TOKYO -- About half of Japanese financial institutions have been on the receiving end of a cyberattack since 2015, with a little more than 10% falling prey to varying degrees, a Bank of Japan survey released Monday shows.
Of the 411 banks, credit associations and other financial institutions surveyed, 1.2% said they suffered significant fallout from a cyberattack while 9.7% noted a minor impact. The issues included viruses sent through email and difficulty viewing home pages.
Distributed denial-of-service attacks, whereby attackers overwhelm servers by flooding them with information requests, have risen worldwide in recent years. In June 2015, Seven Bank's home page fell victim to such an attack. Ransomware, which threatens to wipe out infected computers' data unless a ransom is paid, has also been confirmed in many cases.
But robust digital defense systems do not come cheap. Japanese financial institutions are spending an average of 178 million yen ($1.59 million) on cybersecurity in the current fiscal year ending in March. The costs, which include system development and personnel expenses, totaled just 113 million yen two years ago. More than 60% of the financial institutions said they did not have a sufficient number of cyberdefense personnel.
Japan's megabanks continue to boost their defenses, but attackers are turning their attention to small and midsize regional financial institutions, whose cybersecurity responses vary drastically depending on the institution's strength and other factors.
Although the Japanese banking industry has so far avoided a major information leak or similar event, "The scope of cyberattacks has spread rapidly over the past year or two to another level," cautioned Keisuke Kamata, managing director of Financials ISAC Japan, an association that supports financial institutions' cybersecurity efforts. Japanese banks must urgently create systems that enable them to adapt to ever-changing cyberattack techniques and other developments, Kamata added.
The BOJ's first-ever survey on cybersecurity was conducted in April, targeting financial institutions with accounts at the central bank. As a next step, the bank aims to deepen its cyberdefense discussions with the institutions.