Basic Policy on Information Security

Simplex Holdings, Inc. (the “Company”) establishes this Basic Policy on Information Security (this “Policy”) to implement risk management in response to customer and public confidence by appropriately protecting all information assets handled by the Company (handling of personal information is established in the Personal Information Protection Policy).

When applying this Policy, the Company aims to guarantee information security with regard to information assets from the point of view of confidentiality, completeness, and availability.

1.Implementation of security management measures

(1)Implementation of organizational security management measures

The Company maintains, and appropriately manages, an organizational structure to take security management measures, measures to confirm the situation regarding the handling of information assets, and an organizational structure to respond to leaks, etc. of information assets.

(2)Implementation of personnel security management measures

The Company supervises workers appropriately, regularly carries out education and training on information security, and consistently handles information assets in a suitable manner.

(3)Implementation of physical security management measures

The Company prevents the theft and leak of information assets by designating zones for handling information assets and managing information assets, and takes necessary measures such as deletion of assets after they are used.

(4)Implementation of technical security management measures

The Company consistently prevents the theft and leak of information assets with the aim of preventing unauthorized access from outside the Company by restricting access rights to information assets to the necessary and appropriate extent, controlling access, and identifying and authorizing any person with access rights.

2.Outsourced management

If outsourcing the handling of information assets to an external organization, the Company will make efforts to guarantee the same level of information security for the outsourced services as that provided at the Company. The Company will also establish evaluation standards and evaluate the subcontractor and take measures in accordance with the results of such evaluations.

3.Business continuity

The Company will establish a business continuity system, protect information assets from system failure or disasters, and take the necessary measures to promptly recommence business activities so that the Company’s business activities are not suspended for a long period.

4.Analysis, evaluation, assessment, and improvement

The Company will assess the risk for information assets from the point of view of confidentiality, completeness, and availability, regularly implement risk assessments based on the current management status against threats and/or vulnerabilities, and take appropriate measures based on those risk assessments.

The Company also regularly assesses and reviews the maintenance and operation of company rules, etc. and management systems, and aims to continually improve in order to maintain and enhance confidence in and security of information assets.

5.Compliance

The Company complies with laws and regulations, standards, public guidelines, company rules, and agreements related to information security.

Page Top