Japan promotes new strategy to encourage large companies to share supply chain cybersecurity costs.

Against the backdrop of major cyber attacks targeting Japanese companies, the Japanese government is preparing to introduce a new system that will require large enterprises to share cybersecurity costs with their suppliers during the procurement process, in order to strengthen the overall defense capabilities of the industry chain.

This initiative is jointly promoted by the Ministry of Economy, Trade and Industry (METI) and the Japan Fair Trade Commission (JFTC), with plans to establish unified cybersecurity standards by March 2027.

The Japanese government believes that small and medium-sized enterprises, due to lack of funds and technology, often become the gateway for hackers to infiltrate large corporations. In 2022, Toyota was impacted by a cyber intrusion through its supplier Kojima Industries, leading to the temporary shutdown of multiple factories in Japan, causing disruptions across the national industry chain.

Cyber attacks have continued to occur recently. Beverage giant Asahi Group Holdings fell victim to ransomware attacks that paralyzed its ordering system for two months; office supplies retailer Askul was hit by a cyber attack that resulted in the leakage of personal information of approximately 740,000 customers and employees.

Facing escalating risks, several major Japanese companies have strengthened their cybersecurity requirements for suppliers. For instance, semiconductor manufacturer Kioxia has conducted cybersecurity reviews of around 3,000 partner companies, stating that contracts with high-risk partners will be reevaluated; NEC has required suppliers to enhance protection measures based on the standards of the National Institute of Standards and Technology (NIST).

However, small and medium-sized enterprises have expressed concerns about the high costs associated with cybersecurity investments, including data protection, system updates, and manpower, which are often beyond their financial capabilities.

Therefore, METI and JFTC will require leading purchasing companies to bear a portion of the cybersecurity costs for suppliers, including indirect expenses such as manpower, management, and system upgrades.

The government also pointed out that even if companies do not directly demand that suppliers enhance cybersecurity measures, they should be willing to accept price increases resulting from cybersecurity investments. If the purchasing party is unwilling to negotiate, suppliers can seek assistance from the JFTC.

To enhance transparency in procurement requirements, the Japanese government introduced a five-level cybersecurity protection standard in April this year to help large enterprises clearly specify their cybersecurity demands to suppliers. For example, Level 3 represents the minimum security standard that all supply chain companies must meet, while Level 5, the highest level, follows international standards, adopts risk-oriented management, and implements best practices.

Suppliers can apply for cybersecurity level certification from the Information-technology Promotion Agency, Japan (IPA), with certificate validity ranging from one to three years. IPA will also publicly disclose the list of certified companies, aiding purchasers in identifying compliant suppliers.

The government aims to finalize the standard details by the end of March 2026, and expects full implementation to begin no earlier than the end of March 2027. Starting from the 2027 fiscal year, the government will also provide expert technical support for small and medium-sized enterprises to obtain certification.

The Japanese government emphasized that, as cyber attack tactics continue to evolve, it is challenging for individual companies to mitigate risks effectively. By raising the overall cybersecurity maturity of the supply chain and promoting reasonable cost sharing in transaction relationships, systemic risks can be effectively reduced.

(This article referenced reports from “Nikkei Asia”)