The Financial Supervisory Service will step up inspections of corporate insurance agencies (GA; General Agency), which had been a blind spot in security management. The Financial Supervisory Service plans to establish security inspection standards to examine the security conditions of GAs. A plan is also under review for insurers that outsource work to GAs to inspect the GAs.
According to the financial authorities on the 9th, the Financial Supervisory Service will draw up standards to inspect the IT security conditions of corporations that are entrusted with work by financial companies, including GAs. It is expected to look into whether external access to internal networks is effectively blocked, such as whether a two-factor authentication system has been introduced.
Once the standards are established within the year, the Financial Supervisory Service plans to either inspect GAs directly or have insurers conduct the inspections. According to the "third-party risk management guidelines for insurers" released by the Financial Supervisory Service in Nov. last year, insurers must systematically assess whether there are risk factors in the process of entrusting product sales to GAs.
According to the Korea Insurance Research Institute, there are about 4,000 GAs nationwide. Of these, roughly 60% are inspected by the Financial Security Institute upon request from the financial authorities. Due to limitations in personnel and other resources, security inspections are not properly carried out for the remaining 40%.
The move to establish standards is seen as an effort to strengthen oversight of GAs, whose security is relatively weak compared with large insurers, amid a series of cyberattacks targeting financial companies. Last year, about 2.97 million individuals' personal information was leaked at Lotte Card, and the virtual asset exchange Upbit suffered an incident in which member assets worth 40 billion won were stolen due to an external attack.
GAs also tend to be weak in internal controls. The Financial Supervisory Service classified more than half, or 52%, of GAs with 500 to fewer than 1,000 affiliated agents as grade 4 (vulnerable) and grade 5 (risky) in internal controls. The evaluation items include whether an IT system has been built and is in operation. An official at the Financial Supervisory Service said, "We plan to decide on security inspection methods as soon as the draft standards are released."