To let financial companies use cloud-based software (SaaS) more freely, the financial authorities will ease network separation rules. The authorities said on the 20th they would pre-announce a revision to the Detailed Enforcement Rules of the Electronic Financial Supervision Regulations that recognizes exceptions to network separation when a financial company uses cloud-based application software on its internal business network, on the condition that it meets certain security requirements.

The move is part of an institutional overhaul to improve financial companies' administrative efficiency and IT resource utilization while improving internal and external collaboration environments. Until now, even when financial companies sought to use external cloud services to streamline work, most cases had to undergo an innovative financial service review because of the network separation rules. However, given that 32 financial companies have recently operated 85 SaaS-related innovative financial services stably, the authorities decided to write the exception into the rules so that such use can be permitted on a standing basis.


Under the revision, SaaS is defined as an "application software service" under the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users and will not be subject to the network separation rules of Article 21 of the Electronic Financial Transactions Act. However, cases that handle personal information or personal credit information are excluded from the exception.

Security reinforcement measures will proceed in parallel with the easing of network separation. Financial companies may use only SaaS that has undergone security evaluations by incident response agencies such as the Financial Security Institute, and they must mandate specific security controls including security management of business terminals, network encryption, monitoring of the processing of important information, and minimization of access rights. They must also check the status of information security implementation once per half-year and report to the Information Security Committee.

The authorities expect the revision of the detailed enforcement rules to allow financial companies to quickly adopt a wide range of cloud-based software, including document creation, video conferencing, and human resources management. This is expected to deliver effects such as improved work efficiency, strengthened collaboration among domestic and overseas branches, and reduced IT infrastructure expenses.
