【TKI Voice】Cyberattack Countermeasures: Minimizing Damage Through Peacetime Preparation
This page provides an English executive summary of the Japanese article “【TKI Voice】 サイバー攻撃対策、平時の準備で被害を最小限に”. The full article is available in Japanese.
Executive Summary / Key Questions
- What exactly is a "ransomware attack"?
ー It is an attack where a virus infects PCs or systems, locking them or encrypting data to make them unusable. Attackers demand a "ransom" in exchange for lifting these restrictions. Recently, the mainstream tactic has shifted to double extortion, where they not only encrypt the data but also threaten to leak stolen confidential information if the ransom is not paid.
- What are the common entry points, and what misconceptions exist regarding backups?
ー More than half of the entry points exploit VPN vulnerabilities, though infections via suspicious emails remain highly common. Furthermore, even if companies back up their data, nearly 85% actually fail to restore it successfully. Complacency—thinking you are safe just because you have a backup—must be avoided; regular testing and drills to ensure data can actually be restored are essential.
- What legal liabilities could a company face if attacked?
ー Despite being the victim, a company faces the risk of being held liable as a "wrongdoer" toward the following parties:
・ Individuals & Customers: Liability for damages resulting from personal data leaks.
・ Business Partners: Compensation for financial losses caused by system downtime, delivery delays, or business suspension.
・ Shareholders & Authorities: Potential lawsuits against executives for breach of due care (due to inadequate preparation), as well as criminal penalties or public disclosure for failing to report leaks under the Personal Information Protection Act.
- What is the most critical aspect of the "initial response" immediately after an attack?
ー "Rapid reporting" and "documenting the decision-making process."
・ Reporting: If there is a risk of a personal data leak, a preliminary report must be submitted to the Personal Information Protection Commission within 3 to 5 days of discovery.
・ Documentation: To prove to courts or regulatory authorities later that your decisions were sound, every step of the response must be recorded in detail. Seeking objective advice from external counsel is highly effective in proving that your response was appropriate.
- How is "paying the ransom" viewed from a legal perspective?
ー Paying the ransom is an extremely high-risk action.
・ Risk of Re-victimization: Your company will be labeled as a "payer," making it a prime target for future attacks.
・ Legal Violations: If the payee is on an international sanctions list (such as terrorist organizations), your company faces secondary risks, including being designated on sanctions lists by the United States and other jurisdictions.
- What effective measures can be taken during peacetime to minimize potential damage?
ー It requires more than just introducing IT tools; "creating evidence" and "establishing a response framework" are crucial.
・ Evidence Creation: Discuss cybersecurity at board meetings and record the minutes. Allocate an appropriate budget to deploy proper equipment and personnel, and carefully document these actions to demonstrate due care.
・ Framework Establishment: Establish an emergency contact network (including police, lawyers, and specialized vendors) and develop a Business Continuity Plan (BCP) tailored to cyberattacks. Subscribing to cyber insurance is also an effective proactive measure.
This English page is provided for informational purposes only. The Japanese version constitutes the authoritative text.
(Editorial supported by: Masayuki Otake)

Counsel
Email: masayuki.otake@tkilaw.com