Financial System Report Annex Series

Key Considerations for Risk Management in Using Cloud Services

March 8, 2021
Financial System and Bank Examination Department
Bank of Japan

Abstract

Cloud services are on-demand services that use shared computer system resources (servers, middleware, storage, etc.) accessible via a network, and have become an integral part of many financial institutions' systems. With the digital transformation (DX) trends in recent years, cloud services are often seen as the dominant option for the use of new digital technologies; therefore, it is becoming necessary for the top management of financial institutions to have basic knowledge of cloud services. This has raised questions on how best to manage security and availability in using cloud services.

In this paper, the Bank of Japan summarizes the important issues that financial institutions need to address to dispel such concerns, in the order of security management, availability management and resilience assurance, and vendor management. The Bank also provides explanations on cost control, the system development framework and securing human resources, and formulating cloud policies, so that institutions can enjoy the expected benefits of cloud services. In the Appendix, the Bank compiles a list of control items and practices that address these important issues, based on information obtained in cooperation with financial institutions, cloud service providers, and others.

The Bank hopes this paper will help the top management of financial institutions and their stakeholders to maintain and improve their IT governance by increasing their awareness of cloud services and related risk management practices.

Notice

Please contact the Financial System and Bank Examination Department at the e-mail address below to request permission in advance when reproducing or copying the contents of this Annex for commercial purposes.

Please credit the source when quoting, reproducing, or copying the contents of this Annex for non-commercial purposes.

Inquiries

Computer System Risk and Business Continuity Group, Examination Planning Division,
Financial System and Bank Examination Department, Bank of Japan

E-mail: csrbcm@boj.or.jp