The Financial Services Commission of South Korea has outlined a package of measures to address cyber risks from advanced AI models in the financial sector, centred on wider use of AI and software as a service tools for cybersecurity. The main step is an immediate phased easing of network separation rules for eligible financial companies so they can use advanced AI models for tasks such as vulnerability testing and cyber defence, alongside plans for new guidance and support arrangements. Eligibility initially covers 49 financial companies with at least KRW10 trillion in assets and 1,000 or more regular staff that are subject to the Electronic Financial Transactions Act requirement to appoint a chief information security officer. After expert screening of cybersecurity management and AI capabilities, the commission will grant one year of temporary relief through no action letters. The measure is limited to AI and SaaS tools used for cybersecurity purposes, and participating firms must report vulnerability test findings so the government can develop more detailed sector guidance. Reviews will run in three rounds, with about 10 firms in June and July, 10 to 20 in August and September, and the remainder in the fourth quarter. The commission will also consider complete lifting of network separation rules through the financial regulatory sandbox for firms with more advanced cyber and AI capabilities, while the Financial Security Institute will support up to 17 non-applicant firms with AI vulnerability checks until July. Further measures include a new technology advisory group, continued operation of the financial sector taskforce on advanced AI cyber threats, a strengthened AI assistance function at the Financial Security Institute, a new research institution focused on AI-related cybersecurity, and an AI cybersecurity support center for firms that lack internal capacity. Detailed AI cybersecurity guidelines are due in June 2026 and will cover self-assessment of IT infrastructure management, including infrastructure categorization and patch prioritization. Financial authorities also plan reduced sanctions or liability exemptions for minor system errors arising from active security patching if firms restore services promptly and take consumer protection measures, alongside extra support for smaller fintech firms' AI-based security inspections and vulnerability tools.
South Korea Financial Services Commission2026-05-25
South Korea Financial Services Commission launches phased easing of network separation rules for AI cybersecurity at 49 large financial companies
South Korea’s Financial Services Commission announced measures to address cyber risks from advanced AI in finance, centred on phased easing of network separation rules so eligible firms can use AI and SaaS cybersecurity tools. It will grant one-year relief via no action letters to large institutions that pass expert screening, require vulnerability test reporting, and may fully lift network separation through the regulatory sandbox. The commission will also issue AI cybersecurity guidelines in June 2026.