Financial authorities have decided to grant immunity from penalties for minor IT disruptions that occur while financial companies respond to artificial intelligence (AI) security threats. The measure aims to encourage financial institutions to conduct security tests and apply emergency patches without fear of penalties, especially as the risk of cyberattacks using high-performance AI increases.
On July 2, the Financial Services Commission announced that it held a meeting of the Immunity Review Committee on June 30 to discuss and approve immunity measures for IT disruptions arising from AI security tests and security patches. The commission also distributed guidelines titled 'Frontier AI Security Threat Response Guidelines for the Financial Sector' to financial companies.
In the future, if financial companies utilize AI for security purposes—such as vulnerability assessments, port scanning, or automated penetration testing—or execute emergency security patches for vulnerabilities disseminated by the Financial Services Commission, the Financial Supervisory Service, or the Financial Security Agency, they will be exempt from penalties and fines if certain conditions are met, even if minor IT disruptions occur.
The conditions for immunity include the absence of intent, financial damage of less than 100 million won (approximately $85,000), and system disruption lasting no more than four hours. Additionally, any leakage of customer information, excluding personal credit information, must involve fewer than 10,000 cases. However, if a personal credit information breach occurs, relevant penalties will apply regardless of this immunity.
The financial authorities also plan to ensure rapid recovery measures and consumer protection. Financial companies are required to establish measures to prevent the spread of damage, including pre-testing, rollback options, kill switches, and service isolation. They must also inform customers in advance about the timing and scope of security tests and patches, as well as alternative service routes, and implement remedial actions in case of damage.
The newly distributed guidelines consist of six areas: strengthening management responsibility, vulnerability and patch management, asset and supply chain management, AI-based defense automation, joint responses and resilience in the financial sector, and preventing the spread of breaches. The guidelines emphasize that the boards of directors and chief executive officers of financial companies should treat AI security threats as a core agenda item and grant the chief information security officer (CISO) substantial authority over budget and personnel management.
Copyright ⓒ Aju Press All rights reserved.
