Lee Chan-jin, governor of the Financial Supervisory Service. [Photo: Yonhap News Agency]

South Korea's Financial Supervisory Service is moving to fix weak internal controls at financial companies and a supervisory approach that has centred on post-incident responses, both of which have been cited as root causes of repeated hacking incidents and IT system failures.

The Financial Supervisory Service said on Monday it held a meeting with the National Assembly, financial associations, the Financial Security Institute, academia and domestic and overseas security firms to shift the financial security paradigm. The meeting was arranged amid concerns that current security awareness, risk management levels and supervision methods make it difficult to eradicate IT and information security incidents.

Participants included lawmaker Lee Jung-moon (이정문) of the National Assembly's Political Affairs Committee, the heads of the banking, financial investment, life insurance, non-life insurance and specialised credit finance associations, the head of the Financial Security Institute, and officials from academia and the security industry. They discussed ways to control IT and security risks, as well as domestic and overseas best practices, focusing on the Financial Supervisory Service's plan for preventive digital risk supervision.

Participants agreed that as security threats become increasingly intelligent and sophisticated, financial security needs to be embedded as an organisational culture to prevent incidents. They also agreed fundamental changes are needed, including stronger management accountability, improved organisational culture and expanded investment in people and resources.

Lee Chan-jin (이찬진), governor of the Financial Supervisory Service, said recent security breaches and system outages in the financial sector often stem from failure to comply with basic obligations or weak internal controls. He stressed the need to fundamentally change the financial security paradigm.

He added that the watchdog will shift the focus of supervision from post-incident sanctions to prevention, so that financial companies establish proactive risk management.

The watchdog plans to select high-risk companies for intensive management and to overhaul incident response systems so that consumer harm is minimised when breaches do occur. It said it will hold those responsible strictly to account under a zero-tolerance principle where an incident follows a failure to meet basic obligations or weak internal controls.

It also asked the National Assembly to swiftly process a proposed amendment to the Electronic Financial Transactions Act to strengthen the safety of electronic financial transactions, and urged financial associations to embed a security-focused culture across the sector and expand IT and information security investment.

Lee Jung-moon said IT incidents such as hacking have been occurring frequently in the financial sector. He said it is most important to secure the safety of electronic financial transactions to strengthen consumer trust. He added the watchdog's shift to preventive supervision is timely and stressed the need for thorough IT risk management so the public can use digital finance with peace of mind.

Support needed to build internal controls at small and mid-sized financial firms

The watchdog's supervision plan consists of five pillars: shifting security awareness, establishing proactive risk management, shifting to preventive supervision, establishing incident response systems and improving institutions.

To raise security awareness among employees at financial companies, it will expand tailored communication such as management meetings and practitioner workshops. It will also strengthen IT asset identification and management, together with vulnerability analysis and assessment, so that financial companies can identify risk factors early and respond on their own.

It also plans to strengthen checks for security vulnerabilities and intensively manage high-risk companies, while using the integrated financial security monitoring system, FIRST, to quickly share threat information and upgrade self-inspection and correction systems.

It will also strengthen digital resilience through response drills such as joint disaster recovery failover exercises, penetration tests (simulated hacking) and bug bounties, and overhaul response systems so that services can resume quickly when incidents occur.

Financial associations, the Financial Security Institute and academia also expressed support for preventive supervision and pledged cooperation. Financial associations said they will support implementation by sector, and the Financial Security Institute said it will help strengthen security capabilities at financial companies by sharing threat information and upgrading response drills.

Kang Byung-hoon (강병훈), a professor at KAIST, said thorough identification and management of IT assets should come first to prevent large-scale breaches. He stressed the need to support the building of internal controls at small and mid-sized financial companies with weak security.

The watchdog said it will push ahead with related tasks at speed so the preventive supervision system works effectively in the field, starting with this meeting. It said it plans to continue communication to raise security awareness across the financial sector and establish proactive risk management.
