FSS announces guide to IT network security best practices

On March 9 2011 Korea's Financial Supervisory Service (FSS) announced its Best Practice Guidelines for Internal Use and Management of Information Technology. The Guidelines are effective from April 1 2011, although where a financial institution needs time for implementation of new systems, the FSS will allow the institution until October 1 2011 to come into compliance.

According to the Guidelines, the FSS expects a financial institution to:

  • adopt internal access-control rules and practices to control and log the use of institutional IT assets and information, including access by external service providers and contractors;
  • adopt archival systems to store and index copies of communications sent and received by email, SMS, and other electronic methods;
  • strengthen controls over distribution of institutional proprietary information, including adoption of systems to restrict use of institutional assets only for official purposes;
  • control removable media including floppy disks, writable and rewritable CDs and DVDs, external hard disk drives and USB flash storage devices;
  • prohibit disclosure of trade secrets, customer financial information, and the spread of market rumours; and
  • limit the proliferation of unsolicited commercial email and SMS messages advertising investment opportunities (spam messages).

The standards and methods of implementation are set forth in greater detail in the Guidelines.

Data protection has emerged as a significant policy concern in Korea. Unauthorised disclosures of financial information have subjected financial institutions to criminal prosecution and fines of hundreds of thousands of dollars, as well as significant civil liability to the parties to whom the disclosed information pertains. Courts have awarded as much as W1 million (US$883.65) per individual plaintiff, making the unauthorised disclosure of a large database a potentially disastrous event.

Additionally, a Bill is pending in the National Assembly which will unify the disparate data-protection standards found in the Act on the Use and Protection of Credit Information, which applies to financial institutions, and the Act on Promotion of Information and Communication Network Utilisation and Information Protection, which applies to other data users generally, as well as increase the sanctions and remedies available for breach of duties.

While the Guidelines are not strictly mandatory in a legal sense, they will have a significant normative effect as an expression of reasonable industry standards and the expectations of regulatory officials concerning responsible network-management practices for data protection. Thus it is recommended that all financial institutions in Korea take notice of the Guidelines and conduct a thorough review of practices to determine the extent of their compliance with the Guidelines.

Hwang Mok Park has prepared an English translation of the Guidelines. IFLR readers are invited to contact the author by email at to receive a complimentary copy.

Brendon Carr

© 2021 Euromoney Institutional Investor PLC.