The Financial Supervisory Service issued management cautions to five financial companies that poorly managed outsourcing to external specialist firms or failed to properly conduct in-house IT audits.

According to the financial sector on the 23rd, the Financial Supervisory Service (FSS) recently issued management cautions and improvement items along these lines to Carrot General Insurance, Jeju Bank, BC Card, KB Savings Bank, AXA General Insurance, and Hana Securities. These companies outsource related tasks to external specialist firms to focus on core operations and streamline electronic financial transactions, but an FSS inspection found that they had no department or system in place to manage third-party services.


In particular, Carrot General Insurance, AXA General Insurance, and KB Savings Bank had set up IT audit organizations but did not audit the appropriateness of work related to outsourced vendors for about three years. The Financial Supervisory Service (FSS) said, "They should establish audit plans that include outsourced work and strengthen the management of work appropriateness for outsourced vendors."

BC Card has outsourced its cloud service infrastructure and security operations to external vendors, yet it did not run internal audit procedures covering them. Its level of IT governance management was also inadequate, as it did not prepare operational status reports for the cloud services under outsourced management.

There were also concerns that enterprise-wide disaster recovery would not proceed smoothly, as a separate disaster recovery system was being operated for the outsourced cloud service infrastructure.

Hana Securities conducts business impact analyses in each department to prepare a business continuity plan (BCP) in case of emergency, but each department set recovery time objectives regardless of the business impact analysis results.

In addition, because of insufficient coordination among departments, the core operations selected by the business impact analysis differed from the core operations in the IT emergency plan. The Financial Supervisory Service (FSS) said, "After reviewing appropriateness, they should finalize the business impact analysis results and reflect those results in the IT emergency plan."
