[Asia Economy Reporter Song Hwajeong] Financial authorities are pushing for improvements in cloud and network separation regulations to stably support the digital transformation in the financial sector.
On the 14th, the Financial Services Commission (FSC) announced that it will conduct a comprehensive review of cloud and network separation regulations to enable wider application of new digital technologies in finance, and will promote phased institutional improvements to prepare for the possibility of financial IT system accidents.
The FSC explained, "As the digital transformation of financial services accelerates, demand for digital new technologies such as cloud, big data, and artificial intelligence (AI) is increasing in the financial sector. However, current financial security regulations such as cloud and network separation are excessively strict, continuously raising concerns that they hinder financial innovation. Accordingly, the government has listened to opinions from experts and stakeholders and prepared improvement measures for cloud and network separation regulations to promote digital innovation."
The evaluation criteria for Cloud Service Providers (CSPs) will be drastically reduced from the current 141 items to 54 items. Financial companies must conduct evaluations of CSP soundness and safety before using cloud services. Currently, the evaluation consists of a total of 141 items (109 basic protection measures and 32 additional protection measures for the financial sector), which are numerous and contain overlapping items, posing the greatest burden in the current procedure. Under the improvement plan, the evaluation items will be simplified to 54 (16 mandatory and 38 alternative items), and especially for non-critical tasks, only the mandatory items need to be evaluated. The FSC stated, "While rationally improving procedures such as CSP evaluations, we plan to secure the accountability of financial companies by having the Information Security Committee review and approve them."
Additionally, a representative evaluation system will be introduced to reduce the evaluation burden on financial companies. Previously, even if a specific financial company conducted a CSP evaluation to use a particular cloud, other financial companies had to perform separate CSP evaluations to use the same cloud, causing inconvenience. Going forward, the Financial Security Institute will evaluate CSPs on behalf of financial companies, and financial companies will be able to utilize the evaluation results from the Financial Security Institute.
Furthermore, the criteria for assessing the importance of tasks that use the cloud will be clarified, and cloud usage procedures will be differentiated according to task importance. Separate evaluation criteria will be established for new forms of cloud SaaS (Software as a Service), and submission documents such as those for outsourcing operation standards will be simplified. Also, prior reporting for cloud usage will be changed to post-reporting.
Network separation regulations will also be gradually relaxed. First, exceptions to network separation regulations will be applied to development and test servers, and exceptions for non-financial tasks and SaaS will be pursued. The FSC stated, "Current network separation regulations are uniformly applied regardless of the scope of financial companies' tasks. Based on securing the accountability of financial companies and strengthening security monitoring by the Financial Security Institute, we will promote phased relaxation of network separation regulations to reduce the scope of tasks subject to network separation and consider allowing financial companies to choose between physical and logical separation."
The FSC plans to announce for public comment amendments to the Enforcement Decree of the Electronic Financial Transactions Act and supervisory regulations reflecting these institutional improvements within this month, aiming for prompt revision and implementation starting in 2023. Additionally, by the end of this year, the "Guidelines for Using Cloud Computing Services in the Financial Sector" will be revised to provide concrete procedures and standards that the entire financial sector can practically refer to.
An FSC official said, "To ensure early stabilization of institutional improvements such as guideline revisions, starting next month, the FSC, Financial Supervisory Service, Financial Security Institute, and financial associations will jointly operate an interpretation team to communicate thoroughly with financial companies and other stakeholders. Since improvements to cloud and network separation systems require the establishment of internal control standards based on the autonomous responsibility of financial companies, we will inspect internal control systems such as the composition and operation status of information security committees in financial companies during the second half of the year."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


