
South Korea: Regulator introduces roadmap to ease IT network rules for financial sector

15 Aug 2024

The Financial Services Commission (FSC) has introduced a roadmap to bring about improvements to IT network security in the financial services industry, the regulator says in a statement.

The roadmap, which was launched after discussions with private-sector experts, financial industry groups, and officials from the Financial Supervisory Service (FSS) and Financial Security Institute (FSI), aims to ease the stringent IT network separation regulations that have been in place since 2014 and to update financial data security rules.

Reason for revamp

IT network separation is a mandatory security measure that involves physically separating internal networks from external networks to protect sensitive data and systems from external threats. It was introduced following a large-scale financial computing accident in 2013.

While the measure has been effective in safeguarding financial systems from cyber threats such as hacking and ransomware, it has also led to inefficiency and is an obstacle to research and development by financial services companies on the use of new technologies like cloud computing and AI.

The FSC said, “In particular, with the rapid transition of software into a cloud-based software as a service (SaaS) and the growing importance of generative artificial intelligence (AI), network separation may not only present a source of inconvenience but also stand in the way of boosting the competitiveness of the financial industry.

Therefore, after 10 years of introducing the rules on network separation, the FSC plans to seek a paradigm shift for finding an appropriate balance between innovation and security by upgrading outmoded regulations and overhauling rules and regulations on financial data security over the medium to long term.”

The roadmap

The authorities will seek to ease relevant regulations gradually and in stages.

While seeking to promptly resolve hurdles through the regulatory sandbox programme, the authorities will also prepare safety mechanisms to ensure cyber and information security until a self-regulating and autonomous data security system is fully established.

Generative AI

First, financial companies will be allowed to make use of generative AI technologies. Most generative AI services are based on a cloud-based internet environment. However, domestic financial sectors face obstacles in embracing generative AI due to the restrictions placed on their access to Internet networks. In this regard, a regulatory exemption will be granted through the regulatory sandbox programme to allow them to have access to the Internet under the condition that financial companies have in place sufficient security assurance measures to prevent cybersecurity risks. The FSS and FSI will carry out inspections and offer consultations on the matter of cyber security to those applying for this regulatory exemption.

Cloud-based software as a service

Second, financial companies will be allowed to make use of the cloud-based software as a service (SaaS) for more types of operational functions. Currently, the use of SaaS is permitted only for certain types of back-office functions, such as document management and human resources management. The use is prohibited in handling customers’ personal credit information. In this regard, the scope of SaaS usage will be expanded to include the areas of cyber and information security and customer relations management. In this case, too, financial companies will need to prepare sufficient security assurance measures to gain regulatory exemption.

R&D

Third, improvements will be made to financial companies’ research and development environments. The physical separation of networks and the restrictions placed on the use of personal credit information have been barriers for financial companies in conducting research and development projects to launch personalised services. In this regard, authorities will seek to revise regulations on electronic financial services to ease current rules on the physical separation of networks and allow the use of pseudonymised data to promote the development of more innovative financial services.

After adequately examining the progress of the aforementioned regulatory exemption programmes, the FSC will allow financial companies to directly handle personal credit information in non-pseudonymised formats. In this regard, additional security assurance measures will be required in line with the expanded scope of data usage.

As a medium- to long-term goal, the FSC will work towards a regulatory system centred on autonomous cyber security and self-accountability. In this regard, financial companies will be required to strengthen internal governance on cyber security matters. There will be penalties in the event of cyber security failures. Regulatory reforms intended to bolster the management of third-party risks will also be implemented.

Timeline

Starting on 22 August 2024, the authorities will hold a series of information sessions with financial institutions and offer consultations on the security assurance measures that financial companies will need in order to be considered for the regulatory exemption programmes.

Application for the regulatory sandbox will open in September. Following an application review process, the use of generative AI in financial sectors may become available as early as the end of this year.


 
