Policy and Basic Approach
Information security
Sanrio conducts business activities by utilizing customer information, business partner information, information created by the Company itself, and other information. We recognize that it is our responsibility as a business enterprise to protect this information and the information systems that handle it from various threats so that our customers can use our products and services with peace of mind.
Protection of personal information
Sanrio enforces the Sanrio Group Personal Protection Policy and strives to ensure the appropriate handling of personal information. Overseas Group companies comply with local privacy laws; in the European Union, policies and enforcement systems have been established based on the EU General Data Protection Regulation (GDPR), and in the United States, a personal information handling policy and enforcement system have been established based on the California Consumer Privacy Act (CCPA).
We have also established a system to check and comply with the laws and regulations of each region in our digital business. After confirming matters to address with a law firm, an external third-party organization checks the operating system and system configuration at the company and its outsource partners. Information security measures are reinforced through compliance with laws in Japan and the local overseas regions.
Structure and governance
Information security system
Sanrio has established rules on information management and on information security. The managing executive officer of the Corporate Management Division serves as the general manager and the DX Department in the Corporate Strategy Division serves as the control department in charge of information security for the entire company. Each internal department also designates a promoter and a person in charge to implement measures based on the annual plan that has been formulated. We also assess company-wide risk-response and implement correction measures.
Main initiatives
Information security initiatives
To ensure that information security measures are thoroughly implemented, Sanrio requires employees to take e-learning courses multiple times annually and offers voluntary information security training sessions three times a year. In addition, targeted attack e-mail tests are conducted several times annually. A security assessment of the Sanrio Group was conducted by an external security firm in FY3/2025. We are planning to formulate a global security policy based on those results. The quality of security is also maintained by conducting audits at appropriate times using a reliable third party. We will continue to implement these initial efforts at the Head Office and affiliates, including global affiliates.
Strengthening the information security system
In FY3/2025, Sanrio introduced a system to perform integrated correlation analysis on the log of each piece of equipment in the network system. An agreement for monitoring the system 24 hours a day, 365 days a year was also concluded with an external security firm.
We plan to upgrade the security software on all PCs and all servers, and place them under monitoring by the external security firm in FY3/2026.
Labeling system operation
In April 2025, we began operating an information labeling system that evaluates the importance and confidentiality of each file. We also introduced cloud lift services for information storage at the same time, and this will raise the security level of information management from the perspective of BCP.