Japan’s Cybersecurity Guidelines for Business Leadership – Changing the Japanese Business Mindset and Potentially Raising the Global Bar

(This blog post is also available in Japanese.)

In May 2015, 1.25 million pieces of personal information were stolen by cyber thieves from the Japan Pension Service (JPS). The news of the event reverberated throughout Japan similar to the headlines created after the Office of Personnel Management hacking a month later in the United States. The JPS event, on top of a recent series of information leaks, was shocking enough to raise cybersecurity awareness among corporate executives in Japan and shape Japan’s cybersecurity posture.

Seven months later, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released an impactful document: Cybersecurity Guidelines for Business Leadership Version 1.0 (this is a Japanese link; English press release is here). The 36-page document is aimed squarely at business executives, written in plain Japanese and eschewing technical terminology. The two organizations were alarmed by PwC statistics showing that only 27 percent of Japanese companies have business executives proactively instituting cybersecurity measures, compared to 59 percent globally.

Since their release, the guidelines have struck a chord with the business community, with executives in Japan becoming increasingly keen to learn which cybersecurity measures their companies should take. Seminars about the guidelines have proliferated around Tokyo and other major cities, attracting audiences from management and the executive level—quite different from the typically technical audiences that, until now, have attended most cybersecurity events. And some key Japanese players have reacted with major initiatives. Keidanren, the Japanese Business Federation (akin to the U.S. Chamber of Commerce), responded immediately in January 2016 in its second set of cybersecurity recommendations to the government, noting that industry is committed to reforming business leadership awareness and ensuring that cybersecurity is an important pillar of business risk management.

Keidanren blazed a trail. This April, Fujitsu Ltd., the Japanese multinational IT and services company, published a company-wide cybersecurity policy based on the guidelines: Fujitsu Group Information Security Policy, which applies to the company’s operations globally. We expect other major Japanese companies will follow suit with similar efforts, as Japanese companies culturally prefer to act in a uniform manner.

For the non-Japanese reading audience, what does the document say? The Japanese government gets to the point in the Cybersecurity Guidelines introduction: cybersecurity is an integral part of business operations and a priority for leadership, thus businesses must make decisions on their IT and cybersecurity investments to ensure business continuity and protect the company’s intellectual property and other assets. The document then provides three principles about which business executives should be aware, and 10 action items they should require their CISO and security teams to complete.

The three principles are that executive leadership should:

• Take the leadership to invest in cybersecurity, based on the level of risk they deem acceptable to their business operations;
• Enact cybersecurity measures for their own company, and promote measures in affiliated companies and business partners to mitigate potential information breaches; and
• Communicate their cybersecurity measures to stakeholders, take accountability, and build confidence.

The 10 action items elucidate more specific measures to take and demand teamwork among executives, technical professionals, and non-technical people. Leadership should instruct CISOs to:

1. Craft a cybersecurity policy;
2. Establish an appropriate team and clarify the division of responsibilities;
3. Identify assets to protect, and potential risks to those assets, and craft a mitigation plan;
4. Implement the Plan-Do-Check-Act (PDCA) cycle;
5. Have subsidiaries and business partners also do a PDCA;
6. Ensure an appropriate budget and human resource allocation;
7. Categorize assets as those the company should protect on its own, versus those outsourced contractors should protect, given capacity and efficiency;
8. Actively participate in and contribute to cyber threat information sharing frameworks;
9. Establish an emergency response system and conduct cyber exercises; and
10. Identify in advance whom to notify about potential incidents.

Although not legally binding, the Cybersecurity Guidelines have presented a baseline expectation from the Japanese government to industry. And, in Japan, government expectations carry significant weight, as do the actions of one’s contemporaries. Couple these cultural norms with a growing realization among Japanese companies (similar to their global peers) of the need to improve cybersecurity, and there is strong foundation for change.

The timing of the release of the METI/IPA Cybersecurity Guidelines also was essential to the rapid comprehension among Japanese companies of their value. After the JPS case, Japan’s revised Personal Information Protection Act came into effect in September 2015, requiring all companies to take security measures to protect and prevent breaches of personal information. Finally, in January 2016 “My Number,” a new personal identification system for Social Security and taxation information, was launched.

This all was on top of new legal risks following the 2014 “Benesse Corporation” case in which a leading Japanese correspondence education services provider and publisher paid ¥20 billion (approximately $187 million) in a class-action customer lawsuit after a systems engineer working for its subsidiary sold 35 million pieces of customer information to name-list brokers. The case ran afoul of the Japanese Companies Act, which requires C-level people, such as Chief Information Officers and Chief Financial Officers, to ensure internal controls, including information security.

The guidelines have been a potent force over the last five months in encouraging Japanese companies to release or prepare new cybersecurity policies, many of which will impact both Japanese and non-Japanese business partners. Given the potential global influence, it would be beneficial for the METI/IPA Cybersecurity Guidelines to be translated into English. This also will enable a global audience to better understand the direction in which Japan’s cybersecurity is heading, share best practices and potentially comment on the guidelines, and maximize the chances that government efforts are aligned internationally.

We have seen this approach to send messages globally bear fruit very recently. When the Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC), a governmental organization responsible for cybersecurity strategy and policy-crafting and international coordination, published Japan’s National Cybersecurity Strategy in 2015, it released Japanese and English versions at around the same time. This was a trial for the Japanese government, which traditionally has taken several months to release English translations of documents, if at all. This important move reflected Japan’s strong determination to make a globally impactful strategy rather than potentially limiting its influence to just within Japan.

No single country, sector or company can improve cybersecurity on its own. Teamwork and communication are essential. The METI/IPA Cybersecurity Guidelines are a very welcome addition to the mix. Many global companies including Palo Alto Networks have been strong advocates of government efforts to promote sound cybersecurity policies that enable entities to assess and manage their cyber risks, and that are based on public-private partnerships. Japan is the third largest economy in the world, and its efforts to improve cybersecurity are globally impactful. Japan’s new Cybersecurity Guidelines deserve a global audience.

This is the first in a series of blogs to be co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover additional thoughts on the METI/IPA Cybersecurity Guidelines, the G7 Summit hosted by Japan in late May 2016, Japan’s role in global cybersecurity capacity-building, cyberthreat information-sharing and prospects for Japan, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.