The financial authorities selected 10 financial companies to use artificial intelligence (AI) for security purposes and will ease the network separation rule (which requires separating internal and external networks within financial companies) for one year. During this period, these financial companies will establish internal control measures and introduce high-performance AI and software-as-a-service (SaaS) products with global certifications to conduct security vulnerability tests.

On the 23rd, according to the financial authorities, the Financial Services Commission recently issued a no-action letter with these details to the financial institutions selected as the first batch for eased network separation rules. The financial authorities recently selected 10 financial companies—including commercial banks such as Shinhan, Hana, and Woori; KakaoBank; KB Securities; NH Investment & Securities; Samsung Fire & Marine Insurance; and Hanwha Life Insurance—as the first financial institutions for a "security-purpose AI/SaaS utilization test."

[Illustration courtesy of ChatGPT]

Earlier, the Financial Services Commission (FSC) decided to ease the network separation rule first for 10 financial companies with strong AI and security capabilities among 49 financial firms with total assets of 10 trillion won or more and 1,000 or more full-time employees. The need has grown for domestic financial companies to build AI-based security capabilities because of concerns that high-performance AI, such as Anthropic's "Mythos" in the United States, could be misused for cyberattacks on financial institutions.

The financial authorities said, "Given the need to exceptionally apply network separation to quickly and effectively devise response measures, in cooperation with the government and related agencies, against cyberthreats that have been advanced and made more intelligent by recent high-performance AI models."

According to the no-action letter, financial companies may introduce only AI/SaaS services that have obtained international and domestic certifications such as ISO 27001, SOC 2, CSAP, and FedRAMP. They must establish continuous management and systems for AI/SaaS information security controls and collect and preserve for at least one year monitoring and log records on access and usage histories, administrator activities, and abnormal behavior. They must also establish procedures for responding to security incidents and failures related to AI/SaaS services.

Financial companies may use only managed AI in which the AI provider manages infrastructure, security, and updates on their behalf. In particular, they must sign a mandatory "non-training agreement" to ensure that data used by the financial company is not used to train AI models. They must register and manage access terminals and users/administrators, and apply multi-factor authentication to AI/SaaS administrator accounts. They must also set up a control system that monitors whether important information—such as personal credit information and unique identification information—is entered, processed, transmitted externally, or leaked.

The financial authorities will apply a one-year exemption from the AI/SaaS network separation rule for security purposes to these financial companies and will consider fully lifting the rule based on test results afterward. After accumulating cases from the first selected financial companies, they plan to select the second group in the third quarter.

※ This article has been translated by AI.