Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended | ||||
|---|---|---|---|---|---|
Mar. 31, 2025 | |||||
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |||||
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Cybersecurity Risk Management and Strategy The process at TMC for managing cybersecurity risks is integrated into the TGRS, a company-wide risk management framework based on ISO and COSO. For instance, based on the TGRS, TMC identifies cybersecurity risks, determines their degree of significance, and sets priorities to enable an effective response. For a further discussion of TMC’s company-wide risk management, see “Item 4. Information on TMC — 4.B. Business Overview — Climate Change-related Disclosures — Risk Management” in this annual report. As part of TMC’s cybersecurity risk management process, TMC has a cybersecurity team established within the digital information and communication group that gathers information concerning cybersecurity-related trends and case examples relating to other companies from third parties such as governmental security agencies, cybersecurity companies and software vendors, and monitors cyberattacks from external sources. In addition, by being a member of the Automotive Information Sharing & Analysis Center (Auto-ISAC) in Japan and the U.S., TMC is able to learn promptly about problematic events that occur within the industry and puts the information to use to improve and implement cybersecurity measures. Furthermore, TMC also actively collaborates with outside experts to gain outside knowledge and uses it to improve security. TMC also is a member of the Nippon Computer Security Incident Response Team (CSIRT) Association, which shares information about incidents, vulnerabilities, and signs of attacks, among member companies. The team also shares information about security threats with Toyota’s overseas regional headquarters, which then share information within their own regions and implement countermeasures as necessary. Similarly, in the area of product security, the groups in charge of automotive security within the specialized team promotes automotive security initiatives throughout the entire automotive lifecycle in collaboration with the automotive development field, including product development with security-by-design 1 and ISO/SAE 21434*2 , and the collection and monitoring of threat and vulnerability information.
TMC also provides information security training for all of TMC’s employees, including secondees and dispatched employees, such as through activities to raise awareness during “Information Quality Months,” educational or warning information displayed at the startup of individuals’ personal computers, and unannounced training to test responses to targeted-attack-type emails. In addition, third-party organizations with expertise in cybersecurity and risk management evaluate, based on such standards as those of the U.S National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST’s Special Publications (SP) Series, ISO and International Electrotechnical Commission (IEC) , the condition of the management and technical aspects of TMC’s security measures for information technology, operational technology, products and other areas. TMC implements measures to address problems identified through these evaluations as needed, working to raise the level of security. TMC has an ongoing process in place to monitor known access routes to its systems, block potential threats, and evaluate incidents as they are identified. This process also applies to the systems of certain subsidiaries as well as certain third-party distributors, suppliers, and service providers. TMC has issued the All Toyota Security Guidelines (“ATSG”), which are guidelines for identifying and mitigating cybersecurity risks, to TMC’s consolidated subsidiaries, as well as third party dealers and rental or leasing agencies in Japan, requesting them to conduct self-inspections covering more than 100 items and enhance cybersecurity measures. In addition, the cybersecurity team carries out on-site audits by visiting the subsidiaries and other entities that the ATSG applies to, to check responses to the ATSG and the status of implementation of physical security measures at each company. TMC has also requested TMC’s key suppliers to enhance their cybersecurity measures based on the guidelines that are equivalent to the ATSG. [No material cybersecurity incident has occurred to Toyota to date.] In fiscal 2025, Toyota did not identify cybersecurity risks from cybersecurity threats, including as a result of past cybersecurity incidents, that are reasonably likely to materially affect Toyota, including its business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to assess, identify, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. For a further discussion of risks that may materially affect Toyota if a cybersecurity threat materializes and other matters, see “Risk Factors” in this annual report. |
||||
| Cybersecurity Risk Management Processes Integrated [Flag] | true | ||||
| Cybersecurity Risk Management Processes Integrated [Text Block] | The process at TMC for managing cybersecurity risks is integrated into the TGRS, a company-wide risk management framework based on ISO and COSO. For instance, based on the TGRS, TMC identifies cybersecurity risks, determines their degree of significance, and sets priorities to enable an effective response. For a further discussion of TMC’s company-wide risk management, see “Item 4. Information on TMC — 4.B. Business Overview — Climate Change-related Disclosures — Risk Management” in this annual report. |
||||
| Cybersecurity Risk Management Third Party Engaged [Flag] | true | ||||
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true | ||||
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false | ||||
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | [No material cybersecurity incident has occurred to Toyota to date.] In fiscal 2025, Toyota did not identify cybersecurity risks from cybersecurity threats, including as a result of past cybersecurity incidents, that are reasonably likely to materially affect Toyota, including its business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to assess, identify, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. For a further discussion of risks that may materially affect Toyota if a cybersecurity threat materializes and other matters, see “Risk Factors” in this annual report. |
||||
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Cybersecurity Governance TMC considers cybersecurity risk to be a particularly important risk within its risk management framework and one of the areas of focus for its Board of Directors, Audit and Supervisory Committee, and management. As part of the company-wide risk management process, in addition to developing the TGRS described above, TMC has established a governance and risk subcommittee that includes members of the Board of Directors and Audit and Supervisory Committee, as well as the Chief Information & Security Officer (“CISO”) as a member in charge of cybersecurity. The subcommittee discusses cybersecurity as one of the company-wide risks. TMC’s cybersecurity team is led by the CISO and reports serious cybersecurity risks or incidents to the Board of Directors and the Audit and Supervisory Committee as they arise. In addition, the members of the Information Quality Management Meeting, which is held approximately twice a year, receives reports on and oversees the status of cybersecurity risks and incidents at TMC. This body, chaired by the CISO, is attended by responsible personnel assigned to each security area, such as confidential information management, information systems, and supply chain. Participants report and share information about security risks and the status of incidents. Of such information, material matters are reported by the CISO to the Board of Directors and Audit and Supervisory Committee through the CRO, who is responsible for overall risk management. In addition to the meeting mentioned above, the cybersecurity team is in close contact with full-time Audit and Supervisory Committee members, providing regular reports and receiving and responding to their inquiries about the state of TMC’s approach to cybersecurity and incident trends in the world. TMC’s process for identifying, tracking and managing cybersecurity risks on a daily basis is primarily carried out by the cybersecurity team led by the CISO. The cybersecurity team consists of professionals with cybersecurity expertise. Among the members, the CISO has gained experience in the development of in-vehicle software and on-board devices since joining TMC and has insights into information technologies such as software and cloud services. The CISO also gained experience in the field of cybersecurity since 2016, when he became an officer of Toyota’s Connected Company, and thus has knowledge of and insights into cybersecurity. TMC has a process where cybersecurity incidents at TMC or TMC’s group companies or suppliers is reported to an appropriate cybersecurity team in a timely manner as it occurs and escalated to the CISO according to the severity of the incident. In addition, TMC has the Toyota Motor Corporation-Security Incident Response Team (TMC-SIRT), a response team including members of management, and has established a system to take appropriate and prompt action to resolve incidents. The TMC-SIRT does not only respond to cybersecurity incidents at TMC, but also provides support for incidents at TMC’s subsidiaries in Japan and overseas and key suppliers in Japan as necessary to bring the situation under control. The CISO is responsible for managing the cybersecurity risks and strategic processes described above, as well as overseeing the prevention, mitigation, detection, and remediation of cybersecurity incidents. |
||||
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | TMC considers cybersecurity risk to be a particularly important risk within its risk management framework and one of the areas of focus for its Board of Directors, Audit and Supervisory Committee, and management. As part of the company-wide risk management process, in addition to developing the TGRS described above, TMC has established a governance and risk subcommittee that includes members of the Board of Directors and Audit and Supervisory Committee, as well as the Chief Information & Security Officer (“CISO”) as a member in charge of cybersecurity. The subcommittee discusses cybersecurity as one of the company-wide risks. |
||||
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | TMC’s cybersecurity team is led by the CISO and reports serious cybersecurity risks or incidents to the Board of Directors and the Audit and Supervisory Committee as they arise. In addition, the members of the Information Quality Management Meeting, which is held approximately twice a year, receives reports on and oversees the status of cybersecurity risks and incidents at TMC. This body, chaired by the CISO, is attended by responsible personnel assigned to each security area, such as confidential information management, information systems, and supply chain. Participants report and share information about security risks and the status of incidents. Of such information, material matters are reported by the CISO to the Board of Directors and Audit and Supervisory Committee through the CRO, who is responsible for overall risk management. In addition to the meeting mentioned above, the cybersecurity team is in close contact with full-time Audit and Supervisory Committee members, providing regular reports and receiving and responding to their inquiries about the state of TMC’s approach to cybersecurity and incident trends in the world. |
||||
| Cybersecurity Risk Role of Management [Text Block] | TMC’s process for identifying, tracking and managing cybersecurity risks on a daily basis is primarily carried out by the cybersecurity team led by the CISO. |
||||
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true | ||||
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | In addition, TMC has the Toyota Motor Corporation-Security Incident Response Team (TMC-SIRT), a response team including members of management, and has established a system to take appropriate and prompt action to resolve incidents. The TMC-SIRT does not only respond to cybersecurity incidents at TMC, but also provides support for incidents at TMC’s subsidiaries in Japan and overseas and key suppliers in Japan as necessary to bring the situation under control. The CISO is responsible for managing the cybersecurity risks and strategic processes described above, as well as overseeing the prevention, mitigation, detection, and remediation of cybersecurity incidents. |
||||
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The cybersecurity team consists of professionals with cybersecurity expertise. Among the members, the CISO has gained experience in the development of in-vehicle software and on-board devices since joining TMC and has insights into information technologies such as software and cloud services. The CISO also gained experience in the field of cybersecurity since 2016, when he became an officer of Toyota’s Connected Company, and thus has knowledge of and insights into cybersecurity. |
||||
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |