Six of the top 10 savings banks cut their information security budgets this year. With hacking incidents erupting one after another in the financial sector—Seoul Guarantee Insurance Company and Welcome Financial Group recently, followed by Lotte Card—critics say reducing information security budgets shows a lack of awareness about hacking risks.
According to data on annual information security budget allocations for savings banks, which People Power Party lawmaker Kim Sang-hoon of the National Policy Committee received from the Financial Supervisory Service on the 1st, six of the top 10 savings banks by asset size reduced their information security budgets from the previous year. The annual information security budget allocation is the portion of a company's total one-year budget earmarked for information security, and it indicates how much weight the company places on information protection.
OK Savings Bank, which increased its asset size this year to take the No. 1 spot, made the largest cut, reducing its information security budget from 8.1 billion won last year to 5.7 billion won this year. Still, OK Savings Bank has recorded the highest level of information security spending in the industry for several years. Welcome Savings Bank of Welcome Financial Group, which suffered a hacking incident, also reduced its budget from 2.3 billion won last year to 1.8 billion won this year. In addition, ▲ DB Savings Bank ▲ Shinhan Savings Bank ▲ Hana Savings Bank ▲ Pepper Savings Bank cut their information security budgets from a year earlier. All 10 savings banks increased their total budgets from the previous year, but most kept information security budgets flat or reduced them.
Some also saw a decline in the share of information security staff. The information security staffing ratio is the share of staff dedicated to information security compared with information technology (IT) personnel. Among the 10 companies, the ratios fell year over year at ▲ OK Savings Bank (9.4%→9%) ▲ Welcome Savings Bank (6.7%→6.4%) ▲ Shinhan Savings Bank (11.8%→11.1%). However, all met the voluntary standard suggested by the Financial Security Institute (5% of IT staff). For Welcome Savings Bank, both the budget and the information security staffing ratio decreased from the previous year.
With hacking incidents occurring in succession at second-tier financial institutions such as SGI Seoul Guarantee, Welcome Financial Group, and Lotte Card, a red alert has been raised over the security of the secondary financial sector. The Welcome Financial Group incident began when its affiliate, the lending company Welrix F&I, was hit by a ransomware attack carried out by a hacker group. It was also pointed out that lending companies are not subject to the Electronic Financial Transactions Act, so there are no specific regulatory requirements for their security systems.
Financial authorities are focusing on the fact that the spate of hacking incidents has been concentrated in the secondary financial sector. They are also reviewing punitive penalty surcharges on corporations that repeatedly suffer personal data leaks and considering institutional supplements to strengthen regulation of the secondary financial sector.
A Digital Financial Security Act to establish the foundation for voluntary security in the financial sector is also expected to be enacted within this year. The bill would impose strong liability on financial companies when information is leaked due to hacking and other causes. The idea is to grant autonomy for financial companies to build their own security systems, but to punish them severely if an incident occurs. With President Lee Jae-myung also calling for strong measures against financial company hacking incidents, the legislation of the Digital Financial Security Act is expected to gather speed.
Kim Seung-joo, a professor at the Graduate School of Information Security at Korea University, said, "Taking this opportunity, the government should refer to overseas examples of voluntary security to set a minimum regulatory line and create a structure that can hold corporations accountable after incidents," and noted, "If corporations cannot take responsibility for damages, they should have the resolve not to offer financial services at all."