Cross-cutting 🌐🇯🇵

Business Continuity (BCP)

Business continuity is the precondition for keeping Monster Strike, FamilyAlbum and public-sports betting running 24/7 against a stack of compounding risks — Tokyo/Nankai megaquakes, Mt Fuji ashfall, ransomware (IPA's #1 organizational threat), concentration on cloud and third parties like AWS and Cloudflare, geopolitical fragmentation and pandemics. MIXI's Tokyo HQ and game infrastructure are the key concentration points, and it must also satisfy the parallel incident-reporting clocks of Japan, the US, India and the EU.

Status: Fresh. Updated 2026-06-20. Next review 2026-07-20. 29 sources.

So What? (Implications for MIXI)

  1. ACTION

    Break cloud/region concentration and design for graceful degradation

    Monster Strike is hybrid on-prem+AWS, and external failures like AWS us-east-1 (Oct 2025) or Cloudflare (Nov 2025) can cause global stoppage. Build a dependency map for critical services, multi-region failover, fallback paths for CDN/auth/payments, and explicit feature-degradation modes.[5][6][15]

  2. ACTION

    Prioritize ransomware and supply-chain resilience

    Ransomware and supply-chain attacks are IPA's #1 and #2 threats, and Asahi (~JPY5bn, ~3 months), KADOKAWA (2-month outage, data leaked despite a paid ransom) and US Change Healthcare (~USD2.46bn) show that stoppage is real. Stand up immutable backups, vendor/SaaS security audits, an IR and ransom-stance policy, tabletop exercises, and a process to meet the PPC's 3-5-day prompt-report clock.[7][4][9][26][18]

  3. BET

    Engineer geographic dispersion and disaster-mode operations against Tokyo concentration

    Assuming a Tokyo quake (up to 18,000 deaths, JPY83tn, up to 8.4m stranded commuters), the Nankai Trough (JPY292tn; government targets an 80% death cut) and Mt Fuji ashfall (up to ~30cm in central Tokyo), build safety-confirmation, remote operations, an alternate HQ and a DR site outside the high-seismic/volcanic zone. FamilyAlbum's overseas growth disperses demand, but Tokyo-concentrated operations and talent still need a separate hedge.[1][2][3][22][29][14]

  4. ACTION

    Govern third-party/vendor concentration with a DORA-style critical-provider register

    Since concentration on AWS, Cloudflare and key SaaS can trigger global outages, MIXI should voluntarily adopt the DORA-style practices of registering 'critical ICT third parties,' planning substitutability/exit and monitoring concentration. Even if unregulated, embedding vendor audits and SLA/redundancy requirements into contracts is what underpins continuity.[20][5][6]

  5. WATCH

    Consolidate multi-jurisdiction incident-reporting clocks into one IR playbook

    Reporting clocks differ by jurisdiction — PPC (3-5-day prompt report), India DPDP (72 hours) plus CERT-In (6 hours), US SEC (4 business days) and EU DORA. Given FamilyAlbum's 175-country footprint, build a single incident-response playbook with a jurisdiction matrix and an automated decision on which authority must be notified within how many hours.[18][21][23][20]

  6. WATCH

    Get ahead of regulatory continuity expectations (reporting duties, ISO 22301, finance-grade)

    Phased active-cyber-defense enforcement (from 2026), breach-reporting duties, ISO 22301 / Cabinet Office guidelines and the FSA's operational-resilience expectations (which may reach the public-sports betting business) are raising the bar for BCP disclosure. MIXI should monitor its ability to evidence BCM alignment and exercise records in its integrated report and to regulators.[8][16][17][24][14]

  7. WATCH

    Maintain permanent remote-operation capability and staffing redundancy against health crises

    The institutionalization of the WHO Pandemic Agreement plus 2026 H5N1/Disease X alerts and shrinking health ODA show the next crisis may arrive with thinner preparedness than last time. Keep safety-confirmation, work-from-home operations, staff cross-training and a travel policy as permanent BCP elements, and validate them through exercises.[10][28]
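
The jurisdiction matrix recommended in item 5 can be kept as data, with the notification decision computed from incident facts. The sketch below is an added example, not MIXI's or any regulator's code; the trigger flags, start events, the 72-hour reading of the PPC's "3-5 days" and the weekday-only business-day rule are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Clocks as stated on this page; "3-5 days" is encoded as its lower bound (72 h).
# Trigger flags and start events are simplifying assumptions for illustration.
# Fields: authority, report, required flags, start event, unit, amount
MATRIX = [
    ("IN CERT-In", "incident report", {"in"}, "detected", "hours", 6),
    ("IN DPB (DPDP)", "detailed report", {"in", "personal_data"}, "detected", "hours", 72),
    ("JP PPC", "prompt report", {"jp", "personal_data"}, "detected", "hours", 72),
    ("JP PPC", "full report", {"jp", "personal_data"}, "detected", "hours",
     lambda f: (60 if "unauthorized_access" in f else 30) * 24),
    ("US SEC", "Form 8-K Item 1.05", {"sec_registrant", "material"}, "materiality", "bdays", 4),
    # The page gives no DORA clock, so it is routed to manual review.
    ("EU DORA", "serious ICT incident", {"eu_financial_entity"}, "detected", None, None),
]


def add_business_days(start, n):
    """Advance n weekdays; public holidays are not modelled (assumption)."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Mon-Fri
            n -= 1
    return day


def deadlines(flags, events):
    """Return (due, authority, report) rows, earliest first; due=None means
    no computable clock (start event missing or no clock known)."""
    timed, manual = [], []
    for authority, report, needs, start, unit, amount in MATRIX:
        if not needs <= flags:
            continue  # this authority is not triggered by the incident facts
        t0 = events.get(start)
        if unit is None or t0 is None:
            manual.append((None, authority, report))
        elif unit == "bdays":
            timed.append((add_business_days(t0, amount), authority, report))
        else:
            hours = amount(flags) if callable(amount) else amount
            timed.append((t0 + timedelta(hours=hours), authority, report))
    return sorted(timed) + manual


# Constructed incident: detected Friday 2026-01-09 22:00 UTC.
SAMPLE_FLAGS = {"jp", "in", "personal_data", "unauthorized_access",
                "sec_registrant", "material"}
SAMPLE_EVENTS = {
    "detected": datetime(2026, 1, 9, 22, 0, tzinfo=timezone.utc),
    "materiality": datetime(2026, 1, 9, 23, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for due, authority, report in deadlines(SAMPLE_FLAGS, SAMPLE_EVENTS):
        when = f"{due:%Y-%m-%d %H:%M} UTC" if due else "manual review"
        print(f"{when:22} {authority:14} {report}")
```

Rows with no due time are the ones an on-call lead must resolve by hand, for example an SEC filing whose materiality determination has not yet been made.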

Top risks & opportunities

PESTLE analysis

P Political

An active-cyber-defense law that frames cyber as national security, target reallocation by Russia/China-linked actors, Taiwan Strait submarine-cable cuts and chip geo-concentration tie corporate BCP to state-level risk.

  1. 🇯🇵 Japan's Active Cyber Defense laws passed on 16 May 2025 and were promulgated on 23 May; they impose mandatory serious-incident reporting on 15 critical-infrastructure sectors, with phased enforcement from 2026 (a public-private council targeted for autumn) — squarely placing cyber inside the national-security domain.[8]
  2. 🇯🇵 2026 threat outlooks describe Russia- and China-linked state-aligned actors reallocating their focus toward Japanese firms and critical infrastructure, with supply-chain attacks intersecting geopolitical risk; combined with the new active-cyber-defense regime, game and social operators now fall within the blast radius of state-level risk.[27]
  3. Through 2025 submarine cables around Taiwan were repeatedly cut — ECA2 was severed in September and 9 of Taiwan's 24 cables were reported damaged. Asia's international connectivity is a target for 'weapon-less aggression,' a hidden single point of failure for any service that depends on cross-border links.[11]
  4. TSMC makes roughly 90% of the world's advanced chips, an extreme geographic concentration in Taiwan; Strait tensions are pushing nations to diversify, but longer lead times for servers, devices and GPUs undermine the assumptions behind capacity expansion and DR build-out.[12]
  5. 🇮🇳 India is intensifying pressure for local storage and in-country processing via the DPDP Act and data-sovereignty policy, with domestic DC investment commitments reportedly swelling toward ~USD180bn; should FamilyAlbum operate and grow in the Indian market, data residency, in-country DR and the 72-hour / CERT-In 6-hour reporting posture become policy-level preconditions.[25][21]
E Economic

A single incident can already mean billions of yen — or billions of dollars — in losses; megaquake macro damage runs into the tens-to-hundreds of trillions, raising the threshold for BCP investment via the cost of downtime.

  1. 🇯🇵 A 29 September 2025 ransomware (Qilin) attack halted production and shipping across Asahi Group's 30 domestic plants, forcing manual workarounds; it caused roughly JPY5bn in lost revenue and, per the final probe (Nov 2025), exposure of up to ~1.9m individuals' personal data (~1.5m customers) with 115,513 records confirmed leaked, recovery dragging into December — a textbook case of 'loss of the digital backbone = business stoppage.'[4]
  2. The 19 July 2024 CrowdStrike incident knocked out ~8.5m Windows devices via a single software update, with direct losses estimated at ~USD5.4bn for the US Fortune 500 alone — proof that one external vendor's defect can trigger a global stoppage even when you are blameless.[13]
  3. 🇺🇸 The February 2024 ransomware attack (ALPHV/BlackCat) on US-based Change Healthcare (a UnitedHealth subsidiary) halted payment and claims processing for ~2 months, cost UnitedHealth ~USD2.46bn, affected ~193m people and saw data still leak despite a USD22m ransom — a US lesson in how the stoppage of one back-end clearing house can paralyze a whole industry.[26]
  4. 🇯🇵 Megaquake macro damage is estimated at ~JPY292tn for the Nankai Trough and ~JPY83tn for a Tokyo metropolitan quake; the latter splits into JPY45tn direct damage plus JPY38tn of lost output/services in the first year — confronting firms with simultaneous HQ-and-supplier shutdown.[1][2]
S Social

Pandemics are being institutionalized internationally while a megaquake's 'disaster-related deaths' were estimated in the tens of thousands for the first time and stranded commuters at up to 8.4m — putting employee safety, staffing and public trust at the core of BCP.

  1. The WHO Pandemic Agreement was adopted by the 78th World Health Assembly on 20 May 2025 (124 in favour, 0 against), institutionalizing international preparedness for the next health crisis and re-raising continuity premises like remote operation and staffing; it enters into force after 60 ratifications.[10]
  2. 🇯🇵 The 2025 estimates put 'disaster-related deaths' on the map for the first time, at up to ~52,000 for the Nankai Trough and ~41,000 for a Tokyo quake; this toll, driven by inadequate support during evacuation, approaches that of direct deaths and makes safety-confirmation, staff welfare and community trust a social BCP duty.[1][2]
  3. 🇯🇵 The new Tokyo quake estimate (Dec 2025, weekday-noon scenario) puts stranded commuters at up to ~8.4m and evacuees at up to ~4.8m — above the previous ~8.0m projection; for MIXI, whose HQ and staff are concentrated in Tokyo, immediate safety-confirmation, hold-in-place / no-mass-return protocols and the duty of care for employees become the top priority of first-response BCP.[29][2]
  4. 2026 health-threat analyses flag H5N1 avian flu spreading into mammals and dairy cattle as a 'Disease X' pandemic risk, call diagnostics 'the weakest link in preparedness,' and note health ODA running 30-40% below 2023; the next crisis may arrive with the world less prepared than after COVID, making permanent remote-operation capability, staffing redundancy and travel policy a continuity premise.[28][10]
T Technological

Ransomware is IPA's #1 organizational threat for a 6th year and supply-chain attacks #2; as the global AWS and Cloudflare failures showed, concentration on cloud and third parties is the dominant technical chokepoint.

  1. 🇯🇵 IPA's 'Information Security 10 Major Threats 2026' ranks ransomware #1 for a 6th straight year and supply-chain attacks #2 for a 4th, with AI-related cyber risk debuting at #3; it explicitly flags a run of 2025 cases escalating into business stoppage — a direct hit to always-on game and social services.[7]
  2. 🇯🇵 Ransomware damage on Japanese firms kept cascading into 2026 — Murata Manufacturing (unauthorized access on 6 Mar) and the Washington Hotel chain (Feb) among the victims; manufacturing accounts for ~28% of domestic victims, with intrusions via subcontractors and supply chains rising sharply, and a 'long tail' of recovery threatening always-on services.[19]
  3. The 20 October 2025 AWS us-east-1 outage, triggered by a DNS race condition, took down 140+ services for ~15 hours; DynamoDB's control plane was not decoupled from us-east-1, so a single-region fault cascaded worldwide — exposing the absence of a true multi-region design.[5]
  4. 🇺🇸 AWS us-east-1 (Northern Virginia) is the de facto hub of the global control plane, and its October 2025 failure rippled worldwide; the dependence of global delivery — including FamilyAlbum's key US market — on a single US region forces a rethink of geographic dispersion and failover design.[5][14]
  5. On 18 November 2025 Cloudflare — which handles ~20% of global web traffic — suffered a ~5h46m outage (11:20-17:06 UTC) from an oversized file generated by an internal config change; not an attack but a self-inflicted misconfiguration that simultaneously downed ChatGPT, X and others — the concentration risk of edge/CDN dependency.[6]
  6. 🇮🇳 India's data-center net additions doubled in 2025 (~387MW added), bringing total capacity to ~1,520MW, with Mumbai the largest demand/supply hub (~48% of 2025 absorption) and the main landing point for international submarine cables; yet a structural reliance on diesel-generator backup remains. As global stacks like FamilyAlbum expand toward emerging Asian sites, capacity opportunity coexists with power and connectivity risk.[25]
  7. 🇯🇵 Monster Strike reportedly runs on a hybrid of on-premise data centers and AWS, and 'server-equipment failures' have repeatedly forced emergency maintenance, in 2023, 2025 and 2026. This is a MIXI-specific continuity issue showing that owned hardware and cloud can each become a single point of failure.[15]
L Legal

Personal-data breaches require prompt and full reports to the PPC plus individual notification; active-cyber-defense duties, the US SEC, India's DPDP, EU DORA, ISO 22301 and the Cabinet Office guidelines raise the legal bar for disclosure and continuity across jurisdictions.

  1. 🇯🇵 Under the amended APPI, leaks involving sensitive data or likely malicious intent trigger a 'prompt report' (within ~3-5 days) and a 'full report' (within 30 days, 60 for unauthorized-access cases) to the Personal Information Protection Commission, plus notification of affected individuals — a very short legal clock once an incident hits.[18]
  2. 🇯🇵 The Active Cyber Defense law mandates government reporting of serious incidents by 15 critical-infrastructure sectors and may pull in connected private-system providers and IT vendors; even if MIXI is not directly designated, its partner and outsourcing network may require indirect compliance.[8]
  3. The EU's Digital Operational Resilience Act (DORA) entered into application on 17 January 2025; it mandates serious-ICT-incident reporting and oversight of ICT third parties (cloud, data centers, etc.), designating 'critical third-party providers' and forcing remediation of concentration risk — raising the global bar for vendor-concentration governance.[20]
  4. 🇺🇸 The US SEC's cyber-disclosure rule requires public companies to disclose material incidents on a Form 8-K (Item 1.05) generally within 4 business days of a materiality determination; despite a 2025 industry petition to rescind it, the rule has become the de facto benchmark for investor expectations on incident disclosure.[23]
  5. 🇮🇳 India's DPDP Rules 2025 require an initial intimation to the Data Protection Board without undue delay, a detailed report within 72 hours, and notification of affected individuals; CERT-In directions add a '6-hour' incident-reporting duty — so any FamilyAlbum operation in the Indian market must satisfy multiple rapid-response clocks at once.[21]
  6. 🇯🇵 The FSA has folded operational resilience (the ability to keep critical operations running at a minimum level under severe events) into its supervisory guidelines, the FISC Security Guidelines were revised to a 13th edition in March 2025, and alignment with DORA is advancing; with a licensed, money-handling public-sports betting business, MIXI may be held to finance-grade continuity standards.[24]
  7. ISO 22301, the international BCM standard, and its certification market are growing fastest in Asia-Pacific (~17% CAGR 2025-33); in Japan the Cabinet Office's 'Business Continuity Guidelines' (March 2023) set the BCM baseline — making certification/alignment increasingly load-bearing as a B2B and IR trust signal.[16][17]
E Environmental

New Tokyo and Nankai Trough damage estimates were issued in 2025 and Mt Fuji ashfall plans revised; the geographic concentration of MIXI's Tokyo HQ and data centers in a seismically and volcanically active zone is the largest, unavoidable BCP premise.

  1. 🇯🇵 In March 2025 the Cabinet Office issued new Nankai Trough estimates — up to ~298,000 deaths, ~2.35m buildings destroyed/burned and ~JPY292tn in economic damage; on 1 July 2025 the government revised its basic plan, targeting an 80% cut in deaths and 50% in destroyed buildings over a decade and expanding measures from 48 to 205.[1][3]
  2. 🇯🇵 The new Tokyo metropolitan quake estimate (19 December 2025, first revision in 12 years) puts deaths at up to ~18,000, ~400,000 buildings destroyed/burned and ~JPY83tn in damage; 100% seismic retrofitting would cut collapses ~90%, but it forces firms to confront simultaneous loss of Tokyo-concentrated HQ, talent and comms.[2]
  3. 🇯🇵 A worst-case Mt Fuji eruption could drop up to ~30cm of ash on central Tokyo, reaching the Kanto plain within 1-2 hours and paralyzing transport, power and comms; the Cabinet Office warned in November 2025 (via a CG video) of a 'national crisis-level' event and Tokyo revised its ashfall response plan in September 2025 — adding volcanic ash to earthquakes as a hazard that directly hits data-center cooling, commuting and logistics.[22]
  4. 🇯🇵 MIXI's information-security materiality commits to 'establishing a BCP and thorough countermeasures to keep services running in emergencies'; with a Tokyo HQ and Monster Strike infrastructure, geographic dispersion of HQ/data centers and operational continuity under disaster are disclosed obligations it will be measured against.[14][15]

Timeline

  • 2024-02-21 US Change Healthcare ransomware halts payments/claims for ~2 months
  • 2024-06-08 KADOKAWA/Niconico hit by ransomware, ~2-month outage
  • 2024-07-19 CrowdStrike incident downs ~8.5m Windows devices worldwide
  • 2025-01-17 EU DORA enters application (oversight of ICT third parties, concentration risk)
  • 2025-03 FISC Security Guidelines revised to 13th edition (finance IT resilience)
  • 2025-05 World Health Assembly adopts the WHO Pandemic Agreement
  • 2025-05-16 Japan's active-cyber-defense laws enacted (promulgated 23 May)
  • 2025-07-01 Nankai Trough basic plan revised (80% death-reduction target)
  • 2025-09-29 Asahi Group ransomware halts 30 plants / Tokyo revises Mt Fuji ashfall plan
  • 2025-10-20 AWS us-east-1 outage downs 140+ services for ~15 hours
  • 2025-11-14 Cabinet Office releases Mt Fuji ashfall CG video, warns of 'national crisis-level' event
  • 2025-11-18 Major Cloudflare outage disrupts the global web for ~5.8 hours
  • 2025-12-19 New Tokyo metropolitan quake estimate released (first in 12 years; up to 8.4m stranded commuters)
  • 2026-01-29 IPA's '10 Major Threats 2026' published (ransomware #1 for a 6th year)
  • 2026-03 Wave of ransomware hits Japanese firms incl. Murata Manufacturing
  • 2026 H5N1 pandemic-potential risk and a diagnostics gap come into focus (Disease X preparedness)
  • 2026 Active cyber defense phased enforcement & public-private council (planned)
  • 2026 India DPDP Rules' 72-hour breach-notification regime ramps up (planned)

Entities

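  • Cabinet Office (Disaster Management) / Central Disaster Management Council [Government]
  • IPA (Information-technology Promotion Agency) [Government]
  • Personal Information Protection Commission (PPC) [Regulation]
  • NISC / Active Cyber Defense [Regulation]
  • Financial Services Agency (FSA) / FISC [Government]
  • EU DORA [Regulation]
  • US SEC cyber-disclosure rule (Item 1.05 8-K) [Regulation]
  • India DPDP Act / CERT-In [Regulation]
  • Amazon Web Services (AWS) [Tech]
  • Cloudflare [Tech]
  • ISO 22301 [Regulation]
  • Qilin / BlackSuit (ransomware groups) [Tech]
  • ALPHV / BlackCat [Tech]
  • Murata Manufacturing [Company]
  • Change Healthcare / UnitedHealth [Company]
  • Monster Strike (モンスト) [Product]
  • FamilyAlbum (みてね) [Product]
  • TIPSTAR / public-sports betting [Product]
  • Mumbai data-center cluster [Market]
  • TSMC [Company]
  • WHO emergency and pandemic management division [Government]
  • Stranded-commuter countermeasures (Tokyo Metropolitan Government / Central Disaster Management Council) [Government]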

Sources

  [1] [In detail] Nankai Trough megaquake damage estimates on a map (2025 edition) — Jiji Press (Jiji.com), 2025-03
  [2] Overview of the revised 'Tokyo metropolitan earthquake damage estimate' and comparison with the previous estimate — Tokio Marine dR, 2025-12
  [3] Nankai Trough earthquake: new infrastructure and building measures; government plan revised to cut deaths by 80% — Nikkei xTECH, 2025-07
  [4] Asahi confirms 2025 cyberattack led to leak of 115,513 sets of personal data — The Japan Times, 2026-02
  [5] AWS Outage Analysis: October 20, 2025 — ThousandEyes (Cisco), 2025-10
  [6] Cloudflare outage on November 18, 2025 — Cloudflare, 2025-11
  [7] Press release: 'Information Security 10 Major Threats 2026' decided — IPA (Information-technology Promotion Agency), 2026-01
  [8] Impact of the introduction of active cyber defense on critical-infrastructure operators — PwC Japan, 2025
  [9] BlackSuit ransomware gang claims attack on KADOKAWA corporation — BleepingComputer, 2024-06
  [10] World Health Assembly adopts historic Pandemic Agreement — PAHO / WHO, 2025-05
  [11] A string of submarine-cable cutting incidents (September 2025) | The Taiwan Strait and the battle of the 'invisible war' — Canon Institute for Global Studies (CIGS), 2025-09
  [12] Why Taiwan Fears 'America First' Risks Eroding Its 'Silicon Shield' — Stimson Center, 2025
  [13] CrowdStrike disruption direct losses to reach $5.4B for Fortune 500, study finds — Cybersecurity Dive, 2024-07
  [14] Information Security and Privacy (Materiality / Sustainability) — MIXI, Inc., 2025
  [15] MIXI carries out emergency maintenance on 'Monster Strike' ... to deal with a server-equipment failure — gamebiz, 2025-05
  [16] Business Continuity Guidelines: Strategies and Responses for Surviving Critical Incidents (March 2023) — Cabinet Office (Disaster Management), 2023-03
  [17] Best Practice Business Continuity with ISO 22301 — SGS, 2025-04
  [18] Basics of the Act on the Protection of Personal Information, corporate compliance and amendment trends (breach-reporting obligations) — BUSINESS LAWYERS, 2026
  [19] Japanese Firms Suffer Long Tail of Ransomware Damage — Dark Reading, 2026
  [20] Digital Operational Resilience Act (DORA) — EIOPA (EU), 2025-01
  [21] Data Breach Notification Obligations Under the DPDP Act & DPDP Rules — King Stubb & Kasiva, 2025
  [22] Vivid portrayal of ash fall damage in Tokyo from Mt. Fuji eruption: Cabinet Office releases CG video — Science Japan (JST), 2025-11
  [23] SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure — U.S. Securities and Exchange Commission, 2023-07
  [24] Dialogue between the FSA and FISC (operational resilience, FISC Security Guidelines) — Financial Services Agency (Japan), 2025-12
  [25] India data centre capacity more than doubled to 387 MW in 2025, total stock 1,520 MW — DD News (India), 2026-01
  [26] The complete story of the 2024 ransomware attack on UnitedHealth (Change Healthcare) — Kaspersky, 2024
  [27] Japan Cyberattacks 2026: Russia, China, and the Reallocation — CybelAngel, 2026
  [28] Six major health threats that could shape 2026: here's what experts are watching — Gavi, the Vaccine Alliance, 2026
  [29] [In detail] Tokyo metropolitan earthquake damage estimates on a map (2025 edition) — Jiji Press (Jiji.com), 2025-12