Japanese Government Updates Cybersecurity Guidelines: Increased Focus on Cybersecurity Investments and SMBs

In December 2016, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released Cybersecurity Guidelines for Business Leadership ver. 1.1. (this is a Japanese link), an update of  ver. 1.0 published in December 2015 (this is a Japanese link; English press release is here).

As our May 2016 blog post pointed out, METI’s Guidelines are aimed squarely at business executives. The December 2016 update builds upon the original document’s three principles and 10 action items, with two notable changes. First, the update includes a higher expectation that business executives take a leadership role in cybersecurity. Second, the revised Guidelines include a Guidebook written by IPA.

The biggest difference between the original and new versions is the revision of the first principle. The 2015 Guidelines urged business executives to take the leadership to determine how much cyber risk to accept and cybersecurity investments to make, despite the near impossibility in calculating return on investment (ROI) in cybersecurity. The new document still encourages business executives to take the leadership for cybersecurity investments but gives an urgent reason: cyberattacks are unavoidable in today’s business environment. The new document emphasizes that business executives’ responsibility to invest in cybersecurity is an indispensable part of their business strategies, given that cyberattacks threaten to negate the opportunities companies have in using or providing IT services to increase their business presence and productivity.

This strong justification reflects the Japanese government’s frustration toward what it views as a cybersecurity mindset gap between Japanese and both American and European business leadership. The revised Guidelines cite KPMG’s Cybersecurity Surveys from 2013 and 2016, which show that, while the ratio of Japanese companies that believe responses to cyberattacks should be discussed at the board level grew from 52 percent in 2013 to 68 percent in 2015, the figure is still much lower than the overseas rate of 88 percent. A May 2016 report by IPA that added to the Japanese government’s sense of urgency found that 28.9 percent of Japanese companies reported their business executives were not sensitive to cyber risks, and 26.2 percent said their business executives did not understand the importance of IT and security. The figures were 16.4 percent and 17.7, respectively, in the United States, and 20.6 percent and 18.0 percent in Europe.

The second major change in the 2016 Guidelines is the inclusion of a new, 128-page supplementary Guidebook for the Cybersecurity Guidelines ver. 1.0 published by IPA. IPA’s Guidebook explains specific actions to be taken by business leaders, chief information security officers (CISOs), and cybersecurity engineers, noting that the original 36-page Guidelines do not provide examples in detail. IPA also explains in further detail the three principles and ten action items from the 2015 Guidelines, and includes an Excel appendix tracking cyber incidents in Japan and overseas between 2011 and 2016.

Some examples in the appendix are incidents in which Japanese subsidiaries (often SMBs) were hacked. Japan has seen an increasing number of cyberattacks against SMBs. 2016 saw a few major breaches against subsidiaries of major companies.This addition of SMB examples by IPA may be to bolster the original Guidelines’ second principle, which encourages business executives to promote cybersecurity measures in affiliated companies and business partners, as well as their own companies, to mitigate potential information breaches. Although the original Guidelines exclude small-sized companies as targeted audiences, 99.7 percent of companies are small and medium-sized businesses (SMBs) in Japan, employing 69.7 percent of Japanese workers (Japan generally defines SMBs as businesses with fewer than 300 employees). Thus, better cybersecurity and corporate governance are musts for overall strong cybersecurity in Japan.

That is why the IPA Guidebook (pp. 55–56) included a powerful statement that parent companies are responsible for their business operations and, thus, are primarily responsible if an affiliate or subsidiary company’s lack of adequate cybersecurity measures result in security incidents, such as the leak of important information or negative impact on business continuity.  The Guidebook further states (p. 57) that cybersecurity responsibilities and costs in the supply chain should be at least partially borne by the upstream company. Upstream companies should neither expect their supply chains to take cybersecurity measures on their own nor shift the responsibility to them.

METI’s issuance within one year of substantive additions to the 2015 Cybersecurity Guidelines for Business Leadership is a testament to how much the government is concerned about businesses’ cybersecurity, especially among SMBs, and eager for behavioral change in Japan. Although government guidelines in general are not legally binding in Japan, the revisions show growing pressure from the government toward companies to help SMBs and be aware of cybersecurity and business risks associated with their subsidiaries and contract companies. The revised Guidelines’ emphasis on the role of business executives is particularly welcome. As we described in our September 2016 blog post, Japanese companies traditionally have not had the concept of “C-level” executives.

Japan’s 2015 National Cybersecurity Strategy emphasized the importance of business executive leadership in investing more in cybersecurity as part of their business strategy. METI’s 2015 Guidelines and 2016 revision reflect the philosophy. The Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC) plans to issue the Cybersecurity Strategy for Research and Development in June 2017 and update its Plan for the Development of Cybersecurity Human Resources in 2017. Since 2017 is only three years away from the Tokyo 2020 Olympic Games, business resiliency and cybersecurity awareness is an urgent task for the Japanese. The policy developments late this year, and expected in 2017, will continue to urge companies to take more actions for better cybersecurity.

This is the sixth in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz, aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover Japan’s role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the 2020 Summer Olympic Games in Tokyo, and other topics.