In an effort to support the financial sector's transition to artificial intelligence (AI), South Korea's financial authorities announced plans to temporarily relax network separation regulations for security-focused AI applications. They are also considering a complete removal of these regulations for certain financial institutions in the future. Additionally, the authorities aim to bolster the establishment of an AI-based security framework in the financial sector through the creation of a Financial AI Security Research Institute and the development of AI security guidelines.
The Financial Services Commission (FSC) revealed these measures during a meeting on May 22, led by Vice Chairman Kwon Dae-young. The meeting focused on addressing security threats posed by high-performance AI and included participation from the Financial Supervisory Service, the Financial Security Institute, and chief information security officers (CISOs) from major banks, securities firms, and credit card companies, along with AI and security experts.
The FSC has decided to temporarily ease network separation regulations for security-focused AI applications. This includes allowing the use of high-performance AI for vulnerability assessments and the implementation of security Software as a Service (SaaS) solutions.
This initiative comes in response to growing concerns about cybersecurity threats in the financial sector, particularly following the introduction of Anthropic's high-performance AI, Mythos. The FSC stated, "AI attacks must be defended against with AI," reflecting industry demands for a more flexible approach to existing network separation regulations.
However, eligibility for this temporary easing will be limited to financial institutions with a certain level of security capability. Specifically, 49 financial companies with total assets exceeding 10 trillion won and a workforce of over 1,000 employees, each having a dedicated CISO, will be eligible. The FSC plans to evaluate the security management capabilities and AI utilization of these applicants before issuing a non-objection letter, allowing for a one-year temporary relaxation of network separation regulations.
The timeline for this initiative has also been outlined. The first phase will involve up to 10 companies, with procedures expected to be completed between June and July. A second phase will select an additional 10 to 20 companies between August and September. Further evaluations will be conducted in the fourth quarter to accommodate remaining applicants.
Financial institutions benefiting from the relaxed regulations will be required to share the results of their AI-based vulnerability testing and security SaaS usage with the government. The FSC aims to accumulate insights on the characteristics of high-performance AI security risks and response strategies, which will inform future guidelines for the entire financial sector.
Moreover, the FSC indicated that it would consider completely removing network separation regulations for certain financial companies. The strategy involves selecting firms with advanced security capabilities and AI utilization to create successful case studies that can be disseminated throughout the financial sector.
If full relaxation is implemented, these financial institutions could not only establish AI-based security frameworks but also expand the use of AI across various operations and services, including chatbot consultations, asset management, credit assessments, corporate finance, and internal controls.
The FSC will also enhance its organizational and support structures. A private technical advisory group composed of AI, security, and information protection experts will be established to assess the security capabilities and readiness of financial institutions and to provide advice on domestic and international AI security threats and policy issues.
The "High-Performance AI Security Threat Response Team" that has been operational since April will transition to a permanent operational structure. This team will include representatives from the FSC, the Financial Supervisory Service, the Financial Security Institute, and CISOs from all sectors to regularly check on field challenges and response statuses.
The FSC also plans to strengthen the functions of the Financial Security Institute by establishing a Financial AI Security Research Institute to analyze trends in AI-based cyberattacks and develop response strategies. Additionally, an AI Security Support Center will be created to assist small financial institutions and fintech companies with vulnerability assessments and threat trend sharing.
Next month, the FSC will introduce AI security guidelines for the financial sector. These guidelines will include practical standards such as criteria for classifying computing resources and prioritizing security patches. The FSC will also conduct on-site briefings and provide tailored support for financial institutions.
To address minor system disruptions that may occur during the security patching process, the FSC is considering measures to reduce penalties or provide immunity. This comes in response to ongoing concerns from the financial sector about delays in applying necessary security patches due to fears of accountability for system errors.
Support measures for small fintech companies will also be included. The FSC plans to enhance the security capabilities of these firms, which may lack sufficient resources for security responses, by providing financial support for AI-based security assessments and vulnerability testing tools.
Kwon Dae-young emphasized, "High-performance AI security threats cannot be completely blocked like a cold virus; they are threats that must be managed while coexisting. Just as we wear masks, a routine cyber hygiene practice of establishing AI defense systems is necessary in the financial sector."
He added, "The financial sector's transition to AI is not just about adopting new technology; it signifies a fundamental transformation of financial services. The government will also pursue bold regulatory improvements to enable the productive, inclusive, and trustworthy use of AI in finance."
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.