The Financial Services Commission plans to allow the use of artificial intelligence (AI) for security purposes by easing network separation rules for financial firms.
The Financial Services Commission (FSC) on the 22nd held a roundtable on responding to security threats related to high-performance AI, chaired by Vice Chair Kwon Dae-young, with AI and security experts and chief information security officers (CISOs) from major financial companies in banking, securities, and cards in attendance.
The Financial Services Commission (FSC) decided to ease network separation rules for the use of AI for security purposes. This will allow the use of AI for security purposes, including vulnerability assessments using high-performance AI and building defense systems through security software as a service (SaaS) solutions.
Because the government will not separately subsidize AI build-out costs, eligibility will be limited to financial firms with a certain level of security capability. The 49 financial companies subject to the Electronic Financial Transactions Act that must appoint a dedicated chief information security officer (CISO) are those with total assets of at least 10 trillion won and at least 1,000 full-time employees. For applicant firms, after expert evaluations of security management capabilities and AI utilization skills, the Financial Services Commission (FSC) will temporarily ease network separation rules for one year through reporting to the commission and the issuance of a no-action letter.
Financial firms subject to the eased rules will be able to use AI and SaaS for security purposes, such as vulnerability testing using high-performance AI and leveraging security SaaS solutions. In return, they must comply with security disciplines that supplement the relaxed network separation and report to the government the identified characteristics of high-performance AI security risks, the anticipated risks if used for offensive purposes, and effective defense and response practices confirmed by tests. The government plans to use this information to flesh out guidelines to strengthen cybersecurity across the financial sector.
Applications and reviews will proceed in first to third rounds. The first round, considering the urgency of high-performance AI security threats, will conclude in June–July, selecting up to 10 financial companies based on test readiness and security management capabilities. The second round, targeting 10–20 companies including additional applicants and firms needing supplementary preparation, will proceed in August–September, and the third round will be conducted in the fourth quarter, taking into account remaining demand.
Separately, for financial firms that do not apply to the program, the government plans to support AI vulnerability assessments of external attack surfaces that are possible without easing network separation, through the Financial Security Institute. Up to 17 companies can be supported by July. For financial companies with highly advanced security capabilities and AI utilization skills, it will also consider fully lifting network separation rules. This will be pursued through procedures such as the designed innovation financial service program.
Guidelines to support systematic responses by financial firms will also be prepared in June. The guidelines will include practical standards such as criteria for classifying IT resources and prioritizing program patches, enabling financial companies to self-inspect and supplement their IT asset management systems. The Financial Services Commission (FSC) also decided to provide tailored support, including on-site assistance and briefings, to strengthen IT asset management capabilities. In cases where minor IT system failures unavoidably occur during active security patching, it will pursue penalty mitigation or immunity, provided there is prompt recovery and consumer protection measures.
Going forward, the Financial Services Commission (FSC) plans to allow a full lifting of network separation for financial firms deemed to have excellent security capabilities. The criteria for a full lift will be finalized after discussions with the industry.