1. Home
  2. News Releases
  3. Back Issues
  4. November FY2023
  5. Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks under the Study Group for Industrial Cybersecurity Compiles Final Report

Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks under the Study Group for Industrial Cybersecurity Compiles Final Report

November 22, 2023

As cyberattacks become more and more sophisticated, an effective effort from the perspective of ascertaining the full picture of cyberattacks and preventing the spread of damages involved is for companies to promptly share information on such damages through expert organizations that directly support victim organizations. From this perspective, in May 2023, the Ministry of Economy, Trade and Industry (METI) launched the Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks (hereinafter referred to as the “study group”) and since then the study group has held discussions and compiled a final report and other documents.

The final report provides streamlined approaches to technical information on cyberattacks, which is information subject to prompt sharing without gaining prior consent from companies that fall victim to such attacks, and it also recommends expert organizations to smoothly share such information in accordance with the said approaches.

In addition, the study group offered a draft guide for expert organizations and draft model contractual articles between user organizations and expert organizations, which are supplementary documents to the final report. From Wednesday, November 22, to Friday, December 22, 2023, METI will open a call for public comments on these supplementary documents.

1. Background and purposes

As cyberattacks become more and more sophisticated, it is becoming increasingly difficult for a single organization to unravel the full picture of such an attack. Amid this situation, information sharing on cyberattacks is extremely important from the perspective of ascertaining their full picture and preventing the spread of damages caused by the attacks. To this end, in March 2023, METI, in collaboration with other ministries and agencies, formulated and published the Guidance on Information Sharing and Publication Involving Damages Caused by Cyberattacks, which serves as a practical reference to help victim organizations of cyberattacks to share information on damages incurred due to such attacks with cybersecurity-related organizations.

Leaving the coordination of such information sharing up to the victim organizations themselves may impose a burden on them that outweighs the benefits. To overcome this challenge, the promotion of prompt information sharing through expert organizations that directly support victim organizations is critical. This promotion of information sharing through expert organizations needs to address two challenges: [i] restrictions on information sharing because of non-disclosure agreement (NDA), and [ii] the risk of a victim organization being identified or ascertained from non-confidential information.

To address these challenges, METI launched the Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks. Since then, the study group has held a series of meetings to discuss issues to promote information sharing through expert organizations that contributes to the prevention of extensive damages, rather than information sharing by victim organizations themselves, and compiled a final report and other documents.

2. Highlights of the report

In light of the importance of information sharing and the current challenges, the report provides streamlined approaches to technical information on cyberattacks that can be promptly shared without gaining prior consent from the respective victim companies of such attacks, and it also recommends expert organizations to smoothly share such information in accordance with the approaches.

In addition, from the perspective of providing supplementary documents to the report, the study group compiled the Draft Guide on How to Handle and Utilize Technical Information on Cyberattacks, a document streamlining specific policies to be taken by expert organizations, including processing for de-identification of information from which the specific name or suchlike of a victim company may be deduced. It also presented the Draft Model Contractual Articles on How to Handle Technical Information on Cyberattacks to be Included in  non-disclosure agreement (NDA), a document describing draft contractual articles that an expert organization should include in its NDA with a user organization. Such articles stipulate prior consent to the effect that the expert organization will not, in principle, assume legal liability derived from the sharing of the technical information on cyberattacks that the expert organization has de-identified, as an effort to facilitate smooth information sharing. METI will open a call for a wide variety of comments from the public on the Draft Guide on How to Handle and Utilize Technical Information on Cyberattacks and the Draft Model Contractual Articles on How to Handle Technical Information on Cyberattacks to be Included in NDA.

Moreover, as future challenges that may not be overcome merely by promoting information sharing among expert organizations, the report highlights [i] ideal approaches to public-private collaboration toward information sharing (e.g., ideal approaches to consultations with and reporting to administrative organizations, and information sharing between the government and private companies) and [ii] roles played by vendors in supply chains.

3. Details of the call for public comments

Documents on which METI calls for public comments

Period of the call

From Wednesday, November 22 to Friday, December 22, 2023

Related Materials

Related Links

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau

Related website