Japan's FSA cybersecurity guidelines and the Zengin lesson
The Japan FSA's revised cybersecurity guidelines, finalised in October 2024, raise the bar for boards, third-party oversight and resilience testing. Recent incidents have shaped that bar.

Japan's financial regulator, the JFSA, finalised its revised Guidelines for Cybersecurity in the Financial Sector in October 2024, replacing the framework that had been in place since 2015. The revision moved the regime in three directions. It set clearer expectations on board and senior management ownership of cyber risk. It strengthened expectations on third-party and supply chain cyber risk. And it formalised the role of threat-led testing in larger institutions, drawing on international practice while remaining tuned to the Japanese market.
The context for the revision matters. The October 2023 Zengin system outage, which disrupted interbank transfers for several days across multiple banks, demonstrated that a single piece of shared infrastructure could affect a large share of retail and corporate payments. Earlier incidents at major banks, and a series of cyber events affecting trading platforms and asset managers, reinforced the point that the cyber and operational resilience agendas overlap and cannot be governed in separate towers.
Board accountability in the revised guidelines is explicit. The board is expected to approve the cybersecurity strategy, to ensure the cybersecurity function is appropriately resourced and independent and to receive information sufficient to understand the institution's posture and significant incidents. The expectation is calibrated to the size and complexity of the institution, but the direction is uniform. Boards that previously delegated cyber to a specialist committee are being asked to demonstrate genuine engagement at the full board.
Third-party and supply chain expectations have moved closer to international peer regimes. Institutions are expected to identify the third parties that support critical operations, to assess their cyber posture in a manner proportionate to the risk and to maintain visibility of fourth-party arrangements where these affect critical functions. The guidelines acknowledge that contractual reliance is not enough on its own, and that institutions need a route to evidence-based assurance, particularly for cloud providers and shared market infrastructure.
Threat-led testing has been formalised for the largest institutions through the JFSA's framework that draws on international approaches such as TIBER-EU and CBEST. The intent is not to import a foreign regime but to ensure that systemically important institutions test against realistic adversary behaviour rather than against generic scenarios. Smaller institutions are expected to scale their testing appropriately, and the supervisory dialogue is moving towards what testing has actually exposed rather than how much testing has been conducted.
Incident notification expectations sit across the cybersecurity guidelines and the broader supervisory regime. Significant cyber incidents are expected to be notified to the JFSA promptly, with the precise channel and timing depending on the institution type and the nature of the event. The supervisory response after major incidents has emphasised the quality of the post-incident analysis and the speed with which lessons are translated into change, alongside the immediate technical response.
For institutions setting their Japan agenda, the practical priorities follow the revision. Make sure the board sees a current cyber posture view rather than a project update. Confirm that the third-party inventory reflects the providers that actually carry critical operations rather than the providers with the largest contracts. Use threat-led testing to learn rather than to demonstrate. And treat shared infrastructure events such as Zengin as live scenarios that the institution must be able to absorb, not as someone else's problem.

