Business Continuity Planning (BCP)

The MEDIPAL Group anticipates a range of risks, and has drafted an effective business continuity plan (BCP) adapted to business characteristics that allows us to provide a steady supply of products, not only in normal times but also in the event of pandemics or large-scale natural disasters such as earthquakes. This enables the Group to fulfill its role as a company responsible for social infrastructure.

The MEDIPAL Group has created a Disaster Response Manual (for Natural Disasters) that contains details of anticipated disaster damage, preparatory measures, operations in the event of a natural disaster, emergency organization structures, and the like. In the event of an earthquake with a seismic intensity of lower 6 or above on the Japanese scale, the general manager of the Group's Disaster Countermeasures Headquarters will decide whether the Disaster Countermeasures Headquarters needs to be established based on reports from the secretariat chief on incurred or imminent damage and with reference to the manual.
This headquarters rapidly confirms the safety of Group company employees and their families in the affected areas; the status of buildings, systems, and the like; the state of lifelines; and the situation with product supply systems. It also leads a range of response activities aimed at business continuity.
When there is an outbreak or spread of an infectious disease, a secretariat for the Disaster Countermeasures Headquarters is established based on the Disaster Response Manual (for Infectious Diseases) and information on the disease is gathered from the World Health Organization (WHO) and Japanese government agencies. Once the outbreak occurs in Japan and is expected to spread, the general manager of the Group's Disaster Countermeasures Headquarters will decide whether the Disaster Countermeasures Headquarters needs to be established based on reports from the secretariat chief.
To maintain a stable supply of pharmaceuticals and other products while ensuring the safety of customers and employees, the headquarters collects and centrally manages information on government policies and local conditions, and quickly and flexibly implements countermeasures against various anticipated situations.

Disaster Countermeasures Headquarters Established by MEDICEO CORPORATION for the case of Great East Japan Earthquake

A backup system has been established to enable coordination with other centers to take over distribution in the event that the one center is rendered incapable of supply due to a large-scale natural disaster, etc.

The MEDIPAL Group has gained experience in previous major natural disasters, including the Great Hanshin-Awaji Earthquake, the Great East Japan Earthquake and the Kumamoto earthquakes, and has undertaken many initiatives to ensure stable supply when disaster strikes. Because Japan is a land of natural disasters, MEDIPAL must make full preparations for dealing with a wide range of disaster scenarios.

We are working to ensure all our major locations, beginning with our distribution centers and other buildings, are earthquake resistant with seismic isolation structures in order to prevent products from falling from shelves and becoming damaged during disasters, and to prevent our distribution facilities from becoming inoperative.

MEDIPAL's principal business locations, including the Head Office and distribution centers, are equipped with in-house electric power generators.

Based on our experience during times when gasoline was in short supply due to disasters, MEDIPAL's principal distribution centers are equipped with their own fuel supplies.

To prepare for times when public transportation and transportation networks are disrupted, motorcycles are kept in readiness at distribution centers and other locations. When roads to some areas are impassable for larger vehicles, motorcycles prove to be an important means of delivering pharmaceuticals.
In addition, to deal with traffic restrictions in the event of a large-scale disaster, we have completed advance registration of emergency vehicles to allow their passage under the Disaster Countermeasures Basic Act.

As part of preparations for a major disaster, the MEDIPAL Group has signed pharmaceutical supply contracts with local governments and will play an important role in regional plans for disaster preparedness.
The Group has also signed a disaster cooperation contract with Japan's Self-Defense Forces on pharmaceutical supply during a major disaster.

All of the MEDIPAL Group's main sites are equipped with stores of disaster supplies, as well as satellite mobile phones for emergency communications.

The MEDIPAL Group's systems and networks at all sites feature built-in redundancy so that operations can continue even if one system goes down. The main systems equipment is designed with seismic base isolation, and sited in data centers that feature high-security measures, continuous power supply and air-conditioning, plus the built-in redundancy.

We have introduced a system to check on the safety of employees and their families during emergencies, and are running regular training drills on the safety check process.

Safety Confirmation System (screen image)

Products can be inspected by scanning the delivery container label with a wireless device, thereby shortening the time that people are in contact when receiving products.

MEDIPAL Group possesses a variety of information, beginning with customer data. We understand that appropriately managing and preserving this information is an important social responsibility that the MEDIPAL Group bears. Recent years have seen an increase in cybersecurity threats, including ransomware and supply chain attacks. In response to this, in addition to hard countermeasures such as those implemented in our systems, we are focusing on improving soft measures such as education for employees in the handling of data. We are thus striving to more thoroughly manage information through the implementation of countermeasures made up of both such hard and soft approaches.

As a standard for information management, the MEDIPAL Group has established a Group-wide Information Security Policy.
To ensure rigorous information management, we have set up an Information Management Committee headed by the Chief Information Officer (Representative Director, President and CEO) and have advanced investigations into initiatives beginning with stronger cybersecurity measures. We have also created a company-wide internal management system of managers and officers deployed in each Group company and section.

The MEDIPAL Group considers the awareness of each and every employee who handles information to be the most critical element of information management. Based on this idea, we conduct information security training twice a year via an e-learning platform to remind employees about information management and raise their awareness of security. Additionally, through trainings at different levels of the organization, we have conducted training to promote proper handling of data based on internal rules targeting new employees and management.
Furthermore, we are working to improve data collection and analyze the risk related to information security, drawing the attention of employees to phishing emails and other methods of targeted attack as necessary, and ensuring thorough awareness of information security at all workplaces.

We are working to prevent fraudulent use of systems and impersonation by thoroughly minimizing access permissions and by introducing two-factor authentication when logging into PCs, in order to prevent data leaks and data falsification stemming from unintended operations or mistakes within organizations, or from acts of fraud. We are logging operational history to enable tracking of suspicious operations on PCs, preventing access to suspicious websites and implementing detection and automatic removal of suspicious devices. By using biometric authentication and encrypting stored data on mobile devices, we have ensured data safety. As a measure to prevent mistaken sending of emails, we not only perform automatic inspection of emails contents, but we have also made it so that approval from a superior is required under certain circumstances, to thoroughly prevent mistaken transmissions.

In order to protect data assets from external threats such as cyberattacks, fraudulent access and malware infection, we are defending against unauthorized access through means such as the installation of firewalls, and the use of secure remote access limited to the connection source PC.
We have also implemented EDR^*1 as a malware countermeasure on all PCs and servers, and have made it possible to respond quickly in the early stages of an attack through real-time monitoring and detection of suspicious system operations. Additionally, we have also improved our filtering system for suspicious emails.
We also conduct monitoring in partnership with an external SOC^*2 and using a 24-hour monitoring system, enabling us to both ascertain the signs of an attack as soon as possible and to determine the scope of any impacts when an incident occurs, and to quickly perform initial responses through, for example, isolation of PCs. We thus work to minimize damage and quickly restore systems.

*1 Security technology that monitors the status of PCs and servers (endpoints) and the content of transmissions, and notifies administrators if irregular or suspicious activity occurs, and then blocks such activity

*2 A specialist team that provides 24-hour, 365-day-a-year monitoring of a company's or organization's networks or systems, gathering and analyzing logs, and proposing and executing countermeasures when incidents occur