Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

See question 6.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

To date, there are no rules directly and expressly prescribing such obligations under any laws or regulations.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

See question 24.


What is the timeline for reporting to the authorities?

To date, there is no law or regulation directly and expressly prescribing the obligation of a private business operator to make regular reports concerning cybersecurity. Reporting obligations in the event of a leakage of information are discussed in question 24.


Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

In terms of information security, some of the guidelines established in accordance with the Personal Information Protection Act set forth matters relating to public announcements or notices to be provided in the event of any leakage of information. For example, the Guidelines Concerning Measures to be Taken Upon Personal Data Leakage Incidents, Etc, prepared by the PPC, prescribe that: ‘It is desirable for a business operator handling personal information to take necessary measures concerning (1) through (6) below’, and, with regard to (6) (‘Publication of facts involved and recurrence prevention measures’), ‘Facts involved and recurrence prevention measures should be promptly publicised based on the details of such leakage incident, etc., so as to prevent any secondary damage or the occurrence of similar incidents.’

Furthermore, it is provided in the Guidelines for Personal Information Protection in the Financial Field that, in the event of an accidental leak or the like of personal information, an entity handling personal information in the financial field must ‘promptly publicise the facts involved in such incident and the recurrence prevention measures, so as to prevent secondary damage or the occurrence of similar incidents’ (article 17, paragraph 2); and must ‘notify the facts of such incident promptly to the person whose personal information has been leaked’ (article 17, paragraph 3).