What is an Internal Control System? Obligations Under the Japanese Companies Act and Financial Instruments and Exchange Act, and the Responsibilities of Directors

An internal control system refers to the mechanisms within a company designed to prevent illegal activities and information leaks. The internal control system is defined in both the Japanese Companies Act and the Japanese Financial Instruments and Exchange Act, and companies that meet certain requirements are obligated to establish an internal control system.

In corporate management, it is crucial for compliance to properly construct, operate, and maintain an internal control system.

In this article, we will explain what an internal control system is, particularly focusing on the internal control system for mitigating the risk of cyber incidents, and the responsibilities borne by directors.

What is an Internal Control System?

An internal control system is a system that companies and organizations establish and apply appropriate processes and systems to comply with laws, regulations, and industry standards.

Especially for listed companies, it is necessary to properly build an internal control system and manage risks to improve the company’s credibility and brand image.

Internal Control System under the Japanese Companies Act

The internal control system under the Japanese Companies Act is defined by Article 362, Paragraph 4, Item 6 of the Companies Act as,

“The establishment of a system to ensure that the execution of directors’ duties complies with laws and the articles of incorporation, and other systems necessary to ensure the propriety of the business of the stock company and the business of the corporate group consisting of the stock company and its subsidiaries, as prescribed by the Ministry of Justice Ordinance.”

This is defined as the exclusive authority of the board of directors.

The internal control under the Companies Act can be said to be a system aimed at ensuring the propriety of the business of a stock company and its group companies, such as subsidiaries.

Internal Control System under the Japanese Financial Instruments and Exchange Act

Under the Financial Instruments and Exchange Act, listed companies, etc. have an obligation to submit internal control reports. Listed companies, etc. must establish an internal control system under the Financial Instruments and Exchange Act and disclose its contents.

The internal control system under the Financial Instruments and Exchange Act, unlike the Companies Act, is required from the perspective of investor protection.

Companies Obligated to Establish Internal Control Systems

Companies that meet certain criteria are obligated to establish internal control systems. The companies that bear this obligation are defined in the Japanese Companies Act and the Japanese Financial Instruments and Exchange Act.

Under the Japanese Companies Act, large companies, specifically those with a board of directors, are required to establish an internal control system. A large company is defined as a company with a capital of 500 million yen or more, or a company with debts of 20 billion yen or more (Article 2, Paragraph 6 of the Japanese Companies Act).

Companies that have established an internal control system must include an overview of the operation of the internal control system in their business reports. In addition, in companies with a board of corporate auditors, the auditors conduct an audit of the internal control system as part of their audit of the execution of duties by the directors.

On the other hand, under the Japanese Financial Instruments and Exchange Act, listed companies and the like, which submit securities reports, are obligated to establish an internal control system and disclose its contents. These companies need to disclose an internal control report for each business year along with the securities report.

Directors May Be Held Responsible for Deficiencies in Internal Control Systems

In the event of a cyber incident such as unauthorized access or information leakage related to the internal control system, who bears the responsibility?

If a security system vulnerability leads to information leakage, the party suffering damage (such as customers) due to the leakage may claim damages based on obligations not fulfilled or illegal actions under the Japanese Civil Code.

Directors, under the Japanese Companies Act, are entrusted with the management of the company and have a duty to perform their tasks with the care of a good manager to prevent harm to the company (duty of care in management).

According to court precedents, the obligation to establish an internal control system is considered one of the duties of care in management.

Therefore, if an information leak occurs and a claim for damages is made against the company by the party suffering the damage, the director may also be asked to compensate for the damage if it is found that the director violated the duty of care in management by not taking measures to increase the security level or eliminate vulnerabilities to prevent such leaks.

Case Law on Internal Control Systems

As mentioned above, companies and directors are obligated to establish internal control systems. Let’s proceed with our discussion based on specific case examples.

Yakult Case Tokyo District Court Decision (Tokyo District Court Decision, December 16, 2004 (Heisei 16))

Yakult suffered significant losses due to speculative derivative trading aimed at offsetting unrealized losses on securities. In response, shareholders filed a representative lawsuit against the then management team, seeking compensation of 53.3 billion yen.

In this case, whether a risk management system for derivative trading was in place was disputed.

The court ordered the former vice president, who handled derivative trading as the asset management officer, to pay 6.7 billion yen for “violating his duty of care as a director”. However, the responsibility of other management members was not recognized because the company had “a certain risk management system in place”. After the loss occurred, the court denied the inadequacy of the risk management system, citing reasons such as the rapid development of awareness about the risks of derivative trading (= it was not sufficient at the time of occurrence). The second trial in the Tokyo High Court in May 2008 and the Supreme Court also supported the first and second trials.

In this trial, it was indicated that the content of the internal control system should be determined by referring to administrative studies on risk management and risk cases.

JCOM Stock Misorder Case (Tokyo High Court Decision, July 24, 2013 (Heisei 25))

This is a case where a Mizuho Securities employee mistakenly entered an order for JCOM stocks entrusted by a customer as “selling 610,000 shares at 1 yen” instead of “selling 1 share at 610,000 yen” into the computer, causing significant damage to the customer.

Mizuho Securities noticed the error and initiated cancellation procedures, but due to a flaw in the Tokyo Stock Exchange’s system, the cancellation was not made, and the stock price plummeted due to an unusually large number of sell orders. As a result, damages exceeding 40 billion yen occurred. Mizuho Securities argued that the reason they could not cancel the misorder and suffered a loss exceeding 40 billion yen was due to a bug in the TSE’s system, and sought damages from the TSE.

In this trial, whether the “system bug was gross negligence” was a major point of contention. The Tokyo High Court ordered the TSE to pay about 10.7 billion yen, stating that “not exercising the authority to suspend trading promptly was gross negligence on the part of the TSE”.

Whether it was technically possible for the TSE to discover and deal with this bug was also a point of contention, but the Tokyo High Court avoided making a judgment on the technical aspect, stating, “The claims of the expert opinions submitted are conflicting and it is difficult to judge which is superior”.

However, the Tokyo Stock Exchange was found to be grossly negligent for not cancelling the transaction despite noticing that clearly abnormal transactions were taking place.

As such, in cases where the court cannot make a judgment on the technical aspect, unlawful acts may be recognized by focusing on points other than technology.

Summary: Consult Lawyers for Building an Internal Control System

Especially for listed companies, it is necessary to properly build and operate an internal control system for risk management.

In the event of an information security-related accident, if the company is found to have not taken appropriate information security measures according to its size and business content, there is a risk that the company will be held liable for breach of contract. At that time, there is also a possibility that directors may be sued for damages on the grounds of violation of the duty of care. Please consult a lawyer who is familiar with IT and corporate legal affairs about the internal control system for information security as soon as possible.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. The need for legal checks in the construction of internal control systems is increasingly growing. Our firm provides solutions to many companies aiming for compliance adherence.