Lee Chan-jin, governor of the Financial Supervisory Service, said that if information technology (IT) and information security incidents recur in the financial sector due to inadequate internal controls, the agency will apply a zero-tolerance policy and hold those responsible to account.

Financial Supervisory Service Governor Lee Chan-jin delivers his opening remarks at a meeting with civic and consumer groups at the Financial Supervisory Service in Yeongdeungpo-gu, Seoul, on the 24th of last month. /Courtesy of News1

At a "financial security paradigm shift" roundtable on Apr. 7 at the Financial Supervisory Service headquarters in Yeouido, Seoul, the governor said, "If IT incidents are repeated due to failure to fulfill basic obligations or poor internal controls, we will respond with a zero-tolerance policy." Lawmakers, financial associations, and officials from domestic and overseas security companies attended the event.

The Financial Supervisory Service plans to shift its supervisory approach from post-incident sanctions to preemptive prevention. Lee Chan-jin said, "There is a sense of crisis that the current supervisory framework has limits in preventing recurring security incidents," adding, "Not only external hacking but also system failures caused by internal factors continue, so we need to fundamentally change the financial security paradigm."

To that end, the Financial Supervisory Service will build a preemptive supervisory system. It will use the Financial Information security integrated monitoring system (FIRST), which began operating in February, to strengthen round-the-clock monitoring and feedback, and will identify financial companies with high incident risk for intensive oversight.

It also called on financial companies to strengthen preemptive risk management. It will require systematic identification and management of IT assets, mandate at least one security vulnerability analysis and assessment per year, and encourage the establishment of autonomous vulnerability remediation systems.

It also asked the National Assembly to swiftly pass amendments to the Electronic Financial Transactions Act. The bill would allow regulators to impose a penalty surcharge of up to 3% of revenue on financial companies in the event of a hacking incident. If the bill passes, virtual asset service providers could face comparable levels of sanctions. The current maximum penalty surcharge is 5 billion won.

Lee Jeong-mun, a lawmaker of the Democratic Party of Korea who serves on the National Policy Committee, also said he would support related legislation to raise the level of information protection in the financial sector.

Security experts at the roundtable noted that data leaks due to basic management negligence and ransomware attacks using artificial intelligence (AI) are increasing, and stressed that expanding security investment and training specialized personnel at financial companies is urgent.

Heads of financial associations also agreed on the need to shift the financial security framework and said they would strengthen emergency response drills and other capabilities. The Financial Supervisory Service plans to prepare guidelines for responding to major electronic financial incidents in the financial sector and to swiftly push ahead with related tasks such as joint disaster recovery drills.
