Teams (FIRST), the international CSIRT community, and also of the Nippon CSIRT Association, the CSIRT community in Japan (as an administrative member). This contributes to greater security and safety in cyberspace through information exchange and coordination with other CSIRTs in Japan and other countries.

Privacy Protection
  1. Basic policy
    In the Fujifilm Group Code of Conduct, which sets out how employees in Japan and other countries should conduct themselves, we recognize the protection of personal data as an important human rights issue. We require each of our Group companies to establish personal information protection policies and privacy policies that include provisions shared by the entire Group. The entire Group maintains a personal data protection policy based on OECD’s eight basic principles on privacy.

    These policies are also being implemented at suppliers and contractors of the Fujifilm Group and cover the entire supply chain.
  2. Promotion structure
    Based on the Privacy Policy, the Fujifilm Group established the Personal Information Management Regulations to specify the methods of handling personal information. The General Manager of the ESG Division is appointed as the officer responsible for building and maintaining the personal information protection structure.

    The policies and targets related to the group-wide personal information protection are determined by the ESG Committee, chaired by the president of FUJIFILM Holdings, and its report is submitted to the Board of Directors regularly. The Board of Directors is responsible for monitoring group-wide compliance and risk management, including protection of personal information, as one of the priority issues. In this way, we ensure the effectiveness of the process. After the ESG Committee has determined policies concerning personal information protection, The ESG Division of FUJIFILM Holdings takes responsibility for overall management of such policy implementation and other privacy protection. The ESG Division’s tasks include dissemination of the policies and targets, implementation of such policies, inspecting the implementation and management status, promoting details of the Personal Information Management Regulations among employees, and providing instructions and advice to managers of organizations that handle personal information.

    Especially, as social awareness of personal information protection rises, we check our security measures in the processes of risk identification and action planning from the viewpoint of risk management. Our risk management structure spans the entire Group.

    Companies with ISMS certification are involved in personal information protection in combination with ISMS. Companies dealing with sensitive personal information have acquired the Privacy Mark. Both types of companies are making improvements based on the results of regular audits by external audit firms.
  3. Employee training
    The Fujifilm Group believes that each and every employee who handles information each day must acquire the necessary knowledge and a high level of awareness of security in handling personal information, to enable them to prevent incidents or violations in this area. For this reason, e-learning programs on personal information protection are being conducted every year for all employees.

    Additionally, we conduct training on cyberattacks, including sophisticated persistent threats, by actually sending emails posing as phishing emails to employees. This suspicious email handling training, aimed at increasing sensitivity to security through the experience of receiving such emails, has been conducted every year since 2011.
  4. Appropriate handling of personal information
    Under the Fujifilm Group Policy on Personal Information Protection and Privacy Policy, the Group has established internal regulations on the handling of personal information (such as personal information management regulations and various guidelines) to implement appropriate safety management measures and protect personal information held by the Group. Updates on its Personal Information Protection Policy and Privacy Policy are disclosed on the Fujifilm website, acquiring the appropriate consent of the person in question where required by law.

    Once a year, each business division conducts an inventory of the personal information held by the division, to confirm and correct safety control measures and to perform other procedures, such as the deletion of personal information that is no longer necessary. The inventory status is audited by the ESG Division in each organization. In the work regulations, punitive action is imposed on any employee who takes company information outside of the company without authorization. At the same time, near-miss cases, including those that have occurred in other companies, are shared as a caution and to raise awareness. We take various measures to prevent information taken out of the company to assure protection of personal information.

    When a government organization requests disclosure in compliance with the law, we confirm the details of the request and the applicable law in deciding the most appropriate way to protect personal information.
  5. Action on global compliance
    In face of the rapid development and review of personal information protection laws in various countries, as represented by EU’s General Data Protection Regulation, it is important to keep abreast of such developments and assure compliance.

    Although our regional headquarters and local subsidiaries are involved in the practical aspect of dealing with these developments, the ESG Division is also examining the development and review of the laws in various countries and confirming the activities of the various regional headquarters and local subsidiaries.
  6. Incidents and violations in personal information handling
    In fiscal 2020, there were no cases related to personal information handling were pointed out by any third parties or administrative authorities and assessed to require public disclosure.
Acquisition of P-Mark and ISMS at Fujifilm Group

As of February, 2021

Certification Certified affiliates
P-Mark*1

FUJIFILM Medical Co., Ltd. FUJIFILM Imaging Systems Co., Ltd. FUJIFILM Media Crest Co., Ltd.
FUJIFILM Techno Service Co., Ltd. FUJIFILM Imaging Protec Co., Ltd. FUJIFILM Business Innovation System Service Co., Ltd.

ISMS*2

FUJIFILM Imaging Systems Co., Ltd.
FUJIFILM Imaging Protec Co., Ltd.
FUJIFILM Medical Co., Ltd.
FUJIFILM Business Innovation
FUJIFILM Business Innovation Japan
FUJIFILM Manufacturing Co., Ltd.
FUJIFILM Printing Systems Co., Ltd.
FUJIFILM Software Co., Ltd.
FUJIFILM Recording Media Products Division
FUJIFILM Wako Pure Chemical Corporation
FUJIFILM System Service Co., Ltd.
FUJIFILM Service Link Co., Ltd.
FUJIFILM Service Creative Co., Ltd.

FUJIFILM Business Innovation overseas manufacturing companies (4 companies)
FUJIFILM Business Innovation Asia Pacific Pte Ltd
FUJIFILM Business Innovation overseas sales companies (13 companies)

  • *1 Privacy Mark (P-Mark): A mark granted by the Japan Information Processing Development Corporation (JIPDEC) to companies in which personal information is handled appropriately.
  • *2 ISMS: Certification regarding the overall management framework for information including personal information (Information Security Management System).
1. Basic policy

Natural disaster risks are rising and at the same time being aggravated by changes in the global environment, such as rises in sea levels and abnormal meteorological phenomena caused by climate change. In conducting its business activities on a global scale, the Fujifilm Group believes in its social responsibility to maintain a continuous supply of its products and services (business continuity) while at the same time assuring safety and protecting the lives of its employees in various regions. To minimize damage to business in the event of a natural disaster, we actively work to protect against and mitigate damage from natural disasters.

2. Organization in the event of natural disasters

Speed in collecting information is vital to minimize the damage caused by natural disasters. In dealing with such damage, we have created an organization that focuses on information collection.

(1) Emergency Management Team (EMT)

The Emergency Management Team (EMT) is organized by representatives of General Affairs, Human Resources, and other divisions that have the ability to implement countermeasures to natural disasters. The team collects information on disaster damage, as well as damage to the Group, and the EMT leader proposes the formation of a disaster control headquarters. Among the emergency measures at disaster control headquarters, discussions on how to respond are based on the information supplied by the EMT, so it is a vitally important organization.

(2) Disaster control headquarters

In the event of a large-scale natural disaster, the decision on whether to form a disaster control headquarters headed by the Fujifilm Holding President is based on information collected by EMT. If approved, the headquarters is established at head office. Through members of the disaster control headquarters, the action policy and countermeasures decided at the disaster control headquarters are communicated to the disaster control office in each business division, as well as the members of the disaster working unit appointed by each organization. In this way, the actions and countermeasures are implemented by the unit at each organization.

Disaster Information-Collection Organization
Disaster Information-Collection Organization
3. Summary of activities

We carry out projections of possible risks (and screening for disaster risks) for each business site in Japan and other countries. The Group is implementing measures, not only on an across-the-board, group-wide scale, but also those that are specific to the potential disaster risks at individual business sites.

(1) Reinforcement of preparatory action

The Fujifilm Group focuses on the following two important points.

[1] Assessment and greater visibility of disaster risks
Disaster risks for each business site are assessed, followed by preparation of a risk map based on the information.

[2] Study and preparation of countermeasures to address the assessed disaster risks

  • An “action manual” is produced by each production site, specifically for that site, to address each disaster risk made visible on the disaster risk map.
  • Regular drills on how to proceed in the event of an emergency are held based on the manual.

To improve the Group’s ability to address a wide-area disaster, the Fujifilm Group is adding and strengthening the measures to be taken when a natural disaster is anticipated. For torrential rain, we use information on rainstorms and river system water levels made available by the national and regional administrative authorities to strengthen preparatory measures in each region.
We also use the information to predict changes in river water levels and develop a groupwide system to issue alerts when the warning criteria are reached. Each business site customizes the system to its own particular conditions and employees to give an early warning of a potential disaster and allow countermeasures to be taken.

(2) Information collection on the outbreak of a disaster

To grasp an information such as employee and structural safety rapidly and properly, the Fujifilm Group has introduced various systems to assist in doing this.

[1] Employee safety check system
The system was introduced in 2009 that collects information and confirms the safety of all employees of the Fujifilm Group in Japan when a special alert is issued.

[2] Internal damage information collection system
To assess damage to business operations, an internal damage information collection system was introduced in 2014, followed by a disaster information mapping system in 2017. In 2019, the two systems were interlinked to create a scheme for real-time assessment on a digital map, which combines their respective data with information from the damage status reports from the Japan Meteorological Agency and the Ministry of Land, Infrastructure, Transport and Tourism, information on the status of railway operations from the various railway companies, information on electric power and water supply failures and other wide-area disaster data. All the information is shared rapidly among the members at the disaster control headquarters at head office on the outbreak of a disaster.

[3] Structural safety assessment system
A structural safety assessment system, which assesses the safety of structures at each business site in the event of a disaster, was introduced in 2017 and has been utilized for a first-round diagnosis of structural damage before allowing employees to return to the facilities.
In addition, an overseas risk management system was introduced in 2019 for business sites in the Americas, Europe, Southeast Asia and other regions to give a swift assessment of disaster damage and risks that are likely to impact business continuity. We use these systems to rapidly assess the risks and their potential impact on a global scale and is able to assist the relevant parties in taking prompt action.
For earthquakes, floods, wind damage and other leading disasters, the probability of occurrence is classified into levels. For business sites located in high-risk regions, action in this area is regarded as a priority issue, requiring development of appropriate measures and annual reviews of the progress made with implementation. We plan to strengthen our disaster protection system and enable wider sharing of the information collection process.

(3) Emergency drills and employee training

In recent years, the risks of potential disasters have grown in Japan, including Nankai megathrust earthquakes, a greater Tokyo earthquake, a Mount Fuji eruption, torrential rainstorms, flash floods and rises in sea level. we conduct drills that are designed to prepare for possible a Nankai Trough earthquake or a greater Tokyo earthquake, as well as an eruption of Mount Fuji. What kind of procedures will lead to the appropriate action, what initial procedure is required to enable other business sites to respond in the event of Tokyo head office being damaged and what is the best decision-making process that management should follow are all being studied.

Our employees are the most important factor for an early recovery when the company sustains damage. To minimize damage from a disaster, each and every employee must increase their understanding of disaster protection and the required preparations. We organized a disaster preparation e-learning program in May 2021 for employees in Japan in response to the frequent occurrence of large-scale natural disasters in Japan in recent years. The e-learning program is designed to assist employees in ensuring they have a basic knowledge of what to do in the event of a natural disaster, the importance of keeping themselves safe and the everyday preparations they can make for a possible disaster. Up to the middle of June, approximately 46,000 employees in Japan had followed the program.