"Economic Security and Cyber Security" seminar held


On September 26, 2023, the Economic Security Seminar "Economic Security and Cyber Security", hosted by the Economic Security Task Force (Economic Security TF) of the Industrial Policy Committee of the Pharmaceutical Manufacturers Association of Japan (PMAJ), was held online for member companies. The seminar had 103 participants and consisted of a lecture by Mr. Takahisa Kawaguchi, Chief Researcher, Tokio Marine dR, a report by the Economic Security TF's Cyber Security Sub-Team, and a Q&A session. Tokio Marine dR has supported the activities of the Economic Security TF since November 2021.

(1) Background of the seminar

The Economic Security TF was established in October 2021 within the Industrial Policy Committee of the Pharmaceutical Manufacturers Association of Japan (PMAJ), based on the view that the PMAJ needed a body to deal with economic security, in light of Japan's economic security legislation prompted by the decoupling between the U.S. and China and the responses of economic organizations to that legislation. The Economic Security TF has three sub-teams (Supply Chain, R&D, and Cyber Security) covering the wide range of economic security issues; it exchanges views with the relevant ministries and agencies, responds to public consultations on laws and regulations, and provides information to member companies through seminars.

This seminar introduced some of the results of the discussions of the Economic Security TF and its Cyber Security Sub-Team.

The first part of the seminar reviewed the wide range of issues and themes related to economic security and their impact on the industry, and then examined cybersecurity-related topics in depth. In the second part, the Cyber Security Sub-Team presented case studies based on the characteristics and risks of the industry, together with points to keep in mind when taking countermeasures.

(2) Lecture by Takahisa Kawaguchi, "Cyber Security Issues from an Economic Security Perspective"

Overview: Economic Security and Cyber Security

In 2022-2023, Japan's economic security policy advanced significantly: the Economic Security Promotion Law (Promotion Law) enacted in May 2022 came into force and its system took concrete shape, and economic security was given weight in the National Security Strategy of December 2022. Outside Japan there were equally rapid developments, such as the G7 Hiroshima Summit 2023, Europe's "Economic Security Strategy", and the intensifying confrontation between the U.S. and China.

In light of these developments, the economic security risks that companies should address are not limited to the four themes of the Promotion Law. Depending on how they are categorized and organized, there are at least 18 economic security themes. Several of these have significant implications for the pharmaceutical industry.

In relation to "cybersecurity", the focus of this seminar, four themes deserve attention: strengthening the cybersecurity of core infrastructure (No. 2 in Table 1 below), security clearances (No. 5), industrial espionage and cybersecurity measures (No. 6), and security over data (No. 7).

Table 1 Economic security-related policy issues and themes (as of August 2023)
*For the first publication and details of each theme, see Takahisa Kawaguchi and Ayeka Watanabe, "Shifting Economic Security Environment and Corporate Risk Management," Risk Management Frontline (September 20, 2023).

Background: Cyber Security Issues as U.S.-China Conflict

The U.S.-China conflict is behind policy discussions on economic security in general, and similarly, the U.S.-China conflict is behind cybersecurity issues (except for security clearances, which have Japan-specific circumstances).

Since the 2010s, two cybersecurity issues have arisen between the U.S. and China. As the U.S. side argues them: (1) China conducts cyber attacks against U.S. and other private companies to force the transfer of advanced technology, and (2) China may conduct cyber attacks through Chinese companies under its control or influence. On the former, President Barack Obama and President Xi Jinping agreed in September 2015 to refrain from cyber-enabled industrial espionage, but the general view is that this agreement has since collapsed. On the latter, the U.S. and several other countries are concerned about China's National Intelligence Law (enacted in June 2017), which obliges any organization, Chinese companies included, to "support, assist, and cooperate" with state intelligence work, and they have restricted the participation of Chinese telecom equipment manufacturers and others in government and critical infrastructure procurement.

Discussion: Overlapping areas of economic security and cyber security

Against the backdrop of this U.S.-China confrontation in the cyber field, cybersecurity issues are attracting attention in Japan from the perspective of economic security. Among the areas where economic security and cyber security intersect, several themes have no small impact on the industry.

The "Strengthening Cyber Security of Core Infrastructure" scheme in the Promotion Law has the government screen in advance the critical facilities, software, services, and contractors of operators in 14 core infrastructure sectors that meet size and other conditions. Its purpose is not cybersecurity in general but to exclude companies under the control or influence of foreign governments from procurement and similar arrangements (prevention of "specific sabotage", in the Promotion Law's terminology). The pharmaceutical industry is not currently a designated sector. However, "ports" and "medical care", which were not designated, are under consideration for addition in light of recent large-scale cyber attack damage, and if a cyber attack causing large-scale damage occurs in the pharmaceutical industry, additional designation cannot be ruled out.

"Industrial espionage and cybersecurity measures" addresses industrial espionage and forced technology transfer carried out through cyber attacks by foreign governments, militaries, intelligence agencies, and their "contractors". For example, in September 2022 the U.S. Department of Health and Human Services issued an alert on a hacking group known as APT41, which continually targets the healthcare sector, including biotechnology companies, cancer research facilities, and pharmaceutical companies.

The G7 Hiroshima Summit 2023 and other meetings have expressed concern about the security of data, including unauthorized access by foreign governments and restrictions on the cross-border transfer of personal and industrial data. Accumulating, transferring, sharing, and analyzing the data generated and collected in business processes is essential for efficiency and innovation, yet governments are tightening regulation of data, citing security.

"Security clearance" refers to eligibility screening for access to information designated as classified; a related bill (a revision of the Economic Security Promotion Law) is scheduled to be submitted to the ordinary Diet session in 2024. Information related to economic sanctions, cyber threat information, and the like is expected to be designated as important information for economic security purposes.

Response: Economic security response and cyber security response required of companies

Finally, we introduce a response structure for economic security overall and, within it, for cyber security measures. In every area, what matters is the division of roles and cooperation among the first, second, "2.5", and third lines of the "three lines of defense" risk management model.

As noted in the introduction, the economic security topics companies face are very broad and shift with the external environment. Companies are therefore expected to cover the full range of economic security risks without gaps or omissions while also responding to each individual risk. Companies and organizations that respond effectively tend to share two characteristics: (1) individual themes and risks, such as cyber security measures, security trade control, and research integrity, are handled by the first line (business units) and the second line (specialist departments); and (2) economic security themes and risks as a whole, together with overall policy trends, are handled by "Line 2.5" functions. Where a permanent organization exists, Line 2.5 functions include the risk management department, the corporate planning department, a department dedicated to economic security, and the policy liaison department.

Cybersecurity measures that take economic security into account likewise call for a division of roles and collaboration within the organization. The first line (business) and the second line (IT and security) should put basic cybersecurity measures and investments in place, while the Line 2.5 functions (risk management and policy liaison) work with the second line to collect and disseminate policy and regulatory information and to implement the additional measures that economic security requires.

(3) Cyber Security Sub-Team Report

Characteristics of the Pharmaceutical Industry

Nobuko Tsuruoka, Leader, Cyber Security Sub-Team, Economic Security Task Force, Industrial Policy Committee, Pharmaceutical Manufacturers Association of Japan (PMAJ)

Due to the nature of their business, pharmaceutical companies handle a large amount of sensitive information, including R&D information and medical information of patients and clinical trial participants. In addition, a critical mission in society is the need to ensure the stable delivery of pharmaceutical products to patients.

As the case studies below show, the impact of cyber attacks on the business has expanded in recent years with changes in industry structure, the social environment, and technology. Looking at the external environment, the number of cyber attacks is rising in both Japan and the U.S. Ransomware in particular is becoming more likely to occur, and the industry categories that include pharmaceutical businesses rank among the most affected in both countries.

Under these circumstances, specific responses depend on each company's business judgment, but action is needed both in prevention during normal operations and in contingency measures. In this report we examined, through specific cases, the situations that PMAJ member companies should anticipate, and then reported points to keep in mind when building a response structure for an actual incident.

Case Study

Information leakage from inside

Yuichiro Akao, Member, Cyber Security Sub-Team, Economic Security Task Force, Industrial Policy Committee, Pharmaceutical Manufacturers Association of Japan (PMAJ)

An information leak can have a significant impact on a pharmaceutical company: loss of reputation, loss of international advantage in research and development, and a fall in the number of clinical trial participants. Moreover, as drug discovery has shifted from vertical integration to a horizontal division of labor, the number of external organizations involved (universities, venture companies, venture capital firms, contract development and manufacturing organizations (CDMOs), contract manufacturing organizations (CMOs), and contract research organizations (CROs)) has grown, job changes have become more frequent, and the risk of information leakage has increased accordingly. The most common leakage routes have been shown to be current employees and employees who resign mid-career. The following case of a major chemical manufacturer illustrates the causes of information leakage and the countermeasures.

(1) Case Study

A major chemical manufacturer (Company A) suffered a leak of information to China by its employee B.

a. A Chinese company contacted Employee B of Company A through a business-oriented social networking service, asked him for technical guidance, and offered him a position as an advisor.
b. Although Company A controlled access to its confidential information, Employee B copied technical information on a manufacturing process to an external memory device and sent it to the Chinese company by e-mail.
c. An internal investigation by Company A uncovered the misconduct; Employee B was dismissed as a disciplinary measure and a criminal complaint was filed against him.
d. The Osaka Prefectural Police referred Employee B to prosecutors for violation of the Unfair Competition Prevention Act.
e. The Osaka District Court sentenced former employee B to two years' imprisonment, suspended for four years, and a fine of 1 million yen.

(2) Analysis of Causes of Information Leakage and Countermeasures

The "Fraud Triangle" theory holds that internal fraud is likely when three elements, "motive (pressure)," "opportunity," and "rationalization (justification)," come together. Figure 1 lists the causes of information leakage under each element.

Figure 1 Fraud Triangle and Causes of Information Leakage

Countermeasures include understanding economic security, dealing with those who have expressed an intention to leave the company, strengthening security measures, building appropriate relationships with employees, and ensuring compliance training. It is important to take the necessary measures for your company while promoting an understanding of the external environment.
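One of the countermeasures above, "dealing with those who have expressed an intention to leave the company", can be turned into a concrete detection rule by correlating an HR list of announced departures with endpoint and mail-gateway telemetry, so that the pattern in the case (copy to removable media, then e-mail to an outside party) is flagged while the employee is still with the company. The following is an added example written for this page, not code from the seminar or its presenters. The log formats, field names, users, paths, domains and timestamps are all constructed for illustration; a real deployment would read these from the company's own EDR, DLP and mail-gateway logs.

```python
"""Correlate departure notices with removable-media copies and outbound mail.

Added example for illustration only. All three data sources below are
constructed: an HR watchlist of announced resignations, an endpoint log of
copies to removable media, and a mail-gateway log of outbound messages.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed HR watchlist: user -> date the resignation was announced.
DEPARTURE_NOTICES = {"b.tanaka": datetime(2023, 6, 1)}

# Constructed endpoint log: user, timestamp, action, path, size in bytes.
ENDPOINT_LOG = """
b.tanaka 2023-06-03T21:14:00 usb_copy /proj/process/recipe_v7.xlsx 4200000
b.tanaka 2023-06-03T21:15:30 usb_copy /proj/process/line1_params.pdf 1800000
b.tanaka 2023-06-03T21:16:00 usb_copy /public/holiday_calendar.pdf 20000
c.sato 2023-06-03T10:02:00 usb_copy /proj/process/recipe_v7.xlsx 4200000
"""

# Constructed mail-gateway log: user, timestamp, recipient domain, attachment count.
MAIL_LOG = """
b.tanaka 2023-06-04T08:05:00 partner-company.example 2
b.tanaka 2023-06-04T08:10:00 corp.example 1
c.sato 2023-06-04T09:30:00 partner-company.example 1
"""

CONFIDENTIAL_PREFIXES = ("/proj/",)   # assumed: classification derived from path
INTERNAL_DOMAINS = {"corp.example"}   # assumed: the company's own mail domain
WINDOW = timedelta(days=30)           # assumed: heightened-risk period after notice


def parse(log: str) -> List[List[str]]:
    """Split a whitespace-separated constructed log into rows."""
    return [line.split() for line in log.strip().splitlines()]


def after_notice(user: str, ts: str) -> bool:
    """True if ts falls within WINDOW after the user's departure notice."""
    notice = DEPARTURE_NOTICES.get(user)
    if notice is None:
        return False
    t = datetime.fromisoformat(ts)
    return notice <= t <= notice + WINDOW


def risk_findings() -> Dict[str, List[str]]:
    """Return {user: [reasons]} for watchlisted users with exfiltration indicators."""
    findings = defaultdict(list)
    for user, ts, action, path, _size in parse(ENDPOINT_LOG):
        if (after_notice(user, ts) and action == "usb_copy"
                and path.startswith(CONFIDENTIAL_PREFIXES)):
            findings[user].append(f"removable-media copy of {path} after departure notice")
    for user, ts, domain, attachments in parse(MAIL_LOG):
        if after_notice(user, ts) and domain not in INTERNAL_DOMAINS and int(attachments) > 0:
            findings[user].append(f"{attachments} attachment(s) sent to external domain {domain}")
    return dict(findings)


def high_risk_users() -> List[str]:
    """Users showing both a confidential media copy and external attachment mail."""
    out = []
    for user, reasons in risk_findings().items():
        if (any("removable-media" in r for r in reasons)
                and any("external domain" in r for r in reasons)):
            out.append(user)
    return sorted(out)


if __name__ == "__main__":
    for user, reasons in risk_findings().items():
        for reason in reasons:
            print(f"{user}: {reason}")
    print("high risk:", high_risk_users())
```

The rule is deliberately scoped to the watchlist: the copy by c.sato of the same confidential file is not flagged here, because the point of this check is to raise priority for people who have announced their departure. Broader data loss prevention on confidential paths would be a separate, always-on rule; the two complement each other rather than replace each other.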

Case Study

Cyber attacks on supply chain

Member, Cyber Security Sub-Team, Economic Security Task Force, Industrial Policy Committee, Pharmaceutical Manufacturers Association of Japan (PMAJ)

The stable supply of pharmaceuticals is an important mission of a pharmaceutical company. Therefore, we will introduce the characteristics and countermeasures of cyber attacks on the supply chain that could be a threat to this mission, along with examples of such attacks.

(1) Relationship between economic security and cyber attacks

Cyber attacks by the Russian government against Ukraine began around 2015, and after the invasion of Ukraine attacks were also observed as retaliation against countries that expressed support for Ukraine. Although any link to the Russian government is unclear, a supplier of a major Japanese automobile manufacturer suffered a cyber attack after Japan announced economic sanctions against Russia. Cyber attacks on supply chains generally cause prolonged and widespread damage, and this case too caused extensive damage.

(2) Attacks that exploit weaknesses in the supply chain

As smart factories and IoT spread and factory systems have more occasions to communicate with parties outside the production area, "attacks that exploit weaknesses in the supply chain" has risen in the ranking of the "10 Major Threats to Information Security" published by the Information-technology Promotion Agency, Japan (IPA) (Table 2).

Against this background, in November 2022 the Ministry of Economy, Trade and Industry (METI) published the "Guidelines for Cyber and Physical Security Measures in Factory Systems" (https://www.meti.go.jp/policy/netsecurity/wg1/factorysystems_guideline.html) (the "Factory Security Guidelines").

Table 2 Ten Major Threats to Information Security 2023
*From IPA website ( https://www.ipa.go.jp/security/10threats/10threats2023.html )

(3) Countermeasures against cyber attacks on supply chains

The life cycle of factory systems in a production area is often tied to that of the machinery and equipment they control and is said to run 10 to 20 years or longer. As a result, it is often unclear what systems exist, where they are, and how they are connected.

It is therefore important to record and visualize these factory systems in an asset inventory (ledger), and to establish a means of promptly detecting any unusual communication within the production area (Figure 2).

Figure 2 Countermeasures against cyber attacks on supply chains
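The two countermeasures just described, an asset inventory and detection of unusual communication, work together: once every device in the production area is recorded with the communication it is expected to have, any flow that is not in that baseline is a candidate alert. The following is an added example written for this page, not code from the seminar, the Sub-Team, or the METI guidelines. The device names, addresses, ports, baseline and flow records are constructed; in practice the inventory would come from the plant's asset register and the flows from a network tap or the switch's flow export.

```python
"""Allowlist-based detection of unexpected communication in a production area.

Added example for illustration only. The inventory, baseline and flow records
are constructed; they stand in for an asset register and exported flow logs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed asset inventory ("ledger") for one production area.
PLANT_NET = ip_network("10.20.0.0/16")           # assumed OT address range
INVENTORY = {
    "10.20.1.10": "PLC-Line1",
    "10.20.1.11": "HMI-Line1",
    "10.20.1.20": "Historian",
    "10.20.1.30": "EngineeringWS",
}

# Constructed baseline: (src, dst, proto, dst_port) seen during normal operation.
BASELINE = {
    ("HMI-Line1", "PLC-Line1", "tcp", 502),        # Modbus/TCP polling
    ("Historian", "PLC-Line1", "tcp", 502),
    ("EngineeringWS", "PLC-Line1", "tcp", 44818),  # EtherNet/IP (assumed)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def classify_flow(flow: Flow) -> Optional[str]:
    """Return an alert reason for a flow, or None if it matches the baseline."""
    src_name = INVENTORY.get(flow.src)
    dst_name = INVENTORY.get(flow.dst)
    # A device inside the plant range that is not in the inventory.
    if src_name is None and ip_address(flow.src) in PLANT_NET:
        return f"unknown device {flow.src} on plant network"
    # Any inventoried device reaching outside the plant range.
    if ip_address(flow.dst) not in PLANT_NET:
        return f"{src_name or flow.src} -> external address {flow.dst}:{flow.dst_port}"
    # Traffic entering the plant from an address outside the range.
    if src_name is None:
        return f"traffic into plant from unexpected source {flow.src}"
    if dst_name is None:
        return f"{src_name} -> unknown plant address {flow.dst}"
    # Known pair, but a protocol/port not seen during baselining.
    if (src_name, dst_name, flow.proto, flow.dst_port) not in BASELINE:
        return f"{src_name} -> {dst_name} {flow.proto}/{flow.dst_port} not in baseline"
    return None


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src dst proto dst_port'."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def detect(lines: Iterable[str]) -> List[str]:
    """Run every non-comment flow record through classify_flow."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reason = classify_flow(parse_flow(line))
        if reason:
            alerts.append(reason)
    return alerts


SAMPLE_FLOWS = """
# constructed flow records: src dst proto dst_port
10.20.1.11 10.20.1.10 tcp 502
10.20.1.20 10.20.1.10 tcp 502
10.20.1.30 10.20.1.10 tcp 44818
10.20.1.30 10.20.1.10 tcp 22
10.20.1.99 10.20.1.10 tcp 502
10.20.1.10 203.0.113.7 tcp 443
192.0.2.15 10.20.1.11 tcp 3389
""".splitlines()


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

Three of the four alerts on the sample (an un-inventoried device, a PLC reaching an external address, and an inbound connection from outside the plant) are exactly the cases that the long life cycle of factory systems tends to hide; the fourth, an engineering workstation opening SSH to the PLC, is the kind of legitimate-looking but unbaselined activity that should be reviewed with the plant engineers rather than blocked automatically.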

(4) Countermeasures for contract manufacturers

In order to ensure a stable supply of our own pharmaceutical products, we need to strengthen our defenses against cyber attacks, including those of our contract manufacturers. Successful use of the already published self-check sheets and external assessment services will help visualize and improve the defense capability of contract manufacturers and in-house manufacturing sites.

Matters to be addressed when establishing an information security incident response system

Nobuko Tsuruoka, Leader, Cyber Security Sub-Team, Economic Security Task Force, Industrial Policy Committee, Pharmaceutical Manufacturers Association of Japan (PMAJ)

Ideally, information security incidents would not occur, but in today's environment they cannot be prevented completely. For preparations to be effective, response planning should as a rule proceed from concretely assumed scenarios.

(1) Role assignment for incident response

When the organization leading the overall incident response and the related departments responsible for individual roles work together during an incident, the division of roles and the scope of information sharing between them should be defined in advance so that the response is rapid and free of unnecessary confusion.

(2) Internal response system

A structure must be in place to grasp the facts promptly when an incident occurs. This is especially important for legal compliance: personal information protection regulations may set a deadline running from the time the incident is identified to the time it is reported to the authorities.

(3) External collaboration system

When an incident occurs, it is also necessary to respond outside the company. By confirming in advance who to cooperate with, who to contact (division of roles within the company), and when cooperation is necessary, omissions can be prevented and appropriate response can be expected in the proper order of priority.

(4) Public announcements outside the company

By working through concrete scenarios that reflect current trends, a company can establish criteria for judging which incidents affect the business significantly enough to require disclosure, and can make prompt and accurate announcements.

(4) Questions on the day of the seminar

A question and answer period was held after each presentation and report. Questions were asked about the characteristics of each industry in establishing an economic security risk management system, points to keep in mind when traveling to China, specific examples of assumed scenarios when establishing an incident response system, and the division of roles between the company-wide crisis management response department and the information security incident response department.

(Ms. Nobuko Tsuruoka, Leader, Cyber Security Subteam, Economic Security Task Force, Industrial Policy Committee)
