# Japanese Government Updates Cybersecurity Guidelines: Increased Focus on Cybersecurity Investments and SMBs

By [Danielle Kriz](https://www.paloaltonetworks.com/blog/author/danielle-kriz/?ts=markdown "Posts by Danielle Kriz") and [Mihoko Matsubara](https://www.paloaltonetworks.com/blog/author/mihoko-matsubara/?ts=markdown "Posts by Mihoko Matsubara")

Dec 22, 2016

In December 2016, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released [*Cybersecurity Guidelines for Business Leadership ver. 1.1*](http://www.meti.go.jp/policy/netsecurity/downloadfiles/CSM_Guideline_v1.1.pdf) (this is a Japanese link), an update of [ver. 1.0 published in December 2015](http://www.meti.go.jp/press/2015/12/20151228002/20151228002-2.pdf) (this is a Japanese link; English press release is [here](http://www.meti.go.jp/english/press/2015/1228_03.html)). As [our May 2016 blog post](https://www.paloaltonetworks.com/blog/2016/05/japans-cybersecurity-guidelines-for-business-leadership-changing-the-japanese-business-mindset-and-potentially-raising-the-global-bar/#more-13765) pointed out, METI's *Guidelines* are aimed squarely at business executives.

The December 2016 update builds upon the original document's three principles and 10 action items, with two notable changes. First, the update includes a higher expectation that business executives take a leadership role in cybersecurity. Second, the revised *Guidelines* include a *Guidebook* written by IPA.

The biggest difference between the original and new versions is the revision of the first principle. The 2015 *Guidelines* urged business executives to take the lead in determining how much cyber risk to accept and what cybersecurity investments to make, despite the near impossibility of calculating return on investment (ROI) in cybersecurity.
The new document still encourages business executives to take the lead on cybersecurity investments but gives an urgent reason: cyberattacks are unavoidable in today's business environment. The new document emphasizes that business executives' responsibility to invest in cybersecurity is an indispensable part of their business strategies, given that cyberattacks threaten to negate the opportunities companies have in using or providing IT services to increase their business presence and productivity.

This strong justification reflects the Japanese government's frustration with what it views as a cybersecurity mindset gap between Japanese business leadership and its American and European counterparts. The revised *Guidelines* cite [KPMG's Cybersecurity Surveys from 2013](https://assets.kpmg.com/content/dam/kmpg/pdf/2016/06/jp-cyber-security-survey-2013.pdf) and [2016](https://home.kpmg.com/jp/ja/home/insights/2016/06/cyber-security-survey-2016.html), which show that, while the ratio of Japanese companies that believe responses to cyberattacks should be discussed at the board level grew from 52 percent in 2013 to 68 percent in 2015, the figure is still much lower than the overseas rate of 88 percent.

A [May 2016 report by IPA](https://www.ipa.go.jp/files/000052362.pdf) that added to the Japanese government's sense of urgency found that 28.9 percent of Japanese companies reported their business executives were not sensitive to cyber risks, and 26.2 percent said their business executives did not understand the importance of IT and security. The figures were 16.4 percent and 17.7 percent, respectively, in the United States, and 20.6 percent and 18.0 percent in Europe.

The second major change in the 2016 *Guidelines* is the inclusion of a new, 128-page supplementary [*Guidebook for the Cybersecurity Guidelines ver. 1.0*](http://www.ipa.go.jp/files/000056148.pdf) published by IPA.
IPA's *Guidebook* explains specific actions to be taken by business leaders, chief information security officers (CISOs), and cybersecurity engineers, noting that the original 36-page *Guidelines* do not provide examples in detail. IPA also explains in further detail the three principles and ten action items from the 2015 *Guidelines*, and includes [an Excel appendix](https://www.ipa.go.jp/security/economics/csmgl-kaisetsusho.html) tracking cyber incidents in Japan and overseas between 2011 and 2016.

Some examples in the appendix are incidents in which Japanese subsidiaries (often SMBs) were hacked. [Japan has seen an increasing number of cyberattacks against SMBs](http://news.mynavi.jp/series/network_security/001/). 2016 saw a few major breaches against subsidiaries of major companies. This addition of SMB examples by IPA may be to bolster the original *Guidelines*' second principle, which encourages business executives to promote cybersecurity measures in affiliated companies and business partners, as well as their own companies, to mitigate potential information breaches.

Although the original *Guidelines* exclude small-sized companies as targeted audiences, [99.7 percent of companies are small and medium-sized businesses (SMBs) in Japan, employing 69.7 percent of Japanese workers](http://www.smrj.go.jp/recruit/environment.html) (Japan generally [defines](http://www.chusho.meti.go.jp/faq/faq/faq01_teigi.htm) SMBs as businesses with fewer than 300 employees). Thus, better cybersecurity and corporate governance are musts for overall strong cybersecurity in Japan.

That is why the IPA *Guidebook* (pp. 55–56) included a powerful statement that parent companies are responsible for their business operations and, thus, are primarily responsible if an affiliate or subsidiary company's lack of adequate cybersecurity measures results in security incidents, such as the leak of important information or negative impact on business continuity.
The *Guidebook* further states (p. 57) that cybersecurity responsibilities and costs in the supply chain should be at least partially borne by the upstream company. Upstream companies should neither expect their supply chains to take cybersecurity measures on their own nor shift the responsibility to them.

METI's issuance within one year of substantive additions to the 2015 *Cybersecurity Guidelines for Business Leadership* is a testament to how much the government is concerned about businesses' cybersecurity, especially among SMBs, and eager for behavioral change in Japan. Although government guidelines in general are not legally binding in Japan, the revisions show growing pressure from the government on companies to help SMBs and to be aware of cybersecurity and business risks associated with their subsidiaries and contract companies.

The revised *Guidelines'* emphasis on the role of business executives is particularly welcome. As we described in [our September 2016 blog post](https://www.paloaltonetworks.com/blog/2016/09/cso-the-safe-zone-and-other-challenges-to-japans-cybersecurity-governance-efforts/), Japanese companies traditionally have not had the concept of "C-level" executives. [Japan's 2015 National Cybersecurity Strategy](http://www.nisc.go.jp/eng/pdf/cs-strategy-en.pdf) emphasized the importance of business executive leadership in investing more in cybersecurity as part of their business strategy. METI's 2015 *Guidelines* and 2016 revision reflect that philosophy.

The Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC) plans to issue the [Cybersecurity Strategy for Research and Development in June 2017](http://www.nisc.go.jp/conference/cs/kenkyu/dai05/pdf/05shiryou04.pdf) and update its [Plan for the Development of Cybersecurity Human Resources in 2017](http://www.nisc.go.jp/conference/cs/jinzai/dai04/pdf/04gijishidai.pdf).
Since 2017 is only three years away from the Tokyo 2020 Olympic Games, business resiliency and cybersecurity awareness are urgent tasks for the Japanese. The policy developments late this year, and those expected in 2017, will continue to urge companies to take more actions for better cybersecurity.

[![miho\_danielle](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/12/Miho_Danielle.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/12/Miho_Danielle.png)

*This is the sixth in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz, aimed at introducing Japan's cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover Japan's role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the 2020 Summer Olympic Games in Tokyo, and other topics.*