Information Security

Basic Approach

In recent years, cyber attacks on the Internet have become more sophisticated on a global scale, and threats such as cyber terrorism using computer viruses, large-scale information leaks, and business email fraud are increasing.
As a corporate group responsible for the vital infrastructure of air transportation, our company has built an information security management system based on the ANA Group Information Security Management Rules Manual and we are routinely improving information system functions and taking security measures through multilayered defenses. ANA Systems Co., Ltd., which handles security measures for ANA Group systems, has obtained ISO 27001 certification.

Declaration of Information Security

ANA Holdings Inc. (hereafter "ANAHD") and companies which are linked with ANAHD through ANA Group management rules (hereafter "ANA Group") are fully aware of the importance of protecting information assets, including the personal information of customers. Therefore, ANAHD and ANA Group take the following measures to ensure compliance with relevant regulations and technical standards, handle such information assets accurately, safely, and appropriately according to the risks involved, and prove to be worthy of stakeholders' trust.

  1. ANA Group strives to ensure the confidentiality, integrity, and availability of the information assets in its possession.
  2. ANA Group will not disclose any information assets unless there are reasonable requirements to do so (requested by law, etc.).
  3. ANA Group establishes a special organization that addresses improvement of information security for the purpose of protection of information asset, provides as manual the measures to ensure information security and always makes efforts for maintenance and improvement of information security by means education, evaluation of effectiveness and audit of status of compliance.
  4. If any ANA Group executive or employee commits any act which impairs the confidentiality, integrity, and availability of any information asset, ANA Group will respond to such cases strictly according to established procedures.

Promotion System

The Group ESG Management Promotion Committee formulates and implements basic measures in accordance with the fundamental policy decided by the Board of Directors and the ANA Group Information Security Declaration, which states the ANA Group's basic stance on information security.
Each ANA department and Group company strives to ensure information security by having in place an ESG Promotion Leader (EPL) to actively promote it and an ESG Promotion Officer (EPO) to oversee its promotion.

Personal information is essential for providing ANA Group services, and we consider it an important asset entrusted to us from our customers. In the event of an incident involving information security, such as the data breach of personal information, it is reported to the Group General Affairs Department through the ESG Promotion Leader of the department in charge. In the event of a serious incident, we will promptly establish a crisis response system as stipulated in the Crisis Management Manual and respond to emergencies in cooperation with related parties inside and outside the company. We established a Cyber Security Incident Response Team, a specialized team to respond to security issues, to ensure a timely response in the event of an incident.

Major Initiatives

Personal Information Protection

In recent years, a number of laws and regulations concerning personal information and privacy have been enacted both in Japan and overseas. To date, our company has revised its privacy policy and related internal regulations in order to ensure compliance with Europe's General Data Protection Regulation (GDPR), China's Cybersecurity Act (CCSL) and Personal Information Protection Law (PIPL), the Californian Consumer Privacy Act (CCPA), Japan's revised Personal Information Protection Act, and Thailand's Personal Data Protection Act (PDPA). We are also strengthening our efforts to appropriately handle the personal information of customers, shareholder, business partners, and employees by educating them on these laws and related internal regulations.

Cybersecurity Measures

The ANA Group is designated as a critical infrastructure provider in Japan by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). We implement a multi-level defense in accordance with the guidelines formulated by related ministries. We monitor our security system 24 hours a day, 365 days a year. The ANA Group trains security specialist human resources, and we have established the Computer Security Incident Response Team (CSIRT) to ensure swift action in response to any incidents. Cybersecurity intelligence is most effective when providing early alerts to counter cyberattacks. Therefore, we participate in information sharing organizations, such as the Aviation Information Sharing and Analysis Center (A-ISAC), which consists of airline, aircraft manufacturer, and other members. We also participate in the Surface Transportation Information Sharing and Analysis Center (ST-ISAC). In these ways, we acquire information from internal and external industry sources as early as possible for use in taking preventive measures. We are working on response measures, under the premise that cybersecurity incidents are inevitable. At the same time, we are adopting a Zero-Trust approach based on a conventional security measure TRUST (i.e., communication with trusted people and objects based on authentication and process reliability checks). We use this approach as we simultaneously pursue DX in ANA Group services and products, such as Mobility as a Service (MaaS) and the ANA Super App. In addition, we intend to work even more closely with relevant ministries and agencies, economic organizations such as Keidanren, and private security organizations such as ISAC; to improve security between supply chains in today's society, which is connected across all manner of business industries and sectors.

Development of Specialized Human Resources

In addition to training security experts in cooperation with external organizations and actively sharing information with other companies to improve our knowledge, we also conduct drills to quickly establish an initial response system in event of a problem and to minimize its impact by taking countermeasures in cooperation with each department.

Implementation of Education

In order to understand the importance of information security, including the protection of personal information, and the threat of cyber attacks, and to ensure that actions are taken to protect information assets, we have established a permanent e-learning system for Group employees and regularly provide them with knowledge that incorporates the latest examples.

Implementation of Information Security Risk Assessment

The ANA Group periodically conducts information security risk assessments at its domestic and overseas business sites by a team of specialists, and checks the status of information asset management from the perspective of a third party to identify and improve issues. In addition, we have established a self-inspection system that annually reviews the status of compliance with the regulations and are working to improve information security at each organization.