SHIONOGI Group Information Security Policy
1. Purpose
SHIONOGI Group (hereinafter "SHIONOGI") recognizes information—one of the four principal management resources (along with human resources, products, and capital)—to be a critical asset (hereinafter "information assets") essential for fulfilling its mission as "a healthcare provider" delivering new value to society.
Moreover, SHIONOGI places a high priority on strengthening information security, ensuring the confidentiality, integrity, and availability of its information assets while maintaining the trust of its stakeholders.
SHIONOGI establishes this policy to outline its fundamental approach to information security, ensuring the protection of its information assets and the effective addressing of security risks.
2. Scope of Application
This policy applies to all executives and employees working for SHIONOGI (hereinafter "Personnel"). Furthermore, SHIONOGI requires external business partners handling its information assets, such as contractors and suppliers, to adhere to this policy.
For the purposes of this policy, information assets encompass any information that creates value for SHIONOGI and its stakeholders, including confidential information, personal information, data, and documents, regardless of the medium. It also includes information entrusted to SHIONOGI by stakeholders, which SHIONOGI is responsible for protecting.
3. Responsibilities
All Personnel have a responsibility to ensure information security and must act accordingly.
The management recognizes the critical importance of information security and is committed to providing the necessary resources and guidance.
4. Information Security Objective
The objectives of SHIONOGI's information security activities are as follows:
- Protect information assets critical to the development and reliable supply of our pharmaceuticals and the delivery of healthcare value from unauthorized disclosure, alteration, or loss, while ensuring their appropriate use.
- Balance the public's right to access vital health information with the proactive sharing of data to address societal challenges, such as advancing public health, while strictly adhering to ELSI (Ethical, Legal and Social Issues) principles, applicable regulations, and confidentiality obligations.
- Ensure full compliance with all applicable laws, regulations, and contractual requirements.
- Mitigate risks associated with cyberattacks and other information security incidents.
- Ensure a swift and effective response in the event of an incident, and maintain business continuity.
5. Establishment of Information Security Management Structure and its Governing Documents
SHIONOGI establishes a governance structure to implement information security in accordance with this policy. SHIONOGI also maintains and improves information security through the establishment of internal governing documents based on this policy, and their subsequent implementation, monitoring, and evaluation.
6. Implementation of Information Security Risk Management and Measures
SHIONOGI assesses information security risks and implements appropriate organizational, human, physical, and technical measures to address the identified risks.
7. Implementation of Information Security Education
SHIONOGI provides all Personnel with both onboarding training and continuous education to ensure they understand the importance of information security and take appropriate actions.
8. Implementation of Business Partner Management
SHIONOGI requires its business partners, such as contractors and suppliers handling SHIONOGI’s information assets, to maintain an appropriate information security level, while also assessing their compliance.
9. Audit and Improvement
SHIONOGI periodically conducts information security audits and continuously strengthens its security measures in response to the evolving threat landscape and changes in its business.
10. Incident Response
SHIONOGI establishes an incident response structure to ensure a prompt and appropriate response to any information security incident and to maintain business continuity. In the event of an incident, SHIONOGI thoroughly investigates the root cause and implements corrective actions to prevent recurrence.
All Personnel must immediately report any potential information security incident in accordance with the relevant internal governing documents.
11. Compliance
SHIONOGI is committed to full compliance with all applicable laws, regulations, and ethical standards.
All Personnel must comply with this policy and internal governing documents. Any violation will be subject to disciplinary action, in accordance with SHIONOGI's established procedures.
Established on April 1, 2026