[DigitalToday reporter Sangyeop Oh] The Financial Security Institute said on Dec. 31 it will revise and distribute its "2026 vulnerability analysis and assessment criteria". The revision was prepared to respond proactively to new security threats, including those from increased use of public cloud in the financial sector and from crypto asset exchanges entering the regulated sector.
First, it overhauled the assessment framework for existing electronic financial infrastructure. It created a new "cloud management system" category as adoption of public cloud accelerates in the financial sector.
Reflecting the growing diversity of virtualization deployments, it expanded the scope of virtualization-related assessments to include "operating system (OS) and container virtualization systems". It also strengthened assessment criteria so that risks can be continuously managed for aging systems or equipment that no longer receive security patches.
It also subdivided inspection items to improve the consistency of assessments. It split the existing single "server" category into "operating system (server)" and "middleware (web server-WAS)" to enable more precise diagnostics suited to the characteristics of each system. It also incorporated revisions to the regulations on electronic financial supervision into the "information security management system" category so that regulatory compliance is closely examined.
The most notable feature of the revision is the creation of assessment criteria tailored to crypto asset exchanges.
The institute focused on the fact that the IT environments of crypto asset exchanges are structurally different from those of existing financial companies. While existing financial companies mainly rely on on-premise environments, crypto asset exchanges depend heavily on the cloud. Key security threats also differ, going beyond customer information leaks to include theft of hot wallets.
The institute will create four new categories: crypto asset compliance, blockchain, wallets and smart contracts. It will verify security across crypto asset operations, management and use. This is a measure to systematically manage related risks as crypto assets are incorporated into regulated finance, including through the implementation of the Virtual Asset User Protection Act.
Park Sangwon, head of the Financial Security Institute, said the revision aims to improve the effectiveness of vulnerability analysis and assessment by reflecting the changing digital finance environment. He said he expects the refined criteria and expanded coverage to help identify, in advance, weaknesses that could lead to hacking incidents and to strengthen the foundation of trust so financial consumers can use services safely.