Japan’s Financial Services Agency releases draft policy to strengthen cybersecurity at crypto exchanges
Summary
- Japan’s Financial Services Agency said it has released a draft cybersecurity enhancement policy for crypto asset exchange operators and begun a public comment process.
- The FSA said cold wallets alone are insufficient to ensure adequate security and emphasized the need to strengthen security management frameworks across the entire supply chain.
- It said the draft includes measures such as mandatory CSSA, expanded participation in JPCrypto-ISAC, and implementation of TLPT to raise the security level of crypto exchange operators.
Forecast Trend Report by Period
Japan’s Financial Services Agency (FSA) has released a draft policy aimed at strengthening cybersecurity for crypto asset (cryptocurrency) exchange operators.
According to CoinPost on the 11th (local time), the FSA announced the “Draft Policy for Promoting Cybersecurity Enhancements for Crypto Asset Exchange Businesses, etc.” and began a public comment period running until 17:00 on March 11. The move comes amid a string of cyberattacks targeting crypto exchanges worldwide and resulting asset outflows.
The FSA noted that recent attacks are expanding beyond the theft of signing keys to more indirect and sophisticated methods, including social engineering techniques and intrusions into the networks of external contractors. It stressed that relying solely on cold wallets makes it difficult to ensure sufficient safety and that stronger security management frameworks are needed across the entire supply chain, including outsourced vendors. It also cited the possibility of state involvement in some attacks aimed at obtaining foreign currency.
The draft policy is built around three pillars: “self-help, mutual help, and mutual help (public support).”
On the self-help front, starting in fiscal 2026 the FSA will mandate the Cybersecurity Self-Assessment (CSSA)—which it already applies to other financial sectors—for all crypto asset exchange operators. It will also review items such as the expertise and staffing standards for security personnel, external audit methods, and requirements for managing contractors.
On the mutual-help front, the FSA will call for strengthening the Security Committee functions of the Japan Virtual and Crypto Assets Exchange Association (JVCEA), a self-regulatory body, and will promote expanded participation by operators in JPCrypto-ISAC, the industry information-sharing organization.
On the public-support front, it will continue the international joint blockchain research currently underway in FY2025 and aims to have all exchange operators participate within three years in “Delta Wall,” a joint cybersecurity exercise for the financial sector. In addition, during 2026 it plans to conduct threat-led penetration testing (TLPT) in live operating environments for selected operators and share common issues with the industry.
YM Lee
20min@bloomingbit.ioCrypto Chatterbox_ tlg@Bloomingbit_YMLEE
![Bitcoin retakes KRW 100 million amid reports of secret US-Iran contacts…$72,000 in focus [Kang Min-seung’s Trade Now]](https://media.bloomingbit.io/PROD/news/3beef0db-a8f6-4977-9dca-6130bf788a69.webp?w=250)
