Financial institutions can now freely use software as a service (SaaS) for creating documents and holding video meetings internally. Since 2013, major organizations that handle significant amounts of information, such as financial companies, have been required to follow “network separation” rules, which mandate the isolation of internal and external networks. This change eases those restrictions somewhat.
On the 20th, the Financial Services Commission stated that updated enforcement guidelines for electronic financial supervision regulations would come into force, enabling financial institutions to adopt SaaS solutions without undergoing prior innovation financial service assessments.
SaaS generally encompasses services that allow for document creation, teamwork, and video meetings through cloud-based servers, necessitating an internet connection. Examples are Google Docs and the video conferencing tool “Zoom.”
Previously, financial institutions needed to go through innovation financial service reviews in order to utilize SaaS because of South Korea’s network separation regulations, which require isolating internal banking systems from external internet networks. Although this approach decreased the risk of hacking, it faced criticism for being overly restrictive on work efficiency. Moreover, with the recent introduction of AI company Anthropic’s AI model “Mithos,” which can independently identify and exploit software vulnerabilities, worries emerged that basic network separation may no longer be adequate to prevent cyberattacks.
From today onwards, financial institutions are allowed to utilize SaaS without restrictions, aiming to boost cooperation not only among internal teams but also with international branches and business collaborators. The Financial Services Commission mentioned that this move will decrease redundant manual work and enhance internal performance management systems.
Nevertheless, the Commission kept network separation rules in place for situations involving confidential data, including resident identification numbers, unique codes, or personal credit details such as loan information. For anonymized data, where identifying information is concealed, financial institutions are still required to follow the procedures for innovation financial service designation.
In addition, financial organizations are permitted to use SaaS that has been assessed by personal data breach response agencies such as the Financial Security Institute. They are also required to implement protective measures for devices that access SaaS and to submit semi-annual evaluations of information security controls to internal information safeguard committees.
Industry experts see this as a step away from South Korea’s network separation approach and toward the global standard of “zero trust.” Zero trust connects networks while granting fine-grained access based on security levels. The Financial Services Commission said, “With increasing demands to use external network resources for AI development, current network separation regulations are no longer enough. We will quickly broaden exceptions for SaaS to generative AI services.”





