Corporate Governance Structure and Initiatives | Information security initiatives

Amid an epidemic of corporate misconduct in Japan and overseas, shareholders and investors have made the effective functioning of internal controls a key issue. In this section, Capcom explains the corporate governance structure and systems it has put in place so far, based on the key concepts of “effectiveness and visibility,” in light of the results of third-party assessment.
(Assessment areas are highlighted in yellow.)

  • Capcom Corporate Governance Guidelines (June 21, 2023)

  • Corporate Governance Report (December 14, 2023)

Initiatives for reinforcement of information security

As our main business is planning and developing software and we operate in an environment in which the latest information technology is always used, we believe that our information security risks are greater than those of companies in general. For that reason, we have had perimeter*1 security measures in place for some time, and we had begun working on introducing defensive measures such as SOC*2 services and EDR*3; however, in 2020 a third party was able to gain unauthorized access to our systems. Because of this incident, we have implemented various security reinforcement measures to prevent recurrence, in addition to our perimeter security measures. These include the establishment of the Information Technology Security Oversight Committee, which includes several external experts, and the introduction of SOC services for around-the-clock monitoring of external connections and EDR for early detection of unusual activity taking place on devices.

*1 Security measures that include placing a firewall at the perimeter between external networks and internal networks.

*2 Acronym for Security Operation Center. A SOC service is a system that monitors systems and networks around-the-clock, and supports the detection, analysis and handling of attacks.

*3 Acronym for Endpoint Detection and Response. A system that introduces software to detect unusual activity on devices such as the PCs and servers utilized by end-users and supports quick responses to issues.

Main Measures

Technical Measures
  1. A leading software company cleaned all compromised devices
  2. Reverified the safety of all VPN devices and confirmed that security measures are in place
  3. Introduced a SOC (Security Operation Center) service to monitor external connections around the clock
  4. Introduced the latest EDR (Endpoint Detection and Response) to provide early detection of unusual activity and computer virus infection on devices
  5. Reviewed business accounts
  6. Made further improvements to administrative methods, such as long-term retention of logs so that incidents involving VPN devices and other equipment can be addressed swiftly
Organizational Measures
  1. Launched the Information Technology Security Oversight Committee in late January 2021 in order to receive recommendations on a continuous basis from external experts based on the latest trends, with the aim of obtaining external checks and swiftly accumulating know-how on strengthening cyber security (including data protection for securing personal information, etc.). There are four external Committee members: two university professors who are cyber security experts, one lawyer who is an expert on both cyber security and the Act on the Protection of Personal Information, and one certified public accountant who is an IT system audit specialist. Internally, one director and three technicians who oversee security and networks participate. The Committee plans to continue holding regular meetings to strengthen protection standards.
  2. Established the Information Technology Surveillance Section in December 2020, a new section directly under the Information Technology Security Oversight Committee, which gathers information on cyber security and builds knowledge of preventative measures in order to make recommendations.
  3. Strengthened the system for regular verification, including the adoption of tools, in the management of business accounts.
  4. Constructed a system to further raise awareness of security and the management of personal information across the Group as a whole.