On April 9, 2024, Japan's Ministry of Economy, Trade and Industry (METI) announced its intention to implement a cybersecurity rating system for companies by fiscal year 2025. Although the proposal is still in the consultation phase, with industry feedback expected to lead to potential refinements, key aspects of the planned system have been outlined:
METI aims to establish a five-level categorization of corporate cyber defense measures, enhancing clarity for business partners regarding the extent of cybersecurity implementations within a company. This stratification is designed to bolster overall industry responsiveness, particularly in combating attacks that exploit supply chain vulnerabilities.
Details of the Proposed Rating Levels:
- Levels 1-2: Fundamental measures including regular software updates, restricted access to sensitive information, and protocols for handling information leaks.
- Levels 3-4: Targeted at key players within the supply chain, these levels require more sophisticated information management systems.
- Level 5: The highest level, necessitating third-party certification of a company’s cyber defense capabilities.
The proposed rating system is expected to motivate companies to strengthen their cyber defenses and enable partners to better evaluate the cybersecurity preparedness of businesses. The desired outcome should be the ripple effect of higher cybersecurity performance expectations propagating from key industry pillars and effecting their ecosystems towards a higher state of cybersecurity maturity. Effectively, lower cybersecurity ratings could deter potential transactions, and directly impact the profitability of businesses. In summary, a lack of a credible cybersecurity strategy would pose a strategic risk for businesses.
This initiative is part of broader governmental efforts to enforce cybersecurity within critical infrastructure and high-risk sectors. It parallels the U.S. Cybersecurity Maturity Model Certification (CMMC), which utilizes a similar five-level grading system influencing defense procurements. Japan's initiative, however, extends its impact to the commercial sector, thereby facilitating more effective due diligence by both government and businesses.
Challenges and Strategic Considerations:
The technological and cybersecurity debt accumulated by Japanese businesses might cause initial resistance to this initiative. To address potential hesitations and accelerate cybersecurity enhancements, the government and businesses might consider several strategies in accordance to their own profile. Their cybersecurity implementation strategy may look something like this:
- Assessment and Planning: Essential first steps to identify current capabilities and outline strategic objectives.
- Policy Development: Establishing governance to guide cybersecurity efforts.
- Implementation: Deploying necessary cybersecurity measures.
- Training and Awareness: Educating staff on cybersecurity practices.
- Monitoring and Response: Continuously observing systems and preparing to respond to security incidents.
- Review and Audit: Regularly evaluating the effectiveness of cybersecurity measures.
- Improvement: Continuously refining cybersecurity practices.
- Third-Party Management: Overseeing the security postures of all associated third parties.
Focusing on the initial steps of assessment, planning, and policy development can set the foundation for robust cybersecurity practices, enhancing resilience across Japan's business landscape so let us focus on how to start.
For most Medium or Large enterprises, they may already have existing programs but may have lacked a structured framework to build and scale from. Businesses may hire third party consultants, but the necessary investments may not be palatable. The alternative may be to develop their cybersecurity maturity in-house. Adopting a cybersecurity framework (such as NIST Cyber Security Framework) is often one of the recommended first steps, and then leveraging the framework to determine the current state and planning towards their desired target profiles matching their needs. NIST CSF has wide ranges of profiles that could help Small and Medium Enterprises (SME) to Industry-Specific Profiles to Cloud Security Profiles. I would recommend a security profile that would suit your business ecosystem as well as allow you to grow as your cybersecurity program matures. Whilst building your profiles, it may also be useful to keep an eye on recent requirements by the US Securities and Exchange Commissions if your company is listed in the US stock exchanges. Give this a read, for some insights from my colleagues.
Additional considerations should be taken in the context of business stakeholders. A government led rating could be sufficiently intuitive and seen as a necessary hurdle to further business engagements. Such a perspective may erode the good value cybersecurity (and their teams) may be bringing in, such as a means to demonstrate returns on investments, risk reduction and demonstrate good corporate governance. All of which are positive, quantified and tangible business returns that can be easily overlooked, resulting in a pursuit of minimum spend since cybersecurity is a cost center. Benchmarking cybersecurity risk performance against competitors and industry peers in an independently correlated risk metric in a visual manner involves decision makers and stakeholders for better engagement and crossing the proverbial chasm.