Introduction

To achieve the digital transformation of the financial sector, it is crucial to maximize the potential of cloud services. However, in the Republic of Korea (ROK), cloud computing and IT migration in financial firms remain in the incipient stage because of massive information leaks in the past and subsequent loss of trust in cloud services.

From October 2012 to December 2013, 140 million users’ personal data held by KB Card, NH Card, and Lotte Card were leaked, including credit card numbers, bank account numbers, social security numbers, mobile phone numbers, addresses, salaries, and marital status. The data breach was traced to an employee of the Korea Credit Bureau, who sold the stolen data. In response, regulatory authorities mandated the physical network separation of the intranet and internet for all domestic financial institutions.

The strict regulation of cloud computing and network security, however, hindered the adoption of digital technologies, including cloud services, by the financial sector. Regulators have since fine-tuned the rules to support the sector’s digital transformation. The adoption of cloud services can be further promoted by rebuilding trust in their reliability and stability.

Increased Efficiency

A cloud service provider delivers a wide array of online services, such as data storage, computer infrastructure, and software. In the ROK, affiliates of Amazon and Microsoft lead this market, followed by affiliates of Google and Oracle. Leading domestic providers include the affiliates of Hana Financial Group, Naver, and Koscom.

Financial firms can subscribe to cloud services to manage and modernize their IT systems in a relatively short time and at a lower cost. With cloud services flexibly managing their data centers, client firms can cope with increased online traffic even during peak periods. They can also save on time and money since they do not need to establish their own data center and programs.
For instance, Citibank saved on operational costs and improved application performance after transferring its back-office applications to the cloud. In addition, using the cloud for mobile banking or payments increases the speed of data processing, which improves services for financial consumers.

According to an Accenture survey of executives from some of the world’s large banks, some 82% of respondents, who are most conservative toward a cloud transition for security reasons, indicated that they had already shifted 50% or more of their mainframes to a cloud server or plan to do so. Spain’s Santander, a top-20 global bank by total assets, has transferred over 80% of its worldwide computer systems to the cloud as of May 2022.

Slow Pace of Adoption

The low penetration rate of cloud services among Korean financial firms stems from trust issues arising from incidents of massive information leaks in 2013 and the threat of a cyberattack from the Democratic People's Republic of Korea. These risks led to requiring companies to physically segregate their external and internal networks.

In 2016, regulations were eased to allow the use of a cloud server for research and management support as long as this does not handle client information. Subsequently, domestic financial firms began to use the cloud for emails and messenger services. In 2019, the use of cloud servers was allowed to handle personal credit information and unique identification information under certain conditions. This led to an increasing number of financial firms using cloud servers for client services and at-home work.

However, except for some insurers and investment firms, data suggests that domestic financial firms are not using cloud-based services for data analysis or core operations, such as mobile banking and contract management. For example, savings banks and smaller financial firms indicated they have yet to feel the need to adopt cloud services, or are reluctant to do so due to the additional cost.
Moreover, Korean financial institutions are allowed to use cloud services for less important tasks only. Regulatory authorities still do not allow the storing of personal data in the cloud even though financial institutions need them for big data analysis.

Improving Cloud Security

With the use of cloud computing services, such as software as a service (SaaS), gaining popularity in the financial sector, the regulatory authorities plan to allow financial institutions to apply for exemption under the financial regulatory sandbox program starting August this year. The program grants an exemption from the requirement to separate their intranet and internet physically so they can test new services. Financial institutions will have to verify the stability of SaaS in the sandbox for 2 years. Only then will regulations on cloud services be eased and the expansion of cloud services to important tasks, such as electronic financial transactions, be allowed.

Banks and financial institutions can adopt four strategies to strengthen the security of cloud services.

Clearly classify information by its importance and grant different levels of access to information.

Separating critical from noncritical information assets and limiting access to critical information, such as personal data, are the fundamental aspects of ensuring data security in the financial sector. Yet, these are still not being done properly. Financial institutions need to enhance data management efficiency. They can tap a wide array of technologies to strengthen data protection, such as those that enable automatic anonymization of personal data.

Adopt a Zero Trust security system.

Zero Trust is a security strategy that prevents any external party or device from accessing a corporate network unless it is explicitly deemed necessary.
The Korea Information Security Industry Association (KISIA) has established the Korea Zero Trust Alliance (KOZETA) with the country’s leading IT security companies as members to verify the stability of this strategy.

Manage concentration risks.

Issues surrounding cloud concentration risk were raised in the country in October 2022, when a fire broke out at the data center of SK C&C, the country’s leading IT service provider. The fire led to the breakdown of services, including financial services offered by two tech giants, Kakao and Naver, for up to 72 hours. Cloud concentration risk is not limited to the ROK, as the surge in the global market share of some cloud service providers poses a systemic risk. To address this problem, a multi-cloud strategy, which is the use of cloud services from more than one cloud provider for processing different workloads, should be adopted. Wells Fargo in the United States is adopting this strategy.

Cultivate expertise on internal cloud service and security.

Companies need to have their own cloud computing and financial security experts. Even if they entrust critical tasks to a third party, companies also need to have extensive knowledge of the task to make sure it is done well. As the data breaches that occurred in 2012 and 2013 show, the organization or company also bears the responsibility for such incidents even if a third party is at fault. Moreover, training and educating cloud and security experts in the company are important as most security breaches on a cloud server are caused by lack of user expertise or management lapses.

Resources

Korea Institute of Finance website.

Ask the Experts

Christopher Byungho Suh
Director/Senior Research Fellow, Financial Innovation Division, Korea Institute of Finance

Christopher Byungho Suh’s research areas include digital transition of financial firms, digital financial platforms, financial regulatory innovations, and crypto assets.
He currently works as an ombudsman at the Financial Services Commission (FSS) and was a senior advisor to the governor of FSS. He holds a bachelor’s degree in history from Seoul National University and a PhD in economics from the University of Michigan at Ann Arbor.

Korea Institute of Finance (KIF)

The Korea Institute of Finance provides expert analysis for the development of the Republic of Korea's financial sector and financial policy.