FSC demands up to 7% allocation of financial institutions’ total IT budgets to network security

The financial authority has prepared mandatory regulations to strengthen the information protection levels of financial institutions. There is keen interest in whether the financial sector can recover lost customer confidence.

There have been many incidents this year, including the hacking of Hyundai Capital, the computer network problem at Nonghyup bank, the leakage of personal information at Samsung Card, and unauthorized personal credit checks by Standard Chartered First Bank Korea Limited and Korea Exchange Bank.

Financial institutions must allocate more than 5% of their total IT budgets to “IT security.” However, some have not been following this guideline. In the first half of this year, 4 out of 16 banks had not spent the required 5% of their total IT budget on IT security. Last year, when the IT security budget required by law was lower, the number of banks spending less than 5% totaled 9. The situation is quite similar with credit card companies. Only 3 out of 7 credit card firms allocated more than 5% of their total IT budgets to IT security. In the first half of this year, the total IT security budget for the banking sector came to 109.152 billion won, exceeding 5% of the total IT budget of 1.919 trillion won. However, participation rates were far less than 50%: although banks were allocating the budgets, they did not actually commit any money. This is because the existing “more than 5%” guideline was a non-mandatory recommendation.

IT Security Market for Financial Institutions Worth Over 100 Billion Won Annually

Against this backdrop, it was pointed out that comprehensive measures are needed to strengthen IT security. “As we learned from the Nonghyup incident, the financial sector’s IT security is not the only problem for the financial sector and financial authority, and is directly linked to national security,” emphasized Han Ki-ho, a member of the Grand National Party, on September 23, during an audit session of government offices.

As a result, the allocation percentage of the financial sector’s IT security budget will jump from 5% to 7%. With this policy, the value of the IT security market is estimated to exceed 100 billion won per year. The Financial Services Commission announced on September 28 that it was planning to add a policy revising the IT security budget to the Regulation on Supervision of Electronic Financial Activities, and that it will pass the revised regulation at a regular meeting. On October 4, the commission revealed that it will legalize the revision, expecting to receive an evaluation from the Regulatory Reform Committee and Korea Ministry of Government Legislation by November. In short, the financial authority is set to review the overall IT strategies of financial institutions.

“Overseas financial companies allocate 10% of their total IT budgets to network security. Our goal is to gradually increase the percentage of Korea’s IT security budget to the overseas level,” said an official from the financial authority. However, the commission decided to raise the percentage only to 7% initially, considering that some financial companies are currently unable to meet even the 5% recommendation.

“Violent Clash” in Positions between Financial Authority and Financial Institutions

While the financial authority is pushing ahead with measures to strengthen security, the financial sector is holding its position, saying, “The measures could be ineffective.” It claims that increased expenditure does not necessarily mean reinforced security. An official from the financial authority explained, “7% is not too much to ask for. It is the minimum investment for infrastructure to set up financial security systems.”

The financial authority decided to establish a new regulation, which requires assigning more than 5% of the total IT workforce to network security, and maintaining half of those as regular workers. However, the financial sector showed a lukewarm response. An official from a financial corporation pointed out, “Hackers’ attacks can be defended, but it all depends on how IT security specialists are utilized, rather than the size of the budget. The bigger the security workforce is, the higher the possibility that information leaks out.” This means that, in the sector’s view, it would be more effective to hire a small number of IT experts to strengthen security.

Up to now, most financial institutions have replaced their IT security workforces with outside companies, with most of their own security employees having temporary positions. The reason for this is to lower costs as well as leave the job to dedicated experts. However, the financial authority regards this behavior as the source of security problems. Temporary workers, who feel a weaker sense of belonging to their companies, are giving corporate information to rival firms. “The reason why local financial companies can spend less on IT security than their foreign counterparts is that local IT technologies are superior to those of overseas rivals. We are concerned about reporting our strategies to the authority because of the possible leakage of this information,” said the official from the financial corporation. Following the statement, an official from the financial authority stated, “Considering the burdens of companies, the execution date will be delayed two years, and 50% of outside staff who work regularly in the company, will be acknowledged as company IT workers.”

Revisions Should Be Implemented from a Long-term Perspective

There is a precondition to strengthening the financial authority’s right to supervise IT. When financial accidents occur, it should be clear who is responsible. What draws attention to the revisions is that the financial authority has the right to inspect not only financial institutions but also related IT companies if necessary. According to the revisions, the financial authority requires financial firms to report causes and follow-up measures for financial accidents in any form. Therefore, it appears that the process to clarify who is responsible for incidents between “financial institutions and IT companies” will be simplified.

In the past, most cases were settled through voluntary reconciliation between the parties involved. Experts advised, “The revisions are necessary in order to strengthen the information protection level of financial firms. However, the revisions should be implemented gradually, taking the size of financial firms into account in order to provide them enough time to prepare their workforces and budgets.” It is hoped that customers will be able to enjoy their innate right to protection under the reinforced IT supervision policies. Above all, the gap between the financial sector and financial authority needs to be narrowed.

What are the revisions of the Electronic Financial Transactions Act and Regulation on Supervision of Electronic Financial Activities?

The revisions related to electronic financial activities are the Electronic Financial Transactions Act, the Enforcement Decree of the Electronic Financial Transactions Act, and the Regulation on Supervision of Electronic Financial Activities. The main point is that the financial authority is to enforce supervision standards that were previously only suggested, in order to strengthen the information protection level of financial companies.

Subparagraph 4 of Article 21 (new)

Financial institutions designated by presidential decree shall set up a plan for electronic financial activities and IT areas annually and submit it to the Financial Services Commission after receiving the representative’s signature.

Subparagraph 2-1 of Article 21 (new)

In order to secure the stability and credibility of electronic financial transactions, financial institutions and electronic financial businesses shall analyze and evaluate the weakness of electronic financial infrastructure and report the results to the Financial Services Commission.

Subparagraph 2-1 of Article 40 (new)

When inspecting financial institutions or electronic financial businesses, the Governor of the Financial Services Commission may also inspect related electronic affiliates if it is acknowledged that the goal of the inspection cannot be met by inspecting the financial institutions or electronic financial businesses alone.

Subparagraph 1-1 of Article 8 of Chapter 2

Financial institutions and electronic financial businesses shall secure more than five-hundredths of the total workforce for information technology personnel and more than five-hundredths of the information technology personnel for information security staff.

Subparagraph 4-2 of Article 8 of Chapter 2

Financial institutions and electronic financial businesses shall allocate more than seven-hundredths of the total information technology budget to information protection.

Subparagraph 4 of Article 20 of Chapter 5

Financial institutions and electronic financial businesses shall establish security measures in the analysis and designing stages in order to ensure the security and credibility of data processing systems.

Article 22 of Chapter 5

In order to ensure the security and efficiency of data processing systems, financial institutions and electronic financial businesses shall set up and follow data processing system supervision guidelines.

Copyright © BusinessKorea. Prohibited from unauthorized reproduction and redistribution