The pandemic has impacted financial services globally, but the impact has varied by country and region depending on previous trends and underlying conditions. We spoke with the Chairperson Director of Japan’s F-ISAC, our sister organization dedicated to Japanese financial institutions, about how the pandemic is changing mindsets and longstanding practices in a very short time.

Q: What have been the key learnings of the Japanese financial system as a result of COVID-19? What have been the major cybersecurity issues that have emerged and how have they been dealt with?

A: Before COVID-19, the concept of operational resilience was not widely understood in Japan. The current situation, in which we have to grasp the changing situation from moment to moment, decide what is necessary or unnecessary, and continue to introduce new measures to adapt our operations to these circumstances, is the very definition of operational resilience.

With the rapid increase of remote working, the industry's understanding has moved forward in the context of developing operational resilience. Also, with these emergency changes/responses, cybersecurity is increasingly incorporated in the decision-making process.  Of course, there are cases where the speed of development and deployment are prioritized, but this experience has helped build a common consensus between the development side and the security side and understanding of cybersecurity within Japanese financial firms will move forward.

Q: What is the connection between Japanese culture and cybersecurity?

A: Japan has historically been more challenging for cyber criminals to penetrate for several reasons. The language barrier and Japanese operating systems required more effort for cyber criminals to attack, and often were not worth the effort when compared to hacking English-based operating systems. Additionally, the Japanese have a national trait of following rules, which helps prevent security holes and gaps. However, resistance to change and not wanting to take new risks are also traits in Japan, and when we need to make drastic changes, these aspects sometimes don't work in our favor.  In that sense, when Japan's financial sector was at a turning point in the context of cybersecurity six years ago, I think the fact that Financials ISAC Japan was established as an unprecedented sharing, cooperation, and collaboration community was of great significance because we seldom shared our secrets with our competitors until then.  This could not have been done without FS-ISAC's cooperation, and we would like to express our gratitude for that once again.

Q: Do you think the pandemic will change the primacy of cash in Japan? What are the implications for FIs?

A: There are many reasons for the persistence of cash in Japan, including that credit card fees for retailers are high compared to other countries. With the 2020 (now 2021) Olympics in mind, the introduction of new payment methods such as QR codes and IC chip-based payment methods has progressed not only at retail stores but also in various places such as taxis, trains and museums. In addition, the percentage of online shopping is increasing due to the COVID, so I think cashless shopping is accelerating now. I personally have used very little cash in the last few months.

Q: Do you believe that the pandemic will accelerate the adoption of digital banking in Japan? What are the cybersecurity implications of rapid digital banking adoption for Japanese FIs?

A: Japan’s long-term low interest rate policy already has the financial firms weak. On top of that, the recession triggered by COVID-19 will probably accelerate restructuring and streamlining by digitization. This crisis is bringing about three big changes in Japanese financial institutions. Working from home (WFH) will bring about a change in the workforce, we will see digitization of services and operations that had been considered to be possible only with human support, and finally, there will be changes in IT development processes.

These changes in IT development are particularly important. In Japan, outsourcing software development came into fashion about 20 years ago. Internal development was considered obsolete and inefficient. However, wide scale WFH makes it much more difficult to rely on third parties. I think that this difficult period will serve as a springboard for us to return to the original practice of Japanese financials where we can flexibly create an optimal system that suits us by writing code ourselves.

Q: Japan's financial services system is well-established, in many cases older than the rest of APAC. What are the advantages and disadvantages of that, and how are Japanese FIs embracing innovation (or not)?

A: When I was a programmer at a bank about 30 years ago, the demand was for high level technical capabilities to process large amounts of data flawlessly.  I think development in those times was much more fun and creative.  When firms started to outsource to cut costs and the banks stopped developing on their own, the focus shifted to internal control and left no space nor energy for creative development (this might be a negative side effect of the diligence of the Japanese people). In addition, many banks have a policy of shifting their staff around to different departments every two to three years to prevent corruption and improper ties developing between bank staff and government and vendors. The disadvantage is that people often remain generalists who do not have time to develop specialized expertise. However, we are seeing some recognition that cybersecurity does require a depth of experience, so this may be changing.

For true innovation, the quickest way may be to shift investment from external third parties towards internal resources who understand the firm well to learn new technology and create an environment where that creativity can be utilized.  Investing in fintech and gaining that information and knowledge and pulling together an enhanced internal environment and capability is the start of Japan's innovation. 

The Insight

In Japan, the pandemic has brought a fast introduction to the concept of operational resilience, as well as a willingness for more collaboration between development and cybersecurity. While Japan has historically been more challenging for international cyber criminals to penetrate because of language barriers and conservative cultural traits, the industry has been slow to leap into digitization. With remote working becoming a lasting part of life, Japanese firms may begin to move more development capabilities in-house again after decades of outsourcing, which will in turn unlock more opportunities for innovation in financial services.

September 2020

© 2020 FS-ISAC, Inc. All rights reserved.

Ransomware-Sidebar
Ransomware_Graphic_1200x627px (1)

With its attractive business model and multiple revenue streams, ransomware is a growing threat to financial services and their third party suppliers. While there are many steps you can take to prevent attacks, threat actors are evolving their tactics all the time. If attacked, will you pay the ransom?

View Report

FS-ISAC members around the world receive trusted and timely expert information that increases sector-wide knowledge of cybersecurity threats.

Learn More