The Financial Supervisory Service (FSS) will conduct a thorough inspection of IT control implementations at financial institutions in the second half of the year. Recent system failures and security breaches in the financial sector have been attributed to inadequate basic controls, including poor program change management, insufficient processing capacity, and firewall configuration errors. The FSS plans to examine power supply systems at data centers and the security obligations of cloud-based business software.
On June 29, the FSS held a virtual meeting on "Financial IT Risk Response" with 491 electronic financial institutions, sharing its inspection focus for the upcoming months. The institutions involved include banks, insurance companies, financial investment firms, savings banks, credit finance companies, credit information providers, mutual finance, and electronic financial service providers.
The FSS reported that its inspections in the first half of the year revealed deficiencies in basic IT controls, such as program change management and performance management. With ongoing incidents of system failures and breaches, along with the increased use of generative artificial intelligence and sophisticated cyberattacks, there is a growing need to enhance the incident response capabilities and internal IT controls of financial institutions.
According to the FSS, the main causes of recent electronic financial incidents fall into three areas: inadequate impact analysis during program changes, leading to missing logic or insufficient testing; equipment failures, communication line disruptions, or insufficient processing capacity; and incorrect policy application during system changes such as firewall adjustments.
As a result, the FSS will prioritize inspections of IT control implementations in the second half of the year. It will also review the operational status of power supply systems, including uninterruptible power supplies (UPS), emergency generators, and aging batteries, to prevent data center fires.
Compliance with information security obligations for cloud-based office management and software as a service (SaaS) will also be part of the inspection. This follows the amendment of electronic financial supervision regulations in April, which allowed for certain exceptions in SaaS usage. The FSS plans to verify whether the SaaS in use meets the "satisfactory" rating from the Financial Security Institute, whether protective measures for access devices are in place, and whether information security controls are evaluated biannually and reports are made to the information security committee.
The FSS emphasized the importance of financial institutions proactively assessing and improving their internal IT control systems, especially as regulations are being relaxed with the shift towards AI. With many self-inspections planned for the second half of the year, the FSS urged executives, including CEOs, to take responsibility for risk assessments and to swiftly address any identified issues through a comprehensive self-correction system.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.