When it comes to cyber-attacks, my guess is that financial services firms are petrified that they will be hit hard by a rather successful invasion sooner than later. The potential of such attacks causes firms to clam up and pretend that they have no problems until they are forced to acknowledge that a catastrophe is underway.
My gut instincts tell me that there has got to be a better way and, in Japan, Mitsubishi UFJ Financial Group, Inc. (MUFG) may have found it.
MUFG and its affiliated companies have issued a cyber-security declaration in an attempt to be proactive about this very controversial subject. MUFG officials say that they want to build cybersecurity “from the two perspectives of value creation and risk management” as specified by the Japan Business Federation’s (Keidanren) Declaration of Cyber Security Management.
Thus, MUFG has set forth its Cyber Security Management Declaration, which features five major components.
Among other things, the first section offers a basic recognition of cyber-attacks as a major management issue.
This part of the declaration will require managers to:
- “deepen their understanding” of cybersecurity issues;
- “proactively manage the positioning of and investment in cyber security;”
- And “squarely confront risk” and display “leadership as they take responsibility for the implementation of responses.”
As for business continuity planning (BCP), the firm will “improve contingency plans by strengthening its ability to respond to incidents through the establishment of a specialist line to lead detection, response and recovery (MUFG-CERT), the improvement of procedures and manuals, and periodic training and drills, in addition to initiatives for the identification of and defense against risks. MUFG will also disclose initiatives to strengthen security through disclosure materials,” according to the firm’s declaration.
MUFG officials also say that they will have “sufficient budget, personnel and other resources” in place to bolster the firm’s cybersecurity defenses. It will also “improve its internal structure and take necessary measures in personnel, technology, logistics, and other areas, and train and educate employees at each level, including management, project management, engineers, and general staff.”
These efforts will also extend to its “supply chain, including overseas, and with customers and service providers,” according to the declaration. MUFG will also “leverage advanced technologies” to achieve these goals.
MUFG officials will also disseminate “countermeasures to systems and services companies … so that customers can safely and securely use services … At the time of development of new systems and services we will implement security countermeasures to provide customers with easy-to-use, secure services.”
In addition, the firm will be reaching out for a new give-and-take with industry participants.
“Based on collaboration with related government departments, organizations, groups and others, we aim to build personal dialogue networks in Japan,” according to the declaration. “Specifically, through appropriate and timely collaboration with related government and other bodies such as the Financial Service Agency, National center of Incident readiness and Strategy for Cybersecurity, Information-technology Promotion Agency, the police and others, while also promoting the cross-sector sharing of information domestically and internationally including Financial ISAC, FS-ISAC and ICT-ISAC, we aim to contribute to the enhancement of the cybersecurity of society as a whole on a global basis.”
MUFG has given itself an ambitious agenda and has embraced a new level of transparency for its cyber-security process that its competitors and counterparts in North America and Europe may find instructive.
The full declaration is here and more information about the firm can be found here.