Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

As stated in question 2, under the Basic Cybersecurity Act, the obligations for critical infrastructure operators, cyber-related business operators, university and other educational and research institutions may be prescribed in a more concrete manner by the promulgation of specific laws and regulations in the future. These may also include guidelines for strengthening cybersecurity. For example, on 27 July 2018, the Cabinet adopted a revised Cybersecurity Strategy. Furthermore, the Cyber Security Strategy Headquarters published the 4th Edition of the Basic Policy on Critical Information Infrastructure Protection, as mentioned in question 2, on 18 April 2017 (partly revised on 25 July 2018), whereby the following five measures have been promoted:

  • developing security standards and raising awareness: to continuously improve guidelines for cross-sectoral measures and sector-to-sector security standards in protecting critical information infrastructure;
  • strengthening information-sharing arrangements: to strengthen information-sharing arrangements between public and private sectors and across different sectors, principally by way of various forms of communication and the specification of shared information;
  • strengthening failure response frameworks: to generally strengthen the frameworks for responding to service failures in critical infrastructure through drills, to be performed by way of public-private collaboration and coordination of various drills and training;
  • managing and addressing risks: to promote comprehensive risk management, including improvement of risk response capabilities, through assessment of risks and development of contingency plans; and
  • strengthening the protection base: to revise the scope for critical infrastructure protection, promoting public relations or public consultation activities and international collaboration, make necessary approaches to corporate senior management, and promote human resource development, etc.

The guidelines mentioned in question 4, which have been provided from the perspective of information security, would also recommend additional protections.

How does the government incentivise organisations to improve their cybersecurity?

To ensure that critical infrastructure operators adhere to measures to strengthen cybersecurity, the Basic Cybersecurity Act requires the state to take necessary measures such as developing basic standards to be followed, providing drills, training and promoting information sharing and other voluntary efforts (article 14). In addition, the state is required to promote awareness regarding the significance of cybersecurity, hold consultations concerning cybersecurity, provide necessary information and advice and take other necessary measures (article 15). See also questions 13 and 18.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

With regard to information security, international standards ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27017 are principally used in the development of relevant guidelines.

To use the ISO standards for the applicable certification system in Japan, however, the contents of such ISO standards must be established anew as Japanese Industrial Standards (JISs). JISs refer to national standards that are established in accordance with the Industrial Standardisation Act. These are specially enacted for the purpose of furthering industrial standardisation in Japan.

For example, as of November 2018, JIS Q 27000:2014, JIS Q 27001:2014, JIS Q 27002:2014, JIS Q 27006:2018 and JIS Q 27017:2016 have been established or revised as national standards based on ISO/IEC27000 (issued in 2012), ISO/IEC27001 (issued in 2013), ISO/IEC27002 (issued in 2013) and ISO/IEC27006 (issued in 2015), respectively. In 2017, JISQ15001, being a standard used for privacy mark certification, was revised. This JISQ15001 is not an international standard but rather a national standard that partly overlaps with ISO/IEC 27001 in terms of information protection; however, the two standards greatly differ in that, while information held by an organisation is generally protected under ISO/IEC 27001, only personal information is protected under JISQ15001.

Are there generally recommended best practices and procedures for responding to breaches?

In the event of an accidental information leak at a company resulting from a cybersecurity incident, although the measures to be taken by such company may vary depending on each case, examples of possible measures generally include the following:

  • immediately verify related facts concerned, including causes of the accident and the information that has been leaked, and announce accurate facts at an early stage and express sincere apologies;
  • continuously announce facts that may be revealed through subsequent investigations;
  • perform investigations not only by a team of internal members, but also, where necessary or appropriate, organise a third-party committee consisting of legal specialists including attorneys and technical specialists, etc, who are in neutral positions and cause investigations to be performed by such committee, and also report the results of the investigations performed; and
  • develop and adopt measures to prevent the recurrence based on the accidental information leak concerned.
Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

With regard to the voluntary sharing of information relating to cyberthreats, there is no legal or political incentive in particular. From the perspective of information security, however, in the event of an accidental information leak at a company, it would be practically advantageous for such company to make an accurate announcement at an early stage and to humbly take necessary measures to reduce the deterioration of goodwill among its customers. In the Japanese market, there have been cases of huge business losses incurred by companies as a result of deterioration in their corporate image owing to improper handling of information leaks. Risk to reputation must, therefore, be considered a significant business risk that should never be ignored.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The Basic Cybersecurity Act provides the basic philosophy for cybersecurity and basic measures that are required to be taken ‘for facing threats to cybersecurity, through coordination of various entities such as the state, local authorities, critical infrastructure operators, etc’ (article 3). To realise such coordination, the Basic Cybersecurity Act requires the government or the state to take the following measures, in addition to the measures mentioned in question 14:

  • necessary legal, financial or tax measures and other measures to be taken by the government to adhere to the policies concerning cybersecurity under the Basic Cybersecurity Act (article 10); and
  • necessary measures to be taken by the state to reinforce coordination among relevant governmental agencies and ministries, and to enable various entities such as the state, local authorities, critical infrastructure operators, etc, to mutually coordinate and work on cybersecurity-related measures (article 16).

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance products covering ‘cyber risks’, such as standard attacks from outside parties and unauthorised access committed internally, providing coverage for damage arising from personal information leakage or system failure or such similar issues, are generally available. However, most of these insurance products have limited the types of incidents for which insurance benefits can be claimed, and have also limited the place of insured incidents to Japan.

In December 2012, a Japanese corporation belonging to an insurance company group based in the United States started selling insurance products that provide broader coverage for damage arising from cyberattacks, including accidents occurring outside Japan. Currently, insurance products that cover damage incurred in cybersecurity incidents are being sold by leading Japanese insurance companies.