Newsletter | December 2013
BANKING

Strengthening IT Security of Electronic Financial Transactions
On September 17, 2013, the Financial Services Commission (the “FSC”) proposed amendments to the Supervisory Regulations on Electronic Financial Transactions (the “Amendment”). The Amendment reflects the amended Electronic Financial Transactions Act (the “EFTA”) and its Enforcement Decree, and sets out the implementation details of the comprehensive plan for strengthening the IT security of electronic financial transactions that the FSC announced in July 2013.

Public comments on the Amendment were accepted until October 12, 2013, and the Amendment took effect on December 3, 2013.
The details of the Amendment are as follows:
Vulnerability Analysis/Assessment
If a financial company has more than 2 trillion won in total assets and at least 300 employees, its Chief Information Security Officer (CISO) shall either establish an in-house evaluation department or outsource the analysis/assessment function, and shall perform an annual vulnerability analysis/assessment of the company’s IT systems.

If a financial company has less than 2 trillion won in total assets and fewer than 300 employees, the list of analysis/assessment items may be reduced and there is no duty to establish an in-house evaluation department.

* A financial company that does not perform the vulnerability analysis/assessment is subject to a fine of up to KRW 20,000,000.
Information Protection Committee
A financial company shall establish an information protection committee that deliberates on and decides important information protection matters, such as the plan for the information technology sector* under Article 21(4) of the EFTA, the vulnerability analysis/assessment, and employees who violate IT security-related rules.

* A financial company that does not submit the plan for the information technology sector is subject to a fine of up to KRW 10,000,000.
Promoting the Comprehensive Plan (the “Plan”) for Strengthening IT Security of Electronic Financial Transactions
Duty to Separate Financial IT Networks: Any IT center of a financial company must separate its internal IT network from external networks such as the Internet.

Stricter Access Control over Information Processing Systems: Managers/operators of an information processing system must be authenticated by an additional factor beyond ID/password.