Information Security

We consider information security management to be one of our most important management issues given our expanding global operations and rising proportion of online sales and the growing risk of cyberattacks. With those considerations in mind, we have been strengthening and rigorously implementing information security-related initiatives across the Group. This page includes detailed descriptions of the information security-related initiatives and frameworks established by the Fast Retailing Group.

Information Security Initiatives

As a company that keeps the trust of all its customers, business partners, shareholders, regional societies and other stakeholders, we consider the safe use and protection of all Information Assets* to be our social duty and an area of utmost importance that all officers and employees must strive to uphold. We seek to ensure the appropriateness, effectiveness and efficiency of our business operations by strengthening and thoroughly implementing Information Security frameworks. We also apply our Group Information Security Basic Regulations which set out the fundamental rules that must be observed to maintain and improve corporate value and social credibility. We encourage broad awareness of this policy through training and our Information Security portal.

*Non-public information necessary to the business operations of the Fast Retailing Group that poses risk of damage to the Group if disclosed, leaked, lost or compromised.

	Content
1. General provisions	Basic rules that apply to all officers and employees regarding the use and protection of all Information Assets to ensure the appropriateness, effectiveness and efficiency of business operations through Information Security.
2. Organizational structure	Information Security-related organizations and responsibilities.
3. Duty of officers and employees	The fundamentals of maintenance and enhancement of Information Security and rules on the handling of all Information Assets.
4. Physical and technical measures	Physical and technical measures for protecting Information Assets, and rules for handling information devices
5. Vendor management	When outsourcing the handling of Personal Information or Highly Confidential Information, rules surrounding the selection of third parties, the forming of contracts, and the managing of vendors across all processes during and after the contract period.
6. Response to incidents	If an incident did occur, in addition to mounting a swift response under the direction of the Chief Security Officer (CSO), we would build any subsequent required response frameworks and detail our response strategy through appropriate reporting to relevant authorities and other measures.
7. Response to violations	Measures to be taken in the event of an officer or employee infringing any of the items determined in these basic rules or other relevant documents.

These basic regulations apply to all officers and employees regardless of whether they work in our head office or in our stores. The rules are reviewed and revised as necessary to reflect and account for any changes in circumstances surrounding recognized Information Security practices and industry standards, applicable legal requirements or any requirements relating to the operation of our business.

Information Security Framework

At Fast Retailing, the Chief Security Officer (CSO), who is appointed by the Company Chairman and President, strives to ensure robust information security throughout the Group in their capacity as the manager and executive officer with the highest authority and responsibility for information security. We have also established the Information Security Office (ISO) as a global organization that sits under the direct jurisdiction of the CSO and is tasked with strengthening and deepening information security frameworks and dealing with any information security-related incidents.

Fast Retailing works constantly to enhance the effectiveness of its systems by regularly sharing problems and discussing the best way to implement different measures in Board of Directors and Risk Management Committee meetings.

Our Board of Directors includes members with specialist IT and Information Security experience, so the Board is adept at discussing, making decisions and issuing instructions whenever necessary on policy direction and measures regarding Information Security-related risks and countermeasures. Our Risk Management Committee, which operates under the direct jurisdiction of the Board of Directors, is made up of internal and external directors and executives from relevant departments. The Committee determines Information Security risks and receives reports on Information Security initiatives and their implementation. It offers advice and counsel to the Board on future policy initiatives and the proposal and implementation of concrete Information Security measures.

In order to strengthen and deepen information security systems across the Fast Retailing Group, we have assigned dedicated personnel to each national and regional operation. To help maintain and improve departmental information security, we have appointed information security promotion officers to each individual department, who encourage attentive information security practices in conjunction with ISO.

Information Security Framework

• Precautionary Measures and Prompt Response to Incidents
Fast Retailing strives to prevent the occurrence of information security-related incidents. In the unlikely event that an incident does occur, the main response would be mounted by the ISO under the supervision of the CSO. The ISO would work together with the relevant departments (including the department where the incident occurred as well as IT, legal, customer service, and sales functions) to bring the incident swiftly under control, ensure business continuity, and restore trust, and to promptly formulate and implement measures to prevent a recurrence. If a serious incident were to occur, the incident would be immediately reported to senior management, including the Company Chairman and President, and swift decisions would be taken as a company and any necessary response implemented.

Strengthening Cyber Security Measures

Fast Retailing uses the latest digital technology and information technology to help us become a digital consumer retailing company with rapid and efficient clothes-making processes across all stages from planning through production, distribution and retail. With cyberattacks growing increasingly sophisticated and skillful, we have made the strengthening of our cybersecurity measures an important priority for the company. Under the supervision of the CSO, we implement preventative measures to reduce the threat to our digital and information technologies from cyberattacks during regular operations. We also have systems in place that monitor and detect cyberattacks 24/7/365. We continuously strive to improve cybersecurity measures by reviewing security considerations during the system design and development phase, and commissioning vulnerability diagnoses by third-party institutions. Once a new system is introduced, we monitor for fraudulent access and address any vulnerabilities. As a member of the Forum of Incident Response and Security Teams (FIRST), we also actively share and gather information on latest cybersecurity trends and countermeasures.

Information Security Training

Fast Retailing works continuously to strengthen training for employees, fostering a corporate culture that ensures the appropriate handling of Information Assets such as corporate confidential information and personal information.

• Training for Employees
We conduct annual e-learning Information Security training for officers and employees. We also conduct regular training sessions on how to handle phishing mails and heighten awareness of other threats to improve Information Security awareness. In addition, we hold Information Security training sessions at Group-wide meetings and individual department conferences, and offer targeted Information Security training for new head office and store employees, mid-career hires, newly-appointed store and company managers, and staff who have transferred to our head office operation.

• Practical Information Security Portal
Fast Retailing has provided a multilingual information security portal for its Group officers and employees, which can be used to check our information security rules and manuals at any time, read announcements on important information security issues, and access incident reports and responses. Fast Retailing has also compiled an Information Security Handbook that outlines the minimum security measures that must be observed. We try to promote deeper awareness by making the handbook available on the information security portal.

• Supply Chain Initiatives
We are working to strengthen information security measures not only within the Fast Retailing Group but across our entire supply chain. Before we commence any business transactions, we check the robustness of the information security systems at partner factories and other business partners and ascertain what procedures they have put in place to restore operations if an incident were to occur. We continue to conduct periodic audits and other security assessments after business transactions have started in order to reduce the risk of any leakage of information or potential suspension of business originating from a business partner.

Top of page