Even if a minor computer disruption occurs during a financial company's security testing and patching of generative artificial intelligence (AI), the company and responsible employees can be exempted from penalties if they restore service quickly. With the emergence of frontier AI such as Anthropic's "Mythos," cyber security threats are growing, and the aim is to encourage active security responses in the financial sector.
The Financial Services Commission said on the 2nd that it held an indemnity review committee on the 30th and approved "indemnity measures for computer disruptions occurring during AI security testing and patching." It also distributed the "guidelines for responses in the financial sector to frontier AI security threats" to financial companies.
Accordingly, financial companies will be excluded from sanctions if they cause a computer disruption while conducting tests that use AI for security purposes or while applying security patches in response to vulnerabilities disseminated by the Financial Services Commission (FSC), the Financial Supervisory Service, the Financial Security Institute, and others.
However, financial companies must immediately implement rapid restoration and consumer protection measures when a computer disruption occurs. They must also prepare a work plan that includes prior testing and measures to prevent the spread of damage. Whether to grant indemnity will be determined comprehensively by considering the severity of the disruption, restoration efforts, and consumer protection measures. Standards include cases where there was no intent, financial damage is less than 1 billion won, system downtime is within 4 hours, and fewer than 10,000 cases of customer data are leaked. Incidents involving the leakage of personal credit information under the Credit Information Act are excluded from indemnity.
The FSC also distributed guidelines containing response procedures in six areas so that financial companies can actively respond to AI security risks. The guidelines include strengthening management's responsibility, vulnerability and patch management, and asset and supply chain management.
An FSC official said, "We will continue to flexibly and swiftly refine the guidelines by reflecting changes in domestic and overseas conditions related to frontier AI."