Information Security

The Kansai Airports Group (the “Group”) handles a variety of information to operate airports that provide customers with a safe and comfortable experience. However, there is an increasing risk that this important information may be compromised due to threats such as unauthorized access to networks, natural disasters, and human error.
In light of these circumstances, the Group has established an information security policy aimed at protecting critical information assets from various threats. By implementing the necessary information security measures for the company’s information assets, the Group strives to ensure the safety of its management, gain the trust of society, and enhance customer satisfaction.

Information Security Basic Policy

1. Handling of Information Assets
   • We will define the method for managing information assets, designate the responsible person for managing them, and handle them appropriately.
2. Implementation of Information Security Measures
   • To protect information assets from threats, we implement security measures through personnel, physical, and technical measures.
3. Raising Awareness of Information Security
   • We will conduct regular training on information security for our employees and other personnel. In addition, employees and other personnel will endeavor to raise their own awareness of information security.
4. Compliance with Laws, Regulations, and the Information Security Policy
   • Employees and other personnel will comply with laws and guidelines related to information security, laws and regulations established by foreign countries, other related agreements, and the information security policy.
5. Response to Information Security Incidents
   • In the event of an information security incident, we will promptly take the necessary actions, analyze the causes and other relevant factors, and implement measures to prevent recurrence.
6. Evaluation and Review of the Information Security Policy
   • We will regularly evaluate and review the information security policy to ensure its effectiveness, taking into account changes in the environment surrounding information security and the status of compliance with the policy.

Information security within the Group is supervised by the CEOs, who act as the ultimate authority.

We have established a Group Information Security Committee to strengthen the organization-wide information security framework. The committee is chaired by the CEOs, with heads of various business units, including the audit department, participating as members. It deliberates on and approves information security-related policies and measures from a cross-organizational perspective.

We will assign an information security officer to each department and group company to promote security measures at the operational level.

We have established the “Information Security Secretariat” as a team to oversee and promote information security and the “KAP-CSIRT” as a team specializing in cybersecurity to smoothly prevent information security incidents.

The committee meets regularly to discuss and approve strategies to promote security measures across the Group and measures to prevent recurrence of information security incidents, aiming for continuous improvement and the establishment of a robust security framework.

We have established guidelines for the handling of information to ensure its proper management. Based on these guidelines, employees are responsible for appropriately classifying information and thoroughly managing and operating it according to each classification.

The Group’s cybersecurity efforts are primarily led by the KAP-CSIRT in the IT Division.

Major Initiatives

Vulnerability Management

• As part of our risk management efforts, we collect, evaluate, and analyze information on various threats and vulnerabilities to effectively address even high-risk events for the Group and mitigate them within an acceptable range. We also conduct regular assessments of the Group’s infrastructure and systems to identify any vulnerabilities.

Implementation, Monitoring, and Improvement of the Defense Infrastructure

• We monitor the Group’s infrastructure and systems for any suspicious activities, verify the effectiveness of measures, identify operational issues, and work on improvements.

We strengthen cooperation and collaboration with regulatory authorities, external stakeholders, and the Group’s related parties to promote coordination and knowledge sharing during emergencies.

The Group places strong emphasis on preventing information security incidents during normal operations. In the unlikely event that an incident does occur, we will respond promptly and appropriately in accordance with our incident response guidelines. Furthermore, under the Group’s crisis management framework, we will work to minimize damage and limit the scope of the impact.

The Group regularly conducts phishing email training for all employees, e-learning programs to help employees learn appropriate responses according to their respective positions, and cybersecurity drills based on specific cyberattack cases.

Major Initiatives

In recent years, cyberattack techniques, such as ransomware, phishing attacks, and DDoS attacks, have become increasingly sophisticated and complex. To prepare against such threats, the Group regularly conducts practical cybersecurity drills. These drills simulate realistic cyberattack scenarios and verify whether appropriate measures can be taken, such as properly assessing the situation, sharing information, activating a crisis management framework, and restoring operations related to airport management. Going forward, we will continue to conduct training and drills based on a variety of scenarios to prepare for all types of information security risks and to raise the awareness of all employees and strengthen their response capabilities.

The Kansai Airports Group places the enhancement of information security at the core of its corporate activities and considers the provision of safe and secure services to customers and stakeholders who use the airports as its top priority and responsibility. As cyberattacks become more sophisticated and complex and information security risks increase, the Group is committed not only to implementing technical measures but also to raising the security awareness of every employee, thereby reinforcing the organization-wide security framework. We will continue our efforts to strengthen our framework so that we can flexibly and swiftly address any and all threats and risks through our information security initiatives.