Cybersecurity Self-Assessment of Japanese Regional Banks
The Bank of Japan has published an annex to its "Financial System Report" focusing on the results of a cybersecurity self-assessment (CSSA) for regional financial institutions in Japan during fiscal year 2023.
1. Introduction & Background
- Purpose of the Report: The Bank of Japan (BOJ) and the Financial Services Agency (FSA) jointly conducted a cybersecurity self-assessment (CSSA) for regional financial institutions in Japan to assess their cybersecurity management posture and identify areas for improvement. The report serves as a detailed analysis and provides insights into the overall cybersecurity landscape of these institutions.
- Growing Threat Landscape: The report emphasizes the increasing sophistication and frequency of cyberattacks, particularly ransomware, as a significant challenge for financial institutions. This is driven by the sector's increasing adoption of digital technologies and interactions with cyberspace. "In cyberspace, complicated and skillful ransomware attacks as well as other organized and sophisticated cyberattacks are increasing, and thus the threat of cyberattacks is growing."
- CSSA Methodology: The CSSA involved a self-assessment by regional banks, shinkin banks, and shinkumi banks using a detailed checklist based on domestic and international cybersecurity risk management frameworks. The checklist was updated from the previous year to include more advanced initiatives and address feedback from the institutions. "The CSSA Check Sheet was prepared with reference to domestic and international key cybersecurity risk management frameworks."
- Voluntary Improvement: The CSSA is designed to encourage institutions to voluntarily strengthen their cybersecurity controls based on their self-assessments. The report clarifies that the checklist is not a set of best practices or minimum standards dictated by the BOJ or FSA. "It should be noted that the Check Sheet was designed to encourage regional financial institutions to voluntarily strengthen their cybersecurity controls based on their own self-assessments, and does not represent the views of the BOJ or FSA regarding best practices or minimum standards."
2. Key Findings & Themes
The report presents the results of the CSSA, structured around the following categories.
2.1 Governance
- Executive Involvement: While most institutions have a cybersecurity management policy, a significant minority (around 8%) lack one, and around 15% lack concrete management plans. "While most of the respondents answered that they have set up a management policy to ensure cybersecurity with the involvement of the chief executive, it turned out that around 8% of the respondents have not formulated a management policy." "In addition, around 15% of the respondents have not formulated management plans concerning cybersecurity."
- Reporting to Executives: While cyber incidents within the institution and the progress of controls are widely reported to executives, reporting on cyber incidents at other companies, although improved, is still lower, highlighting the need for a broader awareness of the threat landscape. "While the percentage of those who reported cyber incidents of other companies has improved compared with the results of the previous CSSA, it was smaller than that of the respondents who reported cyber incidents within the organization".
- Risk Assessment: Most institutions conduct regular risk assessments of their systems, and also when introducing new systems, but in a notable portion (around 60%) executives do not directly make decisions on responses based on those risk assessments. "when it comes to decisions concerning responses to risks (mitigating, avoiding, transferring, or accepting risks) and prioritization in response policies based on risk assessments, just over 40% of the respondents answered that executives make decisions."
- Patch Management: There is a significant difference in the urgency of patching between systems connected to the internet, which are prioritized, and systems on closed networks, despite the increasing risk of attacks reaching closed networks. Specifically, nearly 90% apply patches promptly to internet-connected systems, but only a little over 30% do so for systems not connected to the internet. This suggests a critical blind spot in the approach to risk. "Looking at policies for applying a patch when a serious vulnerability is found, nearly 90% of the respondents answered that they apply a patch promptly or within a certain period of time for systems that are connected to the Internet, whereas only over 30% do so for systems that are not connected to the Internet." Additionally, only about 30% of respondents have executives decide whether or not to apply patches for serious vulnerabilities.
- Third-Party Risk: The report identifies third-party risk management as a key challenge. Only about 60% of institutions centrally manage third-party cybersecurity risks, and about 10% do not manage them at all. Additionally, while many utilize cloud services, agreements with providers often lack clarity in crucial areas such as data location and the boundary of control responsibilities. "From the perspective of ensuring consistent management of third parties, cross-organizational actions are preferable. However, looking at the status of management of cybersecurity risks relating to important third parties, only around 60% of the respondents answered that their control department centrally oversees third-party risk management, while 10% or so do not manage third-party risks at all."
2.2 Protection & Detection
- Cybersecurity Human Resources: A major concern is the shortage and difficulty in securing and fostering skilled cybersecurity personnel, with organizations often relying on external personnel to fill the gaps. "Meanwhile, most respondents answered that they are suffering an overall labor shortage, and failing to secure sufficient staff for all functions". Many are focusing on immediate human resources development, such as external training, with less focus on longer-term plans and personnel rotations.
- Zero Trust Security: The report emphasizes the importance of shifting from traditional perimeter security towards a Zero Trust model, which assumes internal breaches are possible. This includes the implementation of multi-factor authentication, behavior-based anti-malware products (EDR), and threat-led penetration testing (TLPT). "It has become important to constantly verify the authenticity of access to the organization's internal environment including those not connected to the Internet in order to protect the organization's information assets (to apply measures based on the so-called zero trust security model)."
- OA Terminal Security: Most institutions implement basic protections for OA (office automation) terminals, such as network separation and restrictions on external storage devices, but should strengthen these in line with the zero trust model.
- Monitoring and Analysis (SOC): While the majority of institutions have an SOC, many do not operate 24/7, and should expand monitoring to include internal systems and insider threats. "If financial institutions intend to further expand service hours in their efforts for digitalization, they are expected to accelerate detection of and responses to cyber incidents through 24/7 operation in accordance with their service hours".
- Log Management: While institutions have log management policies, a smaller proportion have rules to prevent unauthorized alteration of logs, which is important to deter and detect insider crime. "Looking at how logs for material systems are handled, around 70% of the respondents have established rules concerning the specification of logs to be obtained, periodic confirmation of logs, and storage period for logs, while only around 60% have established rules to prohibit unauthorized alteration of logs".
- Penetration Testing: The report encourages institutions to implement penetration testing regularly to validate the effectiveness of their monitoring and analysis frameworks.
2.3 Incident Response & Recovery
- Incident Response Procedures: Most institutions have initial response plans in place, but fewer have detailed criteria for incident prioritization, system restoration, and responses during off-hours. "As for the status of development of procedures for such measures, the results have found that most of the respondents have formulated rules and procedures for an initial response while only 50% to 70% have formulated the criteria for the prioritization in response policies (i.e. triage) and for decision making with regard to the resumption of system operations, and procedures for responses at night and on holidays".
- Contingency Planning: While most institutions have contingency plans for common cyberattacks, fewer have plans that assume attacks on their outsourcees, include outsourcees in exercises, or set recovery time objectives. "less than half have formulated contingency plans with the assumption of cyberattacks made to their outsourcees, conducted training and exercises with the participation of outsourcees, and set a recovery time objective."
- Backup Data Protection: The report highlights the increasing threat of ransomware targeting backups, and institutions should therefore focus on measures that ensure backup data cannot be altered by attackers, such as storing multiple generations of data or storing data offline. "Looking at the status of measures in consideration of the possibility of destruction or falsification of backup data in material systems, the results indicate that the majority of the respondents are taking measures to protect data by such means as storing multiple generations of backup data and storing the data by a method that does not allow direct access from the network."
- Phishing and Illegal Remittance: Financial institutions need to enhance their measures against illegal remittances and phishing attempts. These measures include multi-factor authentication, transaction notifications, taking down phishing sites, and email authentication mechanisms.
3. Key Takeaways & Recommendations
- Need for Continuous Improvement: Regional financial institutions need to consistently strengthen their cybersecurity management posture. This requires a commitment to voluntary action, as outlined by the CSSA process.
- Focus on Human Resources: A significant effort must be made to secure and train cybersecurity staff. This should include longer-term talent development and the possibility of cross-organizational cooperation. "it is important for financial institutions to make efforts to secure personnel within the organization and to bottom-up their abilities from a medium- to long-term perspective"
- Embrace Zero Trust: A shift towards the Zero Trust security model is critical.
- Enhance Third-Party Risk Management: Institutions must improve the way they manage third-party risks, especially when using cloud services. "the importance of appropriate management of third parties has been increasing".
- Comprehensive Monitoring and Analysis: Continuous (24/7) monitoring and analysis is required to detect breaches and internal threats.
- Realistic Contingency Planning: Institutions need to build more realistic and practical contingency plans and test them through exercises.
- Backup Data Protection: Backup data must be protected with the assumption that it is a likely target for attack.
- Utilize the CSSA: The BOJ and FSA expect that regional financial institutions will fully utilize the CSSA results to improve their cybersecurity measures.
- Continued Support: The BOJ and FSA will continue to support institutions through inspections, monitoring, and seminars.
4. Conclusion
The report underscores the necessity for regional financial institutions to continuously improve their cybersecurity defenses due to the growing threat landscape and their increasing adoption of digital technologies. The CSSA results clearly show that while progress is being made, there are significant areas that require further attention. By focusing on the key challenges highlighted in this report, regional institutions can enhance their resilience against cyber threats and protect the integrity of the Japanese financial system. "it is important for Japanese financial institutions, including regional financial institutions, to continue efforts for developing better cybersecurity management posture and securing the effectiveness of their controls based on the zero trust security model."