Today, Mizuho Bank, Ltd. submitted its revised plan for IT system upgrades and updates through the end of October, in conformance with the business improvement order dated September 22, 2021.
Both Mizuho Financial Group, Inc. and Mizuho Bank, in light of the recent series of IT system failures, have been exercising great care in our implementation of system upgrades and updates. This has entailed examination and thorough screening of the need to upgrade or update individual components, as well as evaluation of the potential impacts on customers and settlement operations in the event of a failure and of our measures to prevent such impacts.
As we are treating the business improvement order with the utmost seriousness, we have completed a reassessment and review as below.
Our top priority is the stable operation of our IT system, and we will do all in our power to ensure upgrades and updates proceed steadily and securely. All of our employees will continue to work together towards this goal.
1. Reassessment and review of the plan for scheduled upgrades and updates to the IT system
In regard to the business improvement order's direction to reassess and review with consideration to past system failures, the necessity and urgency of upgrades and updates to the IT system, and the risks to banking operations, we have clarified our confirmation and decision–making criteria for scheduled releases as below.
We will integrate releases fulfilling these confirmation and decision–making criteria into our implementation plans. However, we will delay any releases that require additional measures and time to fulfill the confirmation criteria as well as any releases that do not fulfill the decision–making criteria.
(1) Measures in light of past system failures
In light of past system failures, we have clarified the following conditions for releases in which the greatest consequence in the event of a system failure would be a critical impact on a large number of customers and/or on settlement operations:
・In principle, avoid releases at times when there is a high system load due to online processing, batch processing, or similar and to avoid releases at the beginning and end of the month
・In advance of migration processing of large volumes of data, conduct performance assessments accounting for processing volume on the date of the migration, including the load on other systems with potential to have an impact.
In addition, we have added review of system quality, release plans, and appropriate scheduling to our project screening process.
(2) Measures in light of the necessity and urgency of upgrades and updates to the IT system
We have further clarified our decision–making criteria for necessity and urgency. The specific criteria are as follows.
1) Upgrades/updates necessary to prevent further system failures and to ensure stable system operation
2) Upgrades/updates to enhance security and ensure protection of users
3) Upgrades/updates that respond to requests or complaints from customers and that would cause inconvenience to customers if delayed
4) Upgrades/updates necessary in connection with changes to various frameworks or with changes to in–use or linked external systems, platforms, operating systems, or similar
5) Upgrades/updates related to preserving and maintaining hardware and addressing obsolescence and similar issues
In considering delays to releases of upgrades/updates other than those above, we will also account in our decision–making for the possibility of such delays causing releases to overlap and thus affecting our ability to secure an adequate release framework.
(3) Measures in light of risks to banking operations
Releases that could have a significant impact on banking operations critical for a large number of customers or for settlement systems require even stronger risk control. As such, we will analyze the greatest potential risks and engage in more cautious development and preparation of release frameworks. In addition, we will further enhance our inspection and checking in this area not only by reconfirming the comprehensiveness of our system contingency plan and the procedures and required time for restoration but also by establishing and enhancing business contingency plans and managing risks.
2. Securing an effective management framework for upgrades and updates to the IT system
We have been endeavoring to secure an effective management framework for upgrades and updates to the IT system, in doing so confirming the results of system quality evaluations and preparations for system operation. In light of the recent series of system failures, we have reviewed our confirmation and evaluation process as follows and added more multifaceted checks.
(1) Additional approval process accounting for impact on customers
When the department with jurisdiction over the system determines that there is a potential risk of a release leading to a system failure with an impact on customers, either in regard to settlements or in regard to a broader range of services, the department with jurisdiction over the relevant operations, products, or services will take part in the approval process. Through the process, based on the nature and extent of the potential impact, we will assess and confirm the adequacy of measures to respond to customers and decide on the implementation of the release.
(2) Additional approval process accounting for upgrades/updates requiring multifaceted checks
In regard to upgrades/updates that require multilayered confirmation of large–volume data processing and technical features as well as of impact on customers, the IT Infrastructure & Project Management Department newly established in July 2021 will take part in the approval process. Through the process, we will assess the adequacy of the contingency plan and the management framework and decide on the implementation of the release.
3. Reporting by October 29 deadline set in the business improvement order
In response to the business improvement order, Mizuho Bank will report the plan for scheduled upgrades and updates to the IT system based on the approach outlined above.
In addition, Mizuho Financial Group will verify the results of Mizuho Bank's reassessment and review of the plan and also verify the plan to ensure an effective management framework.