After the emergence of the high-performance artificial intelligence (AI) model Mytos, which is known to be capable of planning and carrying out hacking attacks on its own, tension is rising across the financial sector. Financial authorities have decided to ease network separation rules to allow the use of AI for security purposes, judging that existing security systems would have limits if AI-based cyber attacks become a reality. They also said they will consider fully lifting the network separation rules for financial companies with security capabilities and the ability to use AI, prompting analysis that it could be a turning point for the sector's AI transformation (AX).
The Financial Services Commission recently held a meeting chaired by Vice Chairman Kwon Dae-young (권대영) on responding to security threats in the financial sector related to high-performance AI and announced response measures that included the plan.
The starting point of the measures is Mytos. The FSC explained that high-performance AI such as Mytos can not only find old security vulnerabilities that are difficult to detect with existing vulnerability-detection programs, but can also develop to the level of planning and executing hacking attacks on its own.
Security in the financial sector has relied on humans to check vulnerabilities and detect attacks. Concerns are growing that if AI emerges as an attacker, it could surpass the speed and scope of existing response systems. The FSC has held a series of risk review meetings and situation response team meetings since April to discuss response measures.
Still, financial authorities do not view Mytos solely as a threat. They judge that AI that could be used for attacks, if also used for defence, could greatly improve vulnerability detection and breach response capabilities.
But the current network separation rules have been cited as an obstacle to building AI-based security systems. Network separation is a representative financial security regulation that minimises hacking risks by separating a financial company's internal work network from external internet networks. It is credited with contributing to stronger security in the financial sector, but criticism has also been raised that it makes it difficult to use generative AI and cloud-based security solutions.
The FSC therefore decided to temporarily ease network separation rules only for AI use for security purposes. The measure applies to financial companies that have total assets of 10 trillion won or more, 1,000 or more full-time employees and a dedicated chief information security officer (CISO). The FSC expects about 49 companies will be eligible to apply. Selected financial companies will be able to conduct vulnerability tests using high-performance AI and use security software-as-a-service solutions. The FSC plans to expand the scope sequentially after step-by-step screening.
The part that the industry is watching lies elsewhere. The FSC said in its announcement that it will also consider a plan to fully lift network separation rules for financial companies with advanced security capabilities and the ability to use AI.
The financial sector has continuously called for improvements to network separation rules to expand the use of generative AI and drive work innovation, but assessments say it is unusual for the possibility of a full lifting to be mentioned as a policy direction. With the policy shift at the FSC, the financial sector is also moving to speed up building AI-based security systems.
◆ 'AI blocks AI'... Financial firms build security systems
KB Financial said it is strengthening a group-wide integrated security system under the principle of responding to AI attacks with AI in order to counter cyber threats based on ultra-high-performance AI.
It said it operates a practical hacking simulation system using an in-house AI agent and AI from external specialised institutions, and has also built a 24-hour security monitoring system that combines an AI agent and robotic process automation. It also said it launched a 'Group Cyber Security Center', described as the financial sector's first pre-emptive system based on simulated infiltration, and completed a three-stage zero-trust build-out for its group cloud environment.
Shinhan Financial is also responding to cyber breach threats by introducing its in-house AI diagnostic tools into asset vulnerability checks and hacking simulations.
It said it applies attack surface management, cyber threat intelligence and dark web detection, and uses automated security monitoring to detect and analyse the latest financial security threats and vulnerability information in real time. Based on the results of a pilot project on adopting zero trust by the Ministry of Science and ICT and the Korea Internet and Security Agency (KISA), in which Shinhan Bank participated, the group is also pushing to expand and apply a group-wide security model.
Hana Financial is also working to strengthen AI-based security capabilities by operating real-time vulnerability checks for externally exposed systems and a zero-trust-based security system. It is also expanding group-wide simulated penetration training and the introduction of AI-based security solutions.
In the financial sector, assessments say the easing of regulations is an unavoidable step to secure AI competitiveness. With generative-AI-based work innovation moving quickly, there are limits to competing with global financial firms under the existing regulatory framework alone.
Still, some point out that the benefits could be concentrated among large financial companies. Since eligibility to apply for the special case is effectively limited to major financial firms, there are concerns that the gap in AI use between them and small and mid-sized financial companies or fintech firms could widen. The accountability framework for security incidents that could occur after easing network separation is also cited as a subject for future discussion.
A financial sector official said, "I understand that domestic financial companies have been showing moves since the emergence of Mytos to strengthen AI-based security response capabilities across the board," adding, "There may be a view that easing network separation could raise security concerns, but there needs to be a direction of gradually supplementing it in line with the changed environment. There is a clear limit to simply blocking it."
The official added, "Regarding concerns about widening gaps between small and mid-sized financial firms or fintechs and large firms in security and AI use, I think the effects that can be obtained later are greater," and said, "Because they do not have sufficient capacity for large-scale security investment, it would be effective for major financial firms to first build effective models and spread them across the entire industry."
Analysts inside and outside the financial sector say the step could become an inflection point that determines the pace of the financial industry's AI transformation, beyond a simple easing of security regulations. As discussions of AI security threats triggered by Mytos have led to easing network separation rules and debate over the financial sector's AX, attention is focusing on how far financial authorities will go with regulatory innovation.
Financial authorities plan to speed up follow-up measures as well. Through the 'Financial AI Security Research Institute' and the 'AI Security Support Center' within the Financial Security Institute, they will strengthen AI threat analysis and security response support systems, and plan to prepare AI security guidelines in June. They also plan to expand security support for small and mid-sized fintech companies.
Vice Chairman Kwon Dae-young of the FSC said, "A major AX transformation in finance is a fundamental improvement to the constitution of financial services," adding, "The government will also actively move to improve systems for the financial sector's use of AI."