Cybersecurity measures have evolved from being handled independently by individual financial institutions to the construction of unified security foundations at the group level. Currently, these measures are progressing toward enhancing security at external connection points physically connected to financial institutions. The Financial Services Agency (FSA) has already requested financial institutions to manage cybersecurity measures at external connections as part of "outsourcing management" or "third-party risk management." This is also emphasized in the Cybersecurity Self-Assessment (CSSA) that began in FY2022. Additionally, the government, considering recent international developments, has mandated economic security measures at a national level starting from FY2024.

The government identifies threats to "specific social infrastructure projects" as a key issue in economic security. These projects include essential infrastructure provided by service operators, such as core systems and payment infrastructure in the financial sector. Financial institutions, which are considered infrastructure operators, assemble core systems by purchasing equipment and software from external sources. These institutions also rely on external companies and contractors for infrastructure maintenance. Currently, these scenarios face threats like cyber-attacks and sabotage, leading to data breaches or system destruction.

Risks include the potential embedding of unauthorized devices or chips into ICT equipment and software during procurement, maintenance, or outsourcing processes, which could lead to significant information leaks. Our firm evaluates the current state of IT systems surrounding financial institutions, adhering to Cabinet Office regulations, to build robust security measures for critical financial infrastructure. We also support financial institutions not directly covered by these regulations but affected indirectly, helping to ensure the integrity of Japan's financial functions.

We begin by evaluating the current environment surrounding the procurement, development, and operation of critical systems to identify processes that generate vulnerabilities. We then determine the risks that need to be addressed and develop solutions based on the Risk-Based Approach (RBA) that can be communicated both internally and externally. Our approach ensures compliance with supervisory guidelines, the former Financial Inspection Manual, and various guidelines issued by financial authorities to eliminate errors and misunderstandings.

We define monitoring standards, evaluation processes, and criteria for external contractors and key partner companies, forming the foundation of economic security. For financial institutions not directly covered by current laws but affected due to their investments or loans to infrastructure operators, we provide comprehensive models for evaluating loan recipients. This includes drafting financial covenants related to monetary loan contracts, contributing to effective risk management for financial institutions.

• Realization of process-level risk assessments and development of alternative solutions required for economic security measures
• Detailed reporting on the safety evaluation of critical systems, useful for external explanations
• Ability to evaluate and organize the legal regulations imposed on 14 infrastructure operators required for economic security measures and assess their impact

Fintech Journal