Exemption for Minor System Failures with Consumer Protection Measures

"Granting Budget and Personnel Authority to Chief Information Security Officers"

When a financial institution experiences a minor system failure during security-related artificial intelligence (AI) testing or while applying security patches, it will now be exempt from penalties, provided that it has implemented sufficient consumer protection measures.


Yonhap News Agency


The Financial Services Commission (FSC) announced on July 2 that it held an Exemption Review Committee meeting on June 30 and deliberated and approved exemption measures for system failures that occur during AI security testing and the implementation of security patches. The FSC also distributed the "Frontier AI Security Threat Financial Sector Response Guidelines," which outline best practices for financial institutions to address AI-related security threats.


The core of these exemption measures is that if a system failure occurs while using AI for security purposes, the institution will not be penalized so long as it promptly restores operations and maintains a robust consumer protection framework.


The scope of exemptions covers cases in which: ▲ security testing is conducted using AI for security purposes, ▲ emergency security patches or equivalent changes to IT equipment are implemented in response to vulnerabilities disseminated by the FSC, the Financial Supervisory Service (FSS), or the Financial Security Institute (FSI).


The requirements for exemption will be assessed comprehensively, taking into account whether swift recovery measures and consumer protection actions have been established and implemented in the case of minor system failures. A minor system failure refers to an IT incident that does not fall under the sanctionable category according to the detailed enforcement rules of inspection and sanction regulations. This is limited to cases where there is no intent, monetary damages are less than 100 million won, system downtime is up to four hours, and fewer than 10,000 pieces of customer information (excluding personal credit information) are leaked.


Swift recovery measures refer to the preparation of a work plan, including pre-testing and measures to prevent the spread of damage and ensure service continuity, which is then reported to management. Consumer protection actions include providing prior notice to customers and implementing remedies for any damages incurred. This applies when financial institutions notify customers in advance—through their website, SMS, etc.—of the timing, targets, details, and alternative service channels for security tests or patches, and take remedial actions if consumer damages occur.


The exemption covers organizational and individual sanctions, status-related disciplinary actions, and fines. However, if a personal credit information leak occurs, sanctions will be imposed under the Credit Information Act, regardless of these exemption measures.


The FSC also distributed the AI security threat response guidelines to financial institutions. The guidelines cover six key areas: ▲ strengthening executive responsibility ▲ vulnerability and patch management ▲ asset and supply chain management ▲ AI-based automated defense ▲ joint response and resilience enhancement in the financial sector ▲ systems to prevent the spread of breaches.


The FSC emphasized that it is desirable for boards of directors and chief executive officers (CEOs) to grant chief information security officers (CISOs) actual authority over budget allocation and personnel management. It also recommended that a dedicated response team under the direct supervision of the CISO be formed and operated for AI security threat monitoring and rapid response.



An FSC official stated, "We expect that the exemption measures and distribution of guidelines will encourage the financial sector to take more active and rapid action to strengthen management controls," adding, "We will actively pursue various policy initiatives to support the AI transformation of the financial sector, including a complete lift of network separation regulations."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily. All rights reserved. Unauthorized AI training and use prohibited.
