The Financial Services Commission held a meeting on cybersecurity risks related to advanced AI models and response measures in the financial sector with chief information security officers (CISOs) from major financial companies and AI and cybersecurity experts on May 22.
At the meeting, officials reviewed cybersecurity threats related to Mythos AI and discussed a set of measures intended to promote the use of AI by financial companies to enable them to more effectively respond to newly emerging cybersecurity threats from advanced AI models and develop more productive and innovative financial services in their attempt to make AI transformation.
Speaking about the importance of building an AI-driven cyber defense system capable of shielding autonomous attacks originating from advanced AI models, Vice Chairman Kwon Dae-young of the Financial Services Commission said that cybersecurity risks presented by advanced AI models require financial companies to regularly conduct cyber hygiene practices, since it is not possible to make financial companies entirely immune to these newly emerging types of threats. In this regard, Vice Chairman Kwon further added that the AI transformation in the financial industry is much more than simply introducing a new technology—it involves a fundamental shift in how financial services are delivered.
Key Measures
I. Preemptively Identifying Cybersecurity Threats from Advanced AI Models
In close cooperation with related government ministries, the FSC has been closely monitoring international discussions on a variety of issues concerning advanced AI models, including their potential and capacity to be utilized as a cybersecurity defense mechanism.
In this process, the FSC will continue to maintain active communication with financial companies to provide and share any new factual findings and inform them about the need to strengthen cybersecurity measures if considered to be necessary.
II. Promptly Establishing AI-driven Cyber Threat Defense System
a) Easing rules on network separation
ü Network separation rules to be eased immediately for AI use in cybersecurity
The current network separation rules will be quickly eased for the use of AI for cybersecurity purposes—for instance, for using advanced AI models to assess vulnerabilities, establishing a cybersecurity defense system through SaaS security solutions, etc.
Financial companies equipped with a certain level of cybersecurity capabilities will be eligible to apply for the easing of network separation rules. More specifically, the eligible entities are 49 financial companies that have at least KRW10 trillion in assets and the regular staff size of 1,000 or more to come under the purview of the Electronic Financial Transactions Act with the requirement to appoint a CISO within the company.
For financial companies that have applied for the easing of network separation rules, an expert screening process will be carried out to assess their cybersecurity management and AI capabilities. Based on this review, the FSC will grant a temporary easing of network separation rules for one year through an issuance of a no-action letter.
The easing of network separation rules is only for the use of AI and SaaS programs for cybersecurity defense purposes to test vulnerabilities and use SaaS security tools. In this regard, qualified financial companies will need to comply with a certain level of cybersecurity rules that will help to make up for the easing of network separation rules. After running vulnerability tests, financial companies will also need to report their findings to the government regarding particular characteristics of cybersecurity threats of advanced AI models, anticipated risks when used in cyberattacks, and ways to ensure effective cyber defense. The information provided by financial companies will be utilized to draw up a detailed set of guidelines to bolster the cybersecurity capabilities of financial companies across all financial sectors.
The application and review process will take place in three phases to ensure efficiency. The first screening will take place for about 10 financial companies and it is expected to be completed by June-July this year. The second screening will take place for between 10 and 20 financial companies in August-September, and the third screening will take place for the rest in the fourth quarter of this year.
Additionally, for financial companies that have not applied for the easing of network separation rules, the Financial Security Institute (FSI) will provide assistance to check their AI vulnerabilities (until July, up to 17 companies).
ü Complete lifting of network separation rules to be considered for qualified entities
For financial companies that are equipped with advanced cybersecurity an AI capabilities, the FSC will seek to consider ways to completely lift the network separation rules through the financial regulatory sandbox program.
The slow pace of the easing of network separation rules currently taking place may hold back the financial industry from an AI transformation taking place rapidly across different enterprises. Thus, financial companies are in need of undertaking an AI-driven overhaul in terms of their business operations, organizations, and services. However, it is not possible to expect the same level of cybersecurity and AI capabilities from all financial companies. In this regard, the easing of network separation rules will be applied first to the financial companies that are deemed to be equipped with a sufficient level of cybersecurity and AI capabilities. As more financial companies become eligible and adequately capable to make a successful transition, it will be necessary in time to expand the complete lifting of network separation rules across all financial sectors in stages.
A rigorous screening process will be performed to ensure the selection of qualified financial companies that are equipped with advanced capabilities in cybersecurity and the use of AI. The selected companies will have opportunities to make use of AI in diverse areas, such as building an AI-driven cyber defense system and boosting productivity through the development of AI-driven products and services.
b) Bolstering organizational and operational capacity
There will be new advisory and consultative bodies established to provide expertise and advice on important policy issues concerning the easing of network separation rules and to collect relevant opinions and policy suggestions from across diverse financial sectors.
A new technology advisory group will consist of AI, cybersecurity, and information protection professionals and experts from academia and the cybersecurity sector. This advisory group will be tasked with assessing financial companies’ cybersecurity capacity and level of preparation in the process of implementing the easing of network separation rules. The group will also offer in-depth advice and policy suggestions in the areas of cybersecurity threats related to advanced AI models.
A financial sector taskforce on advanced AI cyber threat has already been established in April this year with officials from the FSC, the Financial Supervisory Service (FSS), the FSI, and the CISOs from across all financial sectors. This taskforce will continue to operate as an important channel of communication for having discussions about cybersecurity threats of advanced AI models between the government and the financial industry.
The FSI’s AI assistance function will be significantly bolstered to strengthen responses against AI-related cybersecurity threats and enhance communication with small- and medium-sized financial companies.
Based on its proven record of cybersecurity expertise, a new research institution will be set up at the FSI, which will focus on AI-related cybersecurity in the financial sector.
There will also be an AI cybersecurity support center established to make available comprehensive assistance for financial companies that are having difficulties in responding to cybersecurity threats of advanced AI models on their own. The center will share latest trends in AI technology and related cybersecurity threats, offer ideas for solution, and provide a screening for AI security vulnerabilities.
III. Assisting Financial Companies to Bolster Respond against AI Cyber Threats
In June 2026, the financial authorities will come up with detailed guidelines on AI cybersecurity to facilitate financial companies to more systematically and safety make use of advanced AI models.
The guidelines will enable financial companies to make self-assessment and improve upon their own IT infrastructure management systems and include details regarding the categorization of computing infrastructure and the prioritization of program patches. On-site assistance and information sessions will also be provided to help strengthen financial companies’ IT infrastructure management capabilities.
Additionally, for minor cyber system errors resulting from active security patch works, financial authorities plan to grant reduced sanction or exemption from liability on the condition of prompt restoration and consumer protection measures.
There will be enhanced cybersecurity support made available for small- and medium-sized fintech businesses as well. Costs related to AI-driven cybersecurity inspections and relevant tools to check vulnerabilities will be provided to boost the cybersecurity and response capabilities of smaller scale fintech businesses.
* Please refer to the attached PDF for details.