Even if a minor IT disruption occurs while a financial company conducts security tests or applies security patches to respond to frontier AI security threats, it will be exempt from sanctions if certain requirements are met.
The Financial Services Commission said on Thursday it reviewed and approved an exemption measure for IT disruptions that occur during AI security tests and security patching at an exemption review committee meeting held on June 30. It also prepared and distributed a "Frontier AI security threat response guide for the financial sector" to help financial companies respond to frontier AI security threats.
The measure is a follow-up to a "high-performance AI security threat response meeting" held on May 22. The FSC said it finalised the plan by gathering views from the financial industry together with the Financial Supervisory Service and the Financial Security Institute, and reflecting input from a private technical advisory group composed of AI, security and legal experts.
The exemption applies to security tests conducted for security purposes, such as vulnerability and port scanning and automated penetration attempts using AI, as well as emergency security patches for vulnerabilities disseminated by the FSC, the FSS and the Financial Security Institute. It includes operating system and software patches and comparable changes to IT equipment.
Exemption requirements will be assessed comprehensively, including whether the disruption is minor, whether swift recovery measures are in place and whether consumer protection steps are implemented.
A minor IT disruption refers to cases such as those with no intentional wrongdoing, financial damage of less than 100 million won and system outage time of up to 4 hours. The benchmark for customer information leaks is fewer than 10,000 records, excluding personal credit information.
Financial companies must prepare work plans for pre-testing, preventing damage from spreading and ensuring service continuity. This includes having recovery and alternative measures such as rollback, a kill switch, service module isolation, failover and manual processing.
Consumer protection measures are also needed. Financial companies must provide advance notice through their websites and text messages of the timing, scope and details of security tests or patches and alternative service channels, and must prepare and implement relief measures if consumer damage occurs.
The scope of exemption includes sanctions and status-related disciplinary measures against institutions and employees, and administrative fines. If a personal credit information leak occurs, sanctions under the Credit Information Act will apply regardless of this exemption measure.
The FSC said it distributed financial sector response guidelines along with the exemption measure. A joint response system for the financial sector will also be established.
It will pursue risk information sharing, the development of joint detection rules and joint supply chain inspections, centred on the Financial AI Security Research Institute. It also recommended a zero-trust-based security system and network segmentation to prepare for the possibility that an intrusion could quickly spread to internal systems.
The guidelines present action guidance and best practices for financial companies to reference in security operations, and failure to comply will not lead to disadvantages such as sanctions. The FSC said it plans to continuously update the guidelines by reflecting results such as those of AI tests conducted for security purposes.
The FSC said, "As domestic and overseas situations related to frontier AI security threats are changing rapidly, we prepared the plan with an emphasis on lowering financial companies' anxiety and encouraging proactive security strengthening measures." It added, "We hope the financial industry will actively move to strengthen management measures such as IT resource management, vulnerability detection and the application of security patches."