The Financial Security Institute is discussing ways to tighten post-certification inspection standards for the Personal Information and Information Security Management System (ISMS-P) for financial companies with the financial authorities and the Personal Information Protection Commission (PIPC). With the Ministry of Science and ICT signaling that it will revoke ISMS-P certification from corporations found through post-inspections to have inadequate security, the Financial Security Institute is also expected to present inspection standards that reflect the characteristics of financial companies. As cyberattacks targeting financial companies have continued recently, the intent is to screen the eligibility requirements for maintaining ISMS-P certification more strictly in order to raise security levels.
According to the financial industry on the 6th, the Financial Security Institute plans to soon hold discussions with the financial authorities, the Personal Information Protection Commission (PIPC) and others on strengthening ISMS-P post-inspection standards. Measures such as increasing inspection items for elements that can threaten security, including malware, are expected to be discussed.
ISMS-P certification is an accredited system that evaluates whether an organization responds effectively to cyber intrusion threats and whether corporations' information protection systems and customer personal information protection management systems are operated appropriately. It is regarded as the highest-level management system certification in Korea. The certification scope includes whether the organization necessary for information protection is in place and the adequacy of personal information processing. Without certification, companies face disadvantages such as not receiving extra points in bids for projects conducted by public institutions. If an entity obligated to obtain certification fails to do so, fines are imposed.
While the Personal Information Protection Commission (PIPC) mainly prepares the ISMS-P evaluation standards, the Financial Security Institute is involved in items related to financial transactions. In these discussions as well, the Financial Security Institute plans to present the elements needed to strengthen security at financial companies.
The government conducts an annual post-review of corporations that have obtained ISMS-P certification, checking key items such as password management, encryption application and personal information processing. This is to determine whether they can maintain certification. The Financial Security Institute inspects financial companies, while the Personal Information Protection Commission (PIPC) handles corporations in other sectors.
The Financial Security Institute is moving to these talks because criticism that the ISMS-P system is ineffective has emerged as cyberattacks on domestic corporations have continued. Last year, at the virtual asset exchange Upbit, 44.5 billion won in member assets was leaked externally due to hacking, and Lotte Card also had the personal information of 2.97 million members leaked. Coupang last month saw 33.7 million customer account details exfiltrated, and Shinhan Card had 190,000 merchant owner records leaked. All of these corporations hold ISMS-P certification.
In response, the Ministry of Science and ICT and the Personal Information Protection Commission (PIPC) last month held a countermeasure meeting with certification bodies, including the Korea Internet & Security Agency (KISA) and the Financial Security Institute, as well as private-sector experts, and decided to implement more detailed ISMS-P revocation standards and procedures. The core of the plan is to revoke certification after deliberation if significant defects are found in the annual post-review, or in cases of refusal to undergo inspection, failure to submit materials or false submissions. If certification is revoked, fines are imposed and disadvantages are applied in bids for public institution projects. Once certification is revoked, reapplication is not allowed for one year thereafter.
An official at the Financial Security Institute said, "Relevant agencies have formed a consensus that post-review standards need to be strengthened and are at the stage of setting the direction."