Aggregated results of cybersecurity self-assessment at regional financial institutions

Norbert Gehrke, Tokyo FinTech
Apr 25, 2024

For Japan’s financial institutions, developing cybersecurity management systems and ensuring their effectiveness is important in light of the increasing threat of cyber attacks, as the institutions work to improve customer services and streamline operations using digital technology.

Continuing from fiscal 2022, the Bank of Japan and the Financial Services Agency conducted a cybersecurity self-assessment targeting regional financial institutions (99 regional banks, 254 credit unions, and 145 credit cooperatives).

The results of this survey show that many regional financial institutions view ensuring cybersecurity as an important management issue and are steadily making efforts to improve the effectiveness of cybersecurity measures by introducing both technological and organizational measures. However, it was confirmed that there are still issues with securing and training cybersecurity personnel and managing third-party risks.

The Bank of Japan and the Financial Services Agency hope that regional financial institutions will make use of the cybersecurity self-assessment as they move forward with efforts to further strengthen their cybersecurity management systems, and the two authorities will continue to conduct on-site examinations, inspections, and monitoring. They plan to support such efforts through various seminars and similar initiatives.

The full text as well as an overview are available on the Bank of Japan website in Japanese. The following is a summary of our English translation of the main document.

This report, published by the Bank of Japan and the Financial Services Agency, delves into the results of a cybersecurity self-assessment (CSSA) conducted among regional financial institutions in Japan during FY2023. The assessment aimed to evaluate the cybersecurity posture of these institutions and identify areas requiring improvement. This summary will provide a comprehensive overview of the report, covering the key findings and recommendations.

I. Introduction

The report begins by highlighting the increasing significance of cybersecurity in the financial sector. With the rapid adoption of digital technologies and the rise of sophisticated cyber threats, financial institutions face an evolving landscape of risks. This necessitates a robust cybersecurity management system to ensure the stability and resilience of the financial system.

The CSSA was designed to encourage regional financial institutions to proactively strengthen their cybersecurity measures. The assessment focused on five key areas:

  1. Management Involvement: Examining the role of top management in establishing and promoting a culture of cybersecurity within the organization.
  2. Risk Identification and Understanding: Assessing the institutions’ ability to identify, analyze, and prioritize cybersecurity risks.
  3. Risk Countermeasures: Evaluating the implementation and effectiveness of various technical and organizational measures to mitigate cybersecurity risks.
  4. Emergency Preparedness: Assessing the institutions’ readiness to respond to and recover from cyber incidents.
  5. Securing and Developing Cybersecurity Human Resources: Evaluating the institutions’ efforts in securing and developing skilled personnel to manage cybersecurity effectively.

II. Overview of CSSA Aggregation Results

Management Involvement

  • Management Policy and Plan: While most institutions have formulated a cybersecurity management policy with top management involvement, a significant portion still lacks a concrete multi-year management plan.
  • Risk Management and Reporting: Regular risk assessments are conducted, but reporting on cybersecurity threats and incidents to management needs improvement.
  • Decision-Making: Involvement of executives in decisions regarding risk response policies and patch application for serious vulnerabilities is crucial but not yet widespread.

Risk Countermeasures

  • Zero Trust Concept: The report emphasizes the importance of adopting a “Zero Trust” approach, which assumes potential breaches and continuously verifies access, to enhance cybersecurity posture.
  • OA (Office Automation) Terminal Measures: Measures like network separation, restriction of external storage media, and anti-malware products are widely implemented on staff workstations, but continuous monitoring is essential for timely incident detection and response.
  • Monitoring and Analysis: While most institutions monitor for malware and external communication, focusing on internal threats and suspicious behavior detection is crucial.
  • Log Management: Rules and procedures for log management need strengthening, with a focus on identifying essential logs, ensuring their accuracy, and preventing unauthorized modifications.
  • Penetration Testing: Penetration testing and threat-led penetration testing (TLPT) are vital for evaluating the effectiveness of detection and monitoring systems, but their implementation requires further improvement.

Emergency Preparedness

  • Measures Against Fraudulent Remittances and Phishing Attacks: Implementing multi-factor authentication, security services, user alerts, and phishing support are crucial to counter rising phishing threats.
  • Incident Response Procedures: Most institutions have initial response procedures, but comprehensive plans covering triage, system restart criteria, and nighttime/holiday response need development.
  • Contingency Plans: While most institutions have contingency plans for various cyberattacks, involving outsourced companies and setting realistic recovery objectives are essential.
  • Protecting Backup Data: Multi-generational storage and offline storage are prevalent, but further measures to prevent backup data destruction or tampering, especially from ransomware attacks, are needed.

Countermeasures Against Attacks that Exploit Vulnerabilities

This section highlights the importance of proactive vulnerability management. Key points include:

  • Information Collection: Gathering information from diverse sources like industry associations, government agencies, and threat intelligence services is crucial.
  • System Asset Management: Maintaining accurate and updated records of system assets and configurations is essential for effective vulnerability management.
  • Patch Application: Prompt application of security patches to all systems, including those not connected to the internet, is critical to mitigate vulnerabilities.

Trends in Ransomware Attacks

This section discusses the evolving threat of ransomware attacks and emphasizes the need for robust backup protection measures:

  • Double Threat: Ransomware attacks now often involve both data encryption and data theft, making it crucial to protect backup data.
  • Backup Encryption: Attackers increasingly target backup data, making offline and immutable storage solutions essential.

III. Conclusion

The report concludes by emphasizing the need for continuous improvement in cybersecurity management within regional financial institutions. Key recommendations include:

  • Embrace a Zero Trust Approach: Implement stricter access controls and continuous verification to minimize the impact of potential breaches.
  • Strengthen Risk Management: Enhance risk assessment processes, improve reporting to management, and involve executives in key decisions.
  • Invest in Cybersecurity Human Resources: Develop long-term plans for recruitment, training, and development of skilled personnel.
  • Enhance Third-Party Risk Management: Establish clear contracts with third-party service providers, particularly cloud providers, and ensure proper risk assessments and monitoring.
  • Improve Emergency Preparedness: Develop comprehensive incident response procedures and contingency plans, including participation of outsourced companies and setting recovery time objectives.
  • Protect Backup Data: Implement multi-generational storage, offline storage, and immutable storage solutions to mitigate ransomware risks.

The report acknowledges the ongoing efforts of regional financial institutions to strengthen their cybersecurity posture and encourages them to utilize the CSSA results to identify areas for improvement and implement effective measures. The Bank of Japan and the Financial Services Agency remain committed to supporting these efforts through various initiatives and resources.
