{"id":22825,"date":"2016-12-22T13:00:35","date_gmt":"2016-12-22T21:00:35","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=22825"},"modified":"2016-12-22T09:33:35","modified_gmt":"2016-12-22T17:33:35","slug":"gov-japanese-government-updates-cybersecurity-guidelines-increased-focus-cybersecurity-investments-smbs","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2016\/12\/gov-japanese-government-updates-cybersecurity-guidelines-increased-focus-cybersecurity-investments-smbs\/","title":{"rendered":"Japanese Government Updates Cybersecurity Guidelines:  Increased Focus on Cybersecurity Investments and SMBs"},"content":{"rendered":"<p>In December 2016, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released <a href=\"http:\/\/www.meti.go.jp\/policy\/netsecurity\/downloadfiles\/CSM_Guideline_v1.1.pdf\" rel=\"nofollow,noopener\" ><em>Cybersecurity Guidelines for Business Leadership ver. 1.1.<\/em><\/a> (this is a Japanese link), an update of <a href=\"http:\/\/www.meti.go.jp\/press\/2015\/12\/20151228002\/20151228002-2.pdf\" rel=\"nofollow,noopener\" >\u00a0ver. 1.0 published in December 2015<\/a> (this is a Japanese link; English press release is <a href=\"http:\/\/www.meti.go.jp\/english\/press\/2015\/1228_03.html\" rel=\"nofollow,noopener\" >here<\/a>).<\/p>\n<p>As <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/05\/japans-cybersecurity-guidelines-for-business-leadership-changing-the-japanese-business-mindset-and-potentially-raising-the-global-bar\/#more-13765\">our May 2016 blog post<\/a> pointed out, METI\u2019s <em>Guidelines<\/em> are aimed squarely at business executives. The December 2016 update builds upon the original document\u2019s three principles and 10 action items, with two notable changes. First, the update includes a higher expectation that business executives take a leadership role in cybersecurity. 
Second, the revised <em>Guidelines<\/em> include a <em>Guidebook<\/em> written by IPA.<\/p>\n<p>The biggest difference between the original and new versions is the revision of the first principle. The 2015 <em>Guidelines<\/em> urged business executives to take the leadership to determine how much cyber risk to accept and cybersecurity investments to make, despite the near impossibility in calculating return on investment (ROI) in cybersecurity. The new document still encourages business executives to take the leadership for cybersecurity investments but gives an urgent reason: cyberattacks are unavoidable in today\u2019s business environment. The new document emphasizes that business executives\u2019 responsibility to invest in cybersecurity is an indispensable part of their business strategies, given that cyberattacks threaten to negate the opportunities companies have in using or providing IT services to increase their business presence and productivity.<\/p>\n<p>This strong justification reflects the Japanese government\u2019s frustration toward what it views as a cybersecurity mindset gap between Japanese and both American and European business leadership. The revised <em>Guidelines<\/em> cite <a href=\"https:\/\/assets.kpmg.com\/content\/dam\/kmpg\/pdf\/2016\/06\/jp-cyber-security-survey-2013.pdf\" rel=\"nofollow,noopener\" >KPMG\u2019s Cybersecurity Surveys from 2013<\/a> and <a href=\"https:\/\/home.kpmg.com\/jp\/ja\/home\/insights\/2016\/06\/cyber-security-survey-2016.html\" rel=\"nofollow,noopener\" >2016<\/a>, which show that, while the ratio of Japanese companies that believe responses to cyberattacks should be discussed at the board level grew from 52 percent in 2013 to 68 percent in 2015, the figure is still much lower than the overseas rate of 88 percent. 
A <a href=\"https:\/\/www.ipa.go.jp\/files\/000052362.pdf\" rel=\"nofollow,noopener\" >May 2016 report by IPA<\/a> that added to the Japanese government\u2019s sense of urgency found that 28.9 percent of Japanese companies reported their business executives were not sensitive to cyber risks, and 26.2 percent said their business executives did not understand the importance of IT and security. The figures were 16.4 percent and 17.7, respectively, in the United States, and 20.6 percent and 18.0 percent in Europe.<\/p>\n<p>The second major change in the 2016 <em>Guidelines <\/em>is the inclusion of a new, 128-page supplementary <a href=\"http:\/\/www.ipa.go.jp\/files\/000056148.pdf\" rel=\"nofollow,noopener\" ><em>Guidebook for the Cybersecurity Guidelines ver. 1.0<\/em><\/a> published by IPA. IPA\u2019s <em>Guidebook <\/em>explains specific actions to be taken by business leaders, chief information security officers (CISOs), and cybersecurity engineers, noting that the original 36-page <em>Guidelines<\/em> do not provide examples in detail. IPA also explains in further detail the three principles and ten action items from the 2015 <em>Guidelines,<\/em> and includes <a href=\"https:\/\/www.ipa.go.jp\/security\/economics\/csmgl-kaisetsusho.html\" rel=\"nofollow,noopener\" >an Excel appendix<\/a> tracking cyber incidents in Japan and overseas between 2011 and 2016.<\/p>\n<p>Some examples in the appendix are incidents in which Japanese subsidiaries (often SMBs) were hacked. <a href=\"http:\/\/news.mynavi.jp\/series\/network_security\/001\/\" rel=\"nofollow,noopener\" >Japan has seen an increasing number of cyberattacks against SMBs<\/a>. 
2016 saw a few major breaches against subsidiaries of major companies. This addition of SMB examples by IPA may be to bolster the original <em>Guidelines<\/em>\u2019 second principle, which encourages business executives to promote cybersecurity measures in affiliated companies and business partners, as well as their own companies, to mitigate potential information breaches. Although the original <em>Guidelines<\/em> exclude small-sized companies as targeted audiences, <a href=\"http:\/\/www.smrj.go.jp\/recruit\/environment.html\" rel=\"nofollow,noopener\" >99.7 percent of companies are small and medium-sized businesses (SMBs) in Japan, employing 69.7 percent of Japanese workers<\/a> (Japan generally <a href=\"http:\/\/www.chusho.meti.go.jp\/faq\/faq\/faq01_teigi.htm\" rel=\"nofollow,noopener\" >defines<\/a> SMBs as businesses with fewer than 300 employees). Thus, better cybersecurity and corporate governance are musts for overall strong cybersecurity in Japan.<\/p>\n<p>That is why the IPA <em>Guidebook<\/em> (pp. 55\u201356) included a powerful statement that parent companies are responsible for their business operations and, thus, are primarily responsible if an affiliate or subsidiary company\u2019s lack of adequate cybersecurity measures results in security incidents, such as the leak of important information or negative impact on business continuity.\u00a0 The <em>Guidebook<\/em> further states (p. 57) that cybersecurity responsibilities and costs in the supply chain should be at least partially borne by the upstream company. Upstream companies should neither expect their supply chains to take cybersecurity measures on their own nor shift the responsibility to them.<\/p>\n<p>METI\u2019s issuance within one year of substantive additions to the 2015 <em>Cybersecurity Guidelines for Business Leadership<\/em> is a testament to how much the government is concerned about businesses\u2019 cybersecurity, especially among SMBs, and eager for behavioral change in Japan. 
Although government guidelines in general are not legally binding in Japan, the revisions show growing pressure from the government toward companies to help SMBs and be aware of cybersecurity and business risks associated with their subsidiaries and contract companies. The revised <em>Guidelines\u2019 <\/em>emphasis on the role of business executives is particularly welcome. As we described in <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/09\/cso-the-safe-zone-and-other-challenges-to-japans-cybersecurity-governance-efforts\/\">our September 2016 blog post,<\/a> Japanese companies traditionally have not had the concept of \u201cC-level\u201d executives.<\/p>\n<p><a href=\"http:\/\/www.nisc.go.jp\/eng\/pdf\/cs-strategy-en.pdf\" rel=\"nofollow,noopener\" >Japan\u2019s 2015 National Cybersecurity Strategy<\/a> emphasized the importance of business executive leadership in investing more in cybersecurity as part of their business strategy. METI\u2019s 2015 <em>Guidelines<\/em> and 2016 revision reflect the philosophy. The Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC) plans to issue the <a href=\"http:\/\/www.nisc.go.jp\/conference\/cs\/kenkyu\/dai05\/pdf\/05shiryou04.pdf\" rel=\"nofollow,noopener\" >Cybersecurity Strategy for Research and Development in June 2017<\/a> and update its <a href=\"http:\/\/www.nisc.go.jp\/conference\/cs\/jinzai\/dai04\/pdf\/04gijishidai.pdf\" rel=\"nofollow,noopener\" >Plan for the Development of Cybersecurity Human Resources in 2017<\/a>. Since 2017 is only three years away from the Tokyo 2020 Olympic Games, business resiliency and cybersecurity awareness is an urgent task for the Japanese. 
The policy developments late this year, and expected in 2017, will continue to urge companies to take more actions for better cybersecurity.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/12\/Miho_Danielle.png\"><div style=\"max-width:100%\" data-width=\"762\"><span class=\"ar-custom\" style=\"padding-bottom:50.79%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-full wp-image-22837 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/12\/Miho_Danielle.png\" alt=\"miho_danielle\" width=\"762\" height=\"387\" \/><\/span><\/div><\/a><\/p>\n<p><em>This is the sixth in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz, aimed at introducing Japan\u2019s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover Japan\u2019s role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the 2020 Summer Olympic Games in Tokyo, and other topics. <\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In December 2016, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released Cybersecurity Guidelines for Business Leadership ver. 1.1. 
(this is a Japanese link), an &hellip;<\/p>\n","protected":false},"author":182,"featured_media":20199,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1766,484],"tags":[120,473],"coauthors":[1873,1920],"class_list":["post-22825","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cso-perspective","category-government","tag-cybersecurity","tag-japan"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/09\/government-web-banner-650x300.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/22825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/182"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=22825"}],"version-history":[{"count":4,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/22825\/revisions"}],"predecessor-version":[{"id":22849,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/22825\/revisions\/22849"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/20199"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=22825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=22825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tag
s?post=22825"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=22825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}