Lawson Information Security Policy

Lawson, Inc. (hereafter, the “Company”) handles important information assets such as various trade secrets and personal information when conducting the Company’s business. These information assets are appropriately protected from all accidental or deliberate threats arising both within and outside the Company, and an Information Security Policy is established as follows with the aim of providing services to customers and operating our business in a continuous and reliable manner.

1. Basic principle

This Information Security Policy (hereafter, this “Policy”) stipulates the basic policy for information security management at the Company, and all measures concerning information security are implemented in accordance with this Policy. Personnel who handle information assets are aware of the importance of information security and are required to comply with this Policy. In addition, matters concerning the implementation of this Policy are stipulated separately in documentation such as internal regulations.

2. Applicable scope

This Policy applies to all information assets handled as part of the Company’s operations and the equipment used to protect the information assets. It also applies to all personnel who handle the information assets (such as company directors and employees, franchise stores and crew members, temporary staff members and subcontractors). Information assets refers to all information handled by the Company, including trade secrets and personal information. Information assets are not just information from within the Company; they also include information obtained from outside the Company, such as from customers and suppliers. This information can be in the form of electronic records stored on devices such as a computer, or printed on paper forms and media such as documented information.

3. Basic policy

3.1 Protection of information assets

The Company takes measures to prevent unauthorized use of information assets, such as illegal access and insider trading, as well as their disclosure, loss, destruction and tampering, with regard to their collection, use and provision, based on the unique characteristics of each information asset.

3.2 Classification and management of information assets

  • Taking into account the importance of information security for information assets held by the Company, these assets are classified into four categories, which are customer information, franchise store & owner information, supplier information and internal information.
  • The Company establishes an administrator for each information asset and creates appropriate information security countermeasures. The Company also manages information security at third parties such as subcontractors to ensure the necessary countermeasures are being implemented.
  • The Company only uses information assets as part of its business operations, not for personal activities. Furthermore, these assets are protected in accordance with this Policy and related internal regulations.
  • If an accident relating to these assets occurs, the Company will investigate its cause to minimize any damage. The Company will also take appropriate measures to prevent such accidents and prevent any recurrence.

3.3 Management of access rights

The Company manages information assets to ensure that only personnel who have a legitimate business need to handle such assets can access the information. The Company takes measures to eliminate any risk of information assets being accessed illegally and without permission, while applying appropriate controls such as limiting access to such assets and keeping access logs for them.

3.4 Physical security protection measures

The Company provides appropriate protection for offices and their equipment, facilities and equipment where information assets are handled, and network devices as well as other equipment to ensure that information assets are not exposed to risks such as illegal access, disclosure, destruction or tampering.

3.5 Legal compliance

The Company identifies applicable laws such as the Act on the Protection of Personal Information and Unfair Competition Prevention Act to comply with legal requirements when handling information assets.

3.6 Response to information security incidents and accidents

The Company strives to prevent accidents and to establish response procedures and systems for the event of their occurrence. It works hard to coordinate countermeasures so that business activities can continue, while taking appropriate action immediately when an information security incident or accident occurs to minimize the damage and prevent recurrence.

3.7 Disciplinary action

The Company will take a firm stance, such as disciplinary action and legal action, against wrongful acts both within and outside the Company that threaten information security.

4. Promotion system

The Company has set up personnel in charge of assessing and responding to information security risks in each department and company under the supervision of the Chief Compliance and Risk Officer (CRO). The Company also provides supervisory management for systems that establish, operate and manage information security across the entire company through a supervisory committee based on support from departments that supervise risk management and departments that are primarily responsible for system security.

  • Supervisory manager: CRO
  • Supervisory committee: Information Security Management Committee

5. Training

The Company implements appropriate training concerning information security countermeasures for company directors, employees and franchise stores.
Temporary staff members and subcontractors are required to undergo thorough training as part of their contract.

6. Continuous improvement

The Company evaluates and reviews the establishment, operation and management of information security, regularly or whenever necessary, by means such as inspections and audits, to achieve continuous improvement.

Created: January 1, 2004 (as internal regulations)

Revised: March 1, 2024