Information Security Policy

ENEOS Group ("Group" hereinafter) implements necessary security measures based on its recognition that the maintenance of a high level of information security is an important topic of management. Accordingly, the Group has established the following Information Security Policy under which it strives to handle, manage, protect, and maintain information, including that related to business partners and subcontractors, appropriately.

1. Development of an information security management structure

To protect and appropriately manage all information assets it holds, the Group shall both secure sufficient resources, including budgeting and staffing, and develop a structure to enable the timely implementation of Information security measures.

2. Maintenance of internal rules

The Group shall maintain the rules necessary for the protection and appropriate management of information assets and ensure a thorough understanding within the Group of matters that should be complied with.

3. Appropriate Information security measures

To prevent incidents such as unauthorized access, damage, information leaks, and unauthorized alteration related to information assets, the Group shall ascertain Information security risks and implement necessary measures. In addition, it shall maintain the Incident Response and Recovery Team and establish the planning for timely response and recovery action.

4. Improving Information security literacy

The Group also shall implement periodic information security education to maintain and improve the Group's information management structure, together with publicizing and ensuring thorough awareness among all executives and employees concerning the necessity of information security and specific matters to be complied with.

5. Compliance with laws, regulations, etc.

The Group shall comply with laws, regulations, national guidelines, and other social norms regarding information security.

6. Continual improvements

The Group shall implement continual improvements to its information security management through periodic evaluation and review of the above efforts, as well as information sharing activities.

In March 2018, the Keidanren (Japan Business Federation) announced the Keidanren Declaration of Cyber Security Management, a declaration under which all members of the business community participate in promoting cybersecurity measures. The Group supports the intents of this declaration.