Sustainability

Initiatives related to governance, anti-corruption and information management systems

PRONEXUS strives to continually revise and improve its business management structure from the perspective of effectiveness in order to enhance management efficiency and fulfill its management responsibilities in an appropriate and fair manner, with the aim of sustained growth and increasing corporate value over the medium to long term, based on the perspectives of its stakeholders including clients, shareholders, employees, local communities and capital market participants. In addition, given the nature of our business handling highly confidential information, we are promoting the strengthening of our compliance and information management systems as a top priority.

Initiatives related to corporate governance

Promotion and proper application of the PRONEXUS Corporate Governance Guidelines

PRONEXUS has established the PRONEXUS Corporate Governance Guidelines, which set out our corporate governance approach and framework for shareholders and other stakeholders, as well as a code of conduct for our officers and employees. The Company is promoting management following these guidelines with the aim of maximizing shareholder value and achieving enduring development and growth that is based on recognition by shareholders and clients. We are constantly striving to review and improve our management structure from the perspective of effectiveness, with the aim of implementing precise and efficient management that leads to increased corporate value and the appropriate and fair execution of management responsibilities.

In addition, we make every effort to disclose accurate management information in a timely manner, while strengthening our monitoring and checking functions, improving transparency, and ensuring compliance and risk management.

Revitalizing the Board of Directors and improving management oversight mainly through outside officers

In light of its fiduciary responsibility to shareholders, the Board of Directors deliberates and makes decisions on important matters related to the management of the Company, and supervises the Company’s business and overall management, with the aim of enhancing corporate value over the medium to long term.

The Board of Directors has an appropriately balanced composition as a whole with no more than ten members who have a deep understanding of the PRONEXUS Group’s business and diverse knowledge and expertise on finance and accounting, risk management, legal compliance and other related matters. PRONEXUS nominates candidates for outside officers who have a high level of insight and extensive experience in corporate management, finance and accounting, legal matters and other specialized areas and can appropriately convey their opinions from an objective standpoint, supervising the execution of duties by Directors and enhancing the activities of the Board of Directors through frank, active, and constructive opinions and proposals. In addition, PRONEXUS has adopted an executive officer system to separate the management decision-making function from business execution.

Directors and Audit & Supervisory Board Members

(As of October 1, 2024)

President and Representative Director: Takeshi Ueno
Directors and Managing Executive Officers: Hirofumi Morisada, Yuichi Shiotsu
Director and Executive Officer: Norio Ozawa
Outside Directors: Takatsugu Nagatsuma, Ken Shimizu, Ichiro Sakai, Emi Onozuka
Standing Audit & Supervisory Board Member: Akane Sase
Outside Audit & Supervisory Board Members: Osamu Sudo, Takuya Oshida, Yoshihiro Tsuda

As of October 1, 2024 there were eight directors including four outside directors. In addition, three of the four Audit & Supervisory Board members are outside Audit & Supervisory Board members to ensure that the Board of Directors is adequately monitored. There were a total of 35 executive officers, with three of these also serving concurrently as directors.

Risk management initiatives

Corporate management structure

PRONEXUS has a corporate management structure that allows for improved management efficiency and accurate, strategic management decisions, with the Board of Directors having the functions of making management decisions and managing and supervising the execution of duties by executive officers. As of October 1, 2024 there were eight directors and 35 executive officers, with three of these also serving concurrently as directors. Moreover, four of the eight directors are outside directors and three of the four Audit & Supervisory Board members are outside Audit & Supervisory Board members to ensure that the Board of Directors is adequately monitored.

Establishment and operation of a company-wide risk management system directly connected with management issues

In accordance with its Risk Management Rules, PRONEXUS finds, identifies and analyzes risk to be addressed in each department and investigates possible countermeasures, led by the General Affairs Department, the department overseeing risk management. With regard to information security, the Insider Information Security Committee examines and decides on the identification of risks and the implementation of preventive and corrective measures on a system level, based on activities related to the ISO 27001 (information security management system) certification that has been obtained for the entire Company. We are working to improve employees’ security awareness and strengthen our information management system through security education and training for all employees, on-site inspections of outsourcing partners from the perspective of information management, and other measures.

In addition, we have introduced a safety confirmation system to enable us to confirm the safety of our employees in the event of a natural disaster, and we conduct safety confirmation drills for all employees every year.

Initiatives related to anti-corruption and compliance

Anti-corruption

With regard to bribery, the Supplier Code of Ethical Conduct clearly states that we will not engage in any kind of bribery. In addition, we have established standards for approval and upper limits for cases where we entertain or give gifts to clients, outside manufacturers, suppliers, etc., and we have clearly stated these in the PRONEXUS Group Compliance Manual distributed to all Group employees to ensure that they are familiar with them. In addition, we have established internal regulations regarding entertainment and gifts, and ensure that everyone in the Company is familiar with them.

The PRONEXUS Group clearly states in its Supplier Code of Ethical Conduct that it prohibits all forms of bribery, extortion, and embezzlement. We also publish this information on our website to ensure that it is widely known.

In light of recent international trends and social demands regarding sustainable procurement, the PRONEXUS Group established a new Supplier Code of Ethical Conduct in February 2024 and endorsed the Declaration of Partnership Building. Through procurement based on the Supplier Code of Ethical Conduct, we will work to promote collaboration throughout the supply chain with consideration for legal compliance, information security, human rights and the environment.

In FY2024, there were no cases of anti-corruption and no internal disciplinary actions. To the best of our knowledge, there are no costs associated with fines, surcharges, or settlement payments related to corruption.

Internal reporting system

In order to facilitate the early detection and correction of misconduct by officers and employees, the PRONEXUS Group Corporate Ethics Hotline has been established as an external reporting contact, and the distribution of cards to employees and the display of posters in the office are being used to promote awareness and encourage use of the hotline. The Internal Reporting Regulations apply the Whistleblower Protection Act and designate employees who are engaged in work that is subject to whistleblowing. In order to protect informants, it specifies that disadvantageous treatment and searches are prohibited.

Compliance

Education

The PRONEXUS Group provides education on legal compliance and compliance education through e-learning for officers and employees twice a year. We also distribute the PRONEXUS Group Compliance Manual, which contains information on points to be observed in day-to-day operations, case studies and checkpoints, to all Group employees in an effort to raise awareness.

Internal reporting system

In order to facilitate early detection and correction, the PRONEXUS Group Corporate Ethics Hotline has been established as an external reporting contact, and the distribution of cards to employees and the display of posters in the office are being used to promote awareness and encourage use of the hotline. The Internal Reporting Regulations apply the Whistleblower Protection Act and designate employees who are engaged in work that is subject to whistleblowing. In order to protect informants, it specifies that disadvantageous treatment and searches are prohibited.

The PRONEXUS Group does not make illegal political contributions.
In fiscal 2024, there were no donations to political groups.

Risk and compliance management

The General Affairs Department, the Legal & Compliance Promotion Office, and the Quality Management and Business Reform Department oversee and promote PRONEXUS’s company-wide risk and compliance management. Furthermore, we hold regular training sessions twice a year for insider trading prevention education and compliance education, and also conduct comprehension tests via e-learning.

Continuous review and enhancement of systems to prevent insider trading, and thorough employee training

As a specialist company that supports corporate disclosure and IR, PRONEXUS is engaged in a wide range of measures to strengthen insider information security, from organizational and personnel systems to the establishment of dedicated areas and the establishment of information systems.

As an organization, the Insider Information Security Committee plays a central role in ensuring that rules for handling insider information and rules for preventing insider trading are thoroughly implemented.

Twice a year, we hold group training sessions on insider trading prevention for all Group employees, incorporating the latest case studies, and also conduct comprehension tests through e-learning, as well as training for new and mid-career employees. In addition, we repeatedly hold specialized training sessions five times a year for sales representatives and those in charge of handling insider information, who have frequent access to confidential information. We also conduct regular group training and on-site surveys for Group companies, partner companies, and subcontractors.

Our stock trading regulations completely prohibit trading of shares of listed companies by managers at the division head level and higher, sales staff, and those in charge of handling insider information, and a system of obtaining approval by applying in advance is in place for trading by other employees.

In addition, all employees are required to submit a written pledge each year to prevent insider trading.

We monitor compliance with these rules as appropriate, and are working to improve and strengthen them.

Creating a framework for the prevention and early detection of compliance risks

The Legal & Compliance Office is in charge of company-wide compliance risk management, and has established relevant regulations and a compliance manual based on the PRONEXUS Internal Control System Basic Policy. The compliance manual is updated regularly to incorporate case studies to address new topics such as corporate misconduct, the spread of social media, and work-style reforms to make it more practical.

In addition, a PRONEXUS Group Corporate Ethics Hotline has been set up to enable reporting on corporate ethics, and we are promoting awareness and encouraging employees to use it by distributing cards to employees and displaying posters in the office. We are also conducting surveys for all employees using external organizations to understand the current situation.

In terms of risk management of personal information, we have established a personal information protection policy and maintain and manage a personal information protection management system in order to handle personal information appropriately. We conduct on-site surveys of information management systems among outsourcers who are entrusted with particularly important personal information operations.

Initiatives related to information security, etc.

Continuous strengthening of information security structures and systems, including insider information management

Recognizing that our businesses have a social infrastructure aspect, we have established an information security policy and are strengthening our structures and systems to protect and safely handle confidential information, including insider information before disclosure by our clients. We are continuously working to enhance our communications infrastructure, hardware and software, and to improve management, in order to securely send, receive, process and store information.

To manage insider information, in addition to isolating work areas and separating file servers, we also limit access through ID management and regularly analyze and audit access records. We are also working to improve this through the development and operation of critical in-house systems. For example, the GENE-S.I.S. system, which integrates existing production management systems and enables centralized management of processes from order receipt to delivery, is helpful for increasing operational efficiency, and preventing errors and problems by sharing and visualizing information. At the same time, it also plays a major role in insider information management through “concealment” preventing unnecessary human intervention and information exposure by completing the handling of important and confidential information within a single system.

Meanwhile, to combat the threat of cyberattacks from outside, we are working to promptly implement all the requirements of the Cyber Security Management Checklist under the leadership of management, in accordance with the Cybersecurity Management Guidelines published by the Ministry of Economy, Trade and Industry in 2015. In addition, we evaluate the appropriateness of the threat response policy and risk management at the management level based on the threat analysis and reports received from the CISO*.

  • CISO: Chief Information Security Officer

Operating computer security incident response team (CSIRT) as a group to ensure cybersecurity

We have established CSIRT as a common organization for PRONEXUS and ASP Communications Co., Ltd. in order to understand the diversifying incidents and implement proactive security measures, and are working to enhance the security of the entire Group.

Main roles of CSIRT:

Detect events regarding computer security
Handle and manage security incidents
Investigate and analyze causes of infected computers
Understand and disseminate security-related information, etc.

  • CSIRT: The Computer Security Incident Response Team is a collective term for the organizations that monitor computers and networks for problems, and analyze the cause and investigate the scope of the impact when a problem occurs.

Providing a secure environment for working from home

As a response to working from home during the COVID-19 pandemic until now, and as an initiative for future work style reforms, we are providing all employees with remotely managed computers for working from home to create a secure environment for working from home that is unified across the Company. Work is carried out via VPN from a computer for working from home to the company LAN environment, and the computer for working from home cannot be used to take any company data out of the office. PRONEXUS does not allow employees to work from home using their own personal devices.

Thorough information security education for employees in response to changes in the external environment

We regularly conduct e-mail training for all employees to respond to the growing external threats such as targeted attacks, ransomware and DDoS attacks. The aim is to prevent attacks by quickly detecting danger by thoroughly taking action to notice and report suspicious e-mails.

Along with this, we hold regular information security education programs via e-learning twice a year.

In addition, we have established Security Guidelines to develop systems with security in mind from the system development stage, and we are promoting design and development in compliance with these rules as part of CSIRT operations.

Measures against malware

As measures against malware, which has been increasing in threat in recent years, we have introduced EDR products that detect, eliminate, and investigate suspicious behavior and traces on computers, and NDR products that detect abnormal communications on internal networks, as we build a security environment that is able to respond to zero-day attacks.

Security assessment of publicly available services

We have introduced security diagnostic tools, and carry out regular system security diagnostics and annual security diagnostics for all publicly available services. In addition, all publicly available systems are externally assessed by security assessment companies every two to three years.

CSIRT activities

CSIRT* is a specialist team spanning departments that responds to system security issues and incidents when they occur. It constantly inspects and monitors systems to prepare against information security incidents, and provides training and creates systems to enable quick action in the event of an incident.
Since 2019, we have been a member of the Nippon CSIRT Association and have been sharing information with CSIRT members from other companies. In addition, we hold monthly meetings for CSIRT members as part of our internal CSIRT activities. We invite outside experts to provide us with insights from a third-party perspective and information on security trends.

  • CSIRT: Computer Security Incident Response Team

Disaster prevention training for security incidents

As part of our CSIRT activities, we have established and documented procedures for responding to the occurrence of security incidents, and we conduct disaster prevention training six times a year based on the assumption that an incident has actually occurred. The results of implementing these are also reported regularly to the Company’s Security Committee.

Disaster prevention training for e-mail attacks

We regularly conduct disaster prevention training for all employees using e-mails that imitate attack patterns such as Emotet, and we continue to work to ensure that our employees remain vigilant against e-mail attacks.