Cybersecurity 2025

JAPAN Trends and Developments Contributed by: Yasushi Kudo, Yukiko Konno and Takayuki Inukai, Nagashima Ohno & Tsunematsu

equacy of their establishment and operation of a cybersecurity system. In the Case, a shareholder derivative suit was filed against the officers (more precisely, the officers of the Company group’s holding company) to hold them liable. In its judgment, the court held that it was necessary to establish an internal control system based on the nature and scale of the business, management conditions, and other related circumstances (Hiroshima High Court, Okayama Branch, 18 October 2019 (2018 (Ne) No 201)). Therefore, in the case of a large corporation, it is necessary to establish an appropriate internal control system from the perspective of cybersecurity, taking into account the trends in practice. In the Case, the responsibility of the officers of the holding company was in question, not the Company itself, since it was the holding company that had established the relevant internal control system. In conclusion, the court dismissed the claim against the officers of the holding company.

Additionally, in a case where the issue was whether or not there were deficiencies in the risk management system of a listed company due to the false statements made in the securities report required under the Financial Instruments and Exchange Act, as a result of fictitious sales being recorded by employees, the Japanese Supreme Court made its judgment based on (i) whether the company had a management system sufficient to prevent the type of misconduct that could normally be expected, and (ii) whether there were special circumstances that should have led the company to anticipate the misconduct that occurred (Supreme Court, 9 July 2009 (2008 (Ju) No 1602)). If the responsibility of company officers for the inadequacy of risk management systems for cyber-attacks is contested in court, this Supreme Court judgment may be cited as a precedent. In such cases, security incidents and tactics employed by attackers, as introduced in public alerts by relevant authorities like the PPC, such as the PPC’s quarterly report and in publicised cases by other companies, would be taken into account. As a result, it should be noted that the court may assess whether a degree of control was exercised that could have prevented security incidents that occurred, assuming that the incidents were caused by normal, expected cyber-attacks.

Necessity of ensuring adequate security levels

As discussed above, the legal risks associated with cybersecurity are increasing, and so is the need to ensure an adequate level of cybersecurity. For example, the following are beneficial in ensuring adequate standards.

• Considering, from the viewpoint of system maintenance, the necessary cybersecurity measures from the perspective of maintenance of internal controls, with reference to the technical management described in the “Guidelines for Internal Fraud Prevention in Organizations” of the Information-technology Promotion Agency, Japan (IPA) and the evaluation items set forth in “Evaluation of the effectiveness of maintenance and operation status of internal controls using IT” listed in the “Standards for evaluation and audit of internal controls over financial reports” of the Financial Services Agency.
• Conducting cyber due diligence, including penetration tests (actual simulated attacks) and systemic checks, with a view to reducing risks before they occur.
• Participating in the Cyber Security Council (a council legally established under Article 17 of
