The Financial Services Agency of Japan (FSA) prioritizes the stability of financial functions and the protection of depositors as outlined in Article 3 of the Financial Services Agency Establishment Law. Cybersecurity threats pose a significant risk to the interests of financial service users and the stability of the financial system. Therefore, the FSA recognizes the critical importance of strengthening cybersecurity across the entire financial sector.
Furthermore, financial institutions are obligated under their respective laws to ensure the sound and appropriate management of their businesses. This inherently includes maintaining robust cybersecurity practices to ensure business integrity and suitability.
In line with the “Cybersecurity Strategy for Strengthening Cybersecurity in the Financial Sector” (including its revised versions), the FSA has been proactively engaging in dialogue and collaboration with the financial industry to bolster cybersecurity across the sector. The FSA has established supervisory guidelines and administrative guidelines (referred to as “Supervisory Guidelines, etc.”) within the framework of each relevant law to outline the key points for financial institutions to consider in their cybersecurity management systems. Through inspections and monitoring based on these regulations, the FSA has been promoting enhanced cybersecurity across the financial sector by engaging in individual dialogue with financial institutions and disseminating best practices and common challenges identified through inspections and monitoring activities to the entire industry via industry groups.
The “Guidelines on Cybersecurity in the Financial Sector” build upon previous inspections, monitoring outcomes, and the evolving landscape of cybersecurity threats, presenting more detailed guidelines separate from the Supervisory Guidelines, etc. This section outlines the fundamental principles expected of financial institutions regarding cybersecurity, the roles of information-sharing organizations and central industry organizations, and the positioning and supervisory response to these guidelines. Section 2 outlines key considerations for governance, identification, protection, detection, response, recovery, and third-party risk management from a cybersecurity perspective. For each, “Basic Response Items” and “Desirable Response Items” are defined for financial institutions. Section 3 addresses the fundamental approach to strengthening collaboration between the FSA and related parties and organizations.
Note: The “Basic Response Items” refer to essential practices, often referred to as cyber hygiene, that financial institutions are generally expected to implement. “Desirable Response Items” represent advanced initiatives and best practices, gleaned from dialogue with other national authorities and financial institutions globally, that leading financial institutions and major clearing and settlement institutions should consider implementing. They are offered as examples of best practices for major financial institutions and major clearing and settlement institutions to refer to, because an incident at such institutions may have a significant impact on regional communities, the economy, etc.
Given the diversity in size and characteristics of financial institutions, neither “Basic Response Items” nor “Desirable Response Items” imply a uniform approach. Financial institutions are expected to adopt a risk-based approach, identifying, assessing, and mitigating cybersecurity risks based on their own business environment, business strategies, and risk appetite (Note).
The FSA will continue to conduct risk-based inspections and monitoring, considering the scale and characteristics of each financial institution, to verify the robustness of their cybersecurity management systems. It’s crucial that financial institutions prioritize their risk mitigation efforts based on the importance and urgency of identified risks, acknowledging resource limitations. Simultaneously, the FSA will share identified cases (common challenges and good practices observed in financial institutions) with the entire industry through industry groups to enhance cybersecurity across the sector.
2.1. Cybersecurity Management System
The Cybersecurity Basic Law in Japan lays out the fundamental elements for ensuring cybersecurity within the country. One of its core principles highlights the need for proactive collaboration among various stakeholders, including the government, critical infrastructure providers, and other entities, to effectively address these issues. Financial institutions in banking, life insurance, non-life insurance, securities, and funds settlement are designated as critical infrastructure providers (critical information infrastructure operators) under the Cybersecurity Basic Law. This designation underscores their responsibility to prioritize cybersecurity by fostering awareness and understanding within their organizations and engaging in proactive and independent efforts to ensure robust cybersecurity practices.
In addition to their obligations as critical infrastructure providers, financial institutions are also bound by the Banking Law, the Insurance Business Law, the Financial Instruments and Exchange Law, etc. to ensure sound and appropriate business operations, which inherently encompass robust cybersecurity measures.
When a financial institution operates as a group (including overseas offices), it is expected to establish a consistent cybersecurity management system, considering the size and characteristics of its group companies and branches, encompassing the elements outlined in Section 2. This approach ensures comprehensive cybersecurity across the entire group.
Moreover, addressing the ever-evolving threat landscape demands constant and adaptable adjustments to both organizational and technological aspects of cybersecurity. This requires appropriate resource allocation under the leadership of management and a shift from a reactive to a proactive approach. Furthermore, since cybersecurity cannot be solely entrusted to the cybersecurity or IT departments, it necessitates a comprehensive approach involving the entire organization, starting with the management, to establish and operate a robust system.
Under these circumstances, financial institutions should not solely focus on formally complying with these guidelines. Instead, they are expected to take practical and effective measures based on relevant laws and regulations, Supervisory Guidelines, etc., and the intent of these guidelines. In doing so, they should refer to relevant guidelines (Note).
2.2. Management Involvement and Understanding
Disruptions to operations caused by cyber incidents can significantly impact customers and potentially erode trust in both the financial institution and the financial system. Given the potential severity of such risks, it’s clear that cybersecurity is not solely an IT/system issue but a critical business concern that could significantly impact management’s accountability. Moreover, minimizing the impact on customers and the financial system and striving for swift recovery in the event of a cyber incident requires collaboration among departments such as business operation, planning, public relations, compliance, risk management, and audit. It also necessitates proactive involvement from top management, going beyond the immediate response team. Furthermore, collaboration with external stakeholders, including customers, law enforcement agencies, information-sharing organizations, and regulatory authorities, is essential. Building a robust and organization-wide response framework to facilitate such collaborative efforts is crucial, and strong leadership from management is indispensable in achieving this.
Directors and officers are entrusted with responsibilities outlined in the Civil Code, the Companies Act, and other relevant laws and regulations. Therefore, they are expected to proactively participate in training and drills to deepen their understanding of cybersecurity, enabling them to make well-informed management decisions.
Responding to threat intelligence and keeping pace with the latest attack trends may not always be efficient or effective for individual financial institutions. This is particularly true for smaller institutions or those with limited operational scope, making it challenging to accumulate sufficient information and expertise.
To enhance the overall resilience of the Japanese financial sector, industry groups and central organizations should take on a central and leading role. In collaboration with authorities when necessary, they can contribute by:
- Sharing Information and Best Practices: Disseminating information and response examples relevant to financial institutions.
- Capacity Building: Providing support for system development and operation.
- Collaborative Exercises: Organizing sector-wide cybersecurity exercises, scenario analysis, and personnel training.
Financial institutions are encouraged to actively leverage the resources and expertise offered by organizations like the Financial ISAC, which provides support in addressing technical challenges, sharing best practices, analyzing the latest cyberattack trends and vulnerability information, etc. Collaboration with other industries is also encouraged.
For example, many cooperative financial institutions outsource the development and operation of their core systems to joint centers. They also entrust the development and operation of network systems that connect with industry networks and other industries’ systems to the central organizations and industry centers of each business category, and in some cases they jointly utilize these centers. Similarly, network environments such as internet connections, homepages, and internet banking services are often provided by and shared with industry centers. The role of industry groups and central organizations is therefore crucial in coordinating responses to system failures caused by cyberattacks. Accordingly, each cooperative financial institution is encouraged to utilize the business complementation and support services provided by central organizations that have a business support function for individual financial institutions, and central organizations are expected to enhance the aggregation and enrichment of cybersecurity-related business complementation and support.
Furthermore, clearing and settlement institutions are expected to manage the risks posed by their participants to ensure the stable provision of services. From this perspective, clearing and settlement institutions may refer to these Guidelines when setting reasonable, risk-related participation requirements, etc. for participants in light of the prevailing risk situation.
These Guidelines are intended for institutions subject to Supervisory Guidelines, etc., regarding cybersecurity management, including:
- Major banks
- Regional and small- and medium-sized financial institutions
- Insurance companies
- Small amount and short term insurance businesses
- Financial instruments business operators, etc.
- Credit rating agencies
- Money lending businesses
- Prepaid payment instrument issuers
- Electronic bond registry institutions
- Designated credit bureaus
- Funds transfer providers
- Clearing and settlement institutions
- Financial services intermediary businesses
- Foreign exchange transaction analysis businesses
- Crypto asset exchange service providers
- Bank agency businesses
- Electronic payment instrument, etc. trading businesses
- Electronic payment instrument, etc. handling businesses
- Electronic payment instrument, etc. agency businesses
- Agricultural and fishery cooperative financial institutions, and
- Financial instruments exchanges
(referred to as “Financial Institutions, etc.” in these Guidelines).
Unless otherwise specified, definitions of terms in these Guidelines shall be in accordance with those defined in the Supervisory Guidelines, etc. for each respective industry.
Note: The provisions of the Supervisory Guidelines, etc. concerning cybersecurity management constitute part of the provisions concerning system risk management in the Supervisory Guidelines, etc. Therefore, it is also recommended that the provisions of the Supervisory Guidelines, etc. concerning system risk management be referred to as necessary for understanding these Guidelines.