Best practice
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
Under the Basic Act on Cybersecurity, the obligations for critical infrastructure operators, cyber-related business operators, universities and other educational and research institutions may be prescribed in a more concrete manner by the promulgation of specific laws and regulations in the future. These may also include guidelines for strengthening cybersecurity. For example, on 28 September 2021, the Cabinet adopted a revised Cybersecurity Strategy. Furthermore, the Cyber Security Strategy Headquarters published The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) on 18 April 2017, which was subsequently revised on 25 July 2018 and 30 January 2020 (the 4th Edition Policy is now being revised, with the next edition planned to be developed by 31 March 2022), whereby the following four measures have been promoted:
- developing security standards and raising awareness: continuously improve guidelines for cross-sectoral measures and sector-to-sector security standards in protecting critical information infrastructure;
- strengthening failure response frameworks: generally strengthen the frameworks for responding to service failures in critical infrastructure through drills, to be performed by way of public-private collaboration and coordination of various drills and training;
- managing and addressing risks: promote comprehensive risk management, including improvement of risk response capabilities, through risk assessment and the development of contingency plans; and
- strengthening the protection base: revise the scope for critical infrastructure protection, promoting public relations or public consultation activities and international collaboration, make necessary approaches to corporate senior management and promote human resource development, among other things.
Further, from the perspective of information security, the Personal Information Protection Commission has developed the following separate guidelines regarding the Act on the Protection of Personal Information: general rules; provision of personal information to third parties outside of Japan; confirmation and recording obligations in providing personal information to third parties; and anonymously processed information.
How does the government incentivise organisations to improve their cybersecurity?
To ensure that critical infrastructure operators adhere to measures to strengthen cybersecurity, the Basic Act on Cybersecurity requires the state to take necessary measures, such as developing basic standards to be followed, providing drills, training and promoting information sharing and other voluntary efforts (article 14). In addition, the state is required to promote awareness regarding the significance of cybersecurity, hold consultations concerning cybersecurity, provide necessary information and advice and take other necessary measures (article 15).
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
With regard to information security, international standards ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27017 are principally used in the development of relevant guidelines.
To use the ISO standards for the applicable certification system in Japan, however, the contents of such ISO standards must be established anew as Japanese Industrial Standards (JISs). JISs are national standards established under the Industrial Standardisation Act for the purpose of promoting industrial standardisation in Japan. Among the ISO/IEC 27000 family relating to information security management systems (ISMSs), the following standards have been faithfully translated into Japanese to secure consistency with international standards and are recognised as being identical (IDT: IDENTICAL):
- ISO/IEC 27001: 2013 into JIS Q 27001: 2014;
- ISO/IEC 27002: 2013 into JIS Q 27002: 2014;
- ISO/IEC 27006: 2015 into JIS Q 27006: 2018;
- ISO/IEC 27014: 2013 into JIS Q 27014: 2015; and
- ISO/IEC 27017: 2015 into JIS Q 27017: 2016.
In 2017, JISQ15001, being a standard used for privacy mark certification, was revised. JISQ15001 is not an international standard but rather a national standard that partly overlaps with ISO/IEC 27001 in terms of information protection; however, the two standards greatly differ in that, while information held by an organisation is generally protected under ISO/IEC 27001, only personal information is protected under JISQ15001.
Are there generally recommended best practices and procedures for responding to breaches?
In the event of an accidental information leak at a company resulting from a cybersecurity incident, although the measures to be taken by the company may vary depending on each case, examples of possible measures generally include the following:
- immediately verify the facts concerned, including the causes of the accident and the information that has been leaked, and announce accurate facts at an early stage, expressing sincere apologies;
- continuously announce facts that may be revealed through subsequent investigations;
- perform investigations not only by a team of internal members but also, where necessary or appropriate, organise a third-party committee consisting of legal specialists (including attorneys and technical specialists, etc) who are in neutral positions to perform investigations and report the results of the investigations performed; and
- develop and adopt measures to prevent recurrence based on the accidental information leak concerned.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
There is no particular legal incentive with regard to the voluntary sharing of information relating to cyberthreats. However, the revised Cyber Security Strategy (adopted by a Cabinet decision on 28 September 2021) stipulates as follows: ‘[T]he government will work to ensure that efforts to strengthen cybersecurity in line with digitalisation are visualised so that investors and other stakeholders who value sustainability will be aware of them, and that incentives are generated for such efforts’; ‘Specifically, cybersecurity initiatives will be positioned in policies to promote digitalisation, including tax measures for digital-related investments and the selection and announcement of forward-looking companies that practice digital management guidelines and work on digitalisation. In addition, the use of tools and guidelines to visualise the status of initiatives to stakeholders in and outside companies will be advanced’; and ‘Through such efforts, … the promotion of practices such as ascertaining cybersecurity risks by executives and the disclosure of corporate information is expected’. The Policies state that the government will share information on best practices and create guidelines while working to continually grasp and evaluate information dissemination and disclosure status. For example, from the perspective of information security, in the event of an accidental information leak at a company, it would be practically advantageous for the company to make an accurate announcement at an early stage and to take the necessary measures to reduce the deterioration of goodwill among its customers. In the Japanese market, there have been cases of huge business losses incurred by companies as a result of deterioration in their corporate image due to improper handling of information leaks. Risk to reputation must, therefore, be considered a significant business risk that should never be ignored.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The Basic Act on Cybersecurity provides the basic philosophy for cybersecurity and basic measures that are required to be taken ‘for facing threats to cybersecurity, through coordination of various entities such as the state, local authorities, critical infrastructure operators, etc’ (article 3). To realise such coordination, the Basic Act on Cybersecurity requires the government or the state to take the following measures, in addition to the measures mentioned in ‘Increased protection’:
- necessary legal, financial or tax measures and other measures to be taken by the government to adhere to the policies concerning cybersecurity under the Basic Act on Cybersecurity (article 10); and
- necessary measures to be taken by the state to reinforce coordination among relevant governmental agencies and ministries, and to enable various entities such as the state, local authorities, critical infrastructure operators, etc, to mutually coordinate and work on cybersecurity-related measures (article 16).
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance products covering cyber risks, such as standard attacks from outside parties and unauthorised access committed internally, and providing coverage for damage arising from personal information leakage or system failure or similar issues, are generally available. However, most of these insurance products have limited the types of incidents for which insurance benefits can be claimed and have also limited the place of insured incidents to Japan.
In December 2012, a Japanese corporation belonging to an insurance company group based in the United States started selling insurance products that provide broader coverage for damage arising from cyberattacks, including accidents occurring outside Japan. Currently, insurance products that cover damages incurred in cybersecurity incidents are being sold by leading Japanese insurance companies.
Law Stated Date
Correct On
Give the date on which the information above is accurate.
30 November 2021