Financial Authorities Initiate Advancement of Financial Security Regulations... Focusing on Autonomy and Ex-post Regulation

by Yoo Jaehoon

Published 27 Dec.2022 06:00(KST)

Big Tech Grows Larger but Regulatory Loopholes Remain, Including Exemption from Disaster Recovery Center Installation
Task Force to Form 'Financial Security Regulatory Framework' in First Half of Next Year... Roadmap Discussions

[Asia Economy Reporter Yu Je-hoon] The government is reforming financial security regulations, shifting from preemptive regulations to autonomy, responsibility, and post-regulation. This decision comes from the judgment that preemptive, micro-level regulatory methods are ineffective in responding to rapidly changing IT environments and various security risks, as revealed by incidents such as the Kakao data center fire in October.

On the 27th, the Financial Services Commission announced that at the 5th Financial Regulation Innovation Meeting held on the 20th, they discussed the 'Financial Security Regulation Advancement Plan' containing these details. Accordingly, the financial authorities plan to form a 'Financial Security Regulatory System Improvement Task Force (TF)' in the first half of next year to begin reviewing a long-term roadmap in earnest.

The government's move to advance financial security regulations is due to the diversification of cyber threats such as ransomware and DDoS attacks targeting security vulnerabilities arising from the adoption of new technologies, as well as the intensification of so-called '3rd party risk,' where incidents like failures and information leaks in non-financial sectors spill over into the financial sector. The data center fire incident in October is a representative example.

Accordingly, the financial authorities plan to reorganize financial security regulations based on the principles of autonomy and responsibility, focusing on post-regulation. First, they intend to improve the regulatory system so that financial companies comply with financial security at an enterprise-wide level and establish autonomous security systems. Specifically, they will expand the authority of the Chief Information Security Officer (CISO) and elevate financial security as a core corporate value through obligations such as reporting important security matters to the board of directors.

Furthermore, security regulations will shift to being goal- and principle-oriented and focused on post-responsibility. The current Electronic Financial Transactions Act's obligation to ensure safety will be divided into ▲personnel, organization, and budget ▲internal control ▲system security ▲data protection, with the main principles and goals of financial security specified in the law and detailed provisions abolished. Corresponding parts of the Electronic Financial Supervisory Regulations will also retain only essential items, with detailed matters replaced by guidelines or explanatory documents.

If an autonomous security system is not established or a security incident occurs, post-responsibility will be strengthened, including the introduction of a penalty system. The management and supervision method will also shift to the principle of autonomous responsibility. Instead of supervising violations of existing security regulations, the financial authorities plan to focus on verifying the establishment and implementation of autonomous security systems.

Hot Picks Today

"It Has Now Crossed Borders": No Vaccine or Treatment as Bundibugyo Ebola Variant Spreads [Reading Science]

The Financial Services Commission plans to form a Financial Security Regulatory System Improvement TF in the first half of next year to actively review the roadmap. A Financial Services Commission official stated, "We will form a regulatory system improvement TF involving the Financial Supervisory Service, Financial Security Institute, and IT security experts in the first half of next year to begin reviewing a long-term roadmap," adding, "We also plan to prepare a detailed implementation schedule."