
SGI’s company flag flutters in the wind in front of the firm’s headquarters in Seoul, Wednesday. Yonhap
Seoul Guarantee Insurance (SGI), Korea's largest comprehensive guarantee insurance firm, restored its core computer systems Thursday, four days after a suspected ransomware attack paralyzed its operations, the company said.
However, criticism persists over the firm's inadequate cybersecurity measures, as it had failed to obtain key cybersecurity certifications, highlighting a lax approach to data protection, according to industry experts.
It was revealed that SGI had not acquired the Information Security Management System (ISMS) or the Personal Information & Information Security Management System (ISMS-P) certifications, which assess whether an organization has established appropriate safeguards for information and data privacy. These certifications are issued by agencies such as the Korea Internet & Security Agency.
Financial institutions in Korea are not legally required to obtain these certifications, and SGI had not pursued them voluntarily.
The government is also facing backlash for failing to make such standards mandatory for the financial sector, despite the companies' handling of highly sensitive personal information.
SGI suffered a system disruption following a cyberattack on Monday, which led to the suspension of key services, including issuing and verifying guarantee insurance policies through its website. With core systems for major operations like mortgage loan guarantees disrupted, the firm had to resort to manually processing applications for select products.
SGI established a round-the-clock response center on Wednesday and pledged to fully reimburse any verified losses.
In addition to the system disruptions, concerns have emerged that the hackers may have gained access to SGI's primary database. If confirmed, this could mean that sensitive financial data submitted by customers during insurance applications may have been exposed.
The company's failure to obtain ISMS and ISMS-P certifications has raised questions about its commitment to protecting sensitive data and drawn criticism for neglecting cybersecurity measures, despite being a public financial institution in which the state-run Korea Deposit Insurance Corp. holds an 83 percent stake.
SGI received substantial public funding during the 1997 Asian financial crisis and was listed on the Korea Exchange this March as part of efforts to recover those funds.
Although not legally required to obtain the certifications, SGI stated in its securities filing at the time of its IPO that it intended to pursue certification to enhance its response to cybersecurity threats.

Experts say the current scope of mandatory cybersecurity certifications is too narrow, warning that ransomware attacks could trigger a domino effect disrupting critical financial infrastructure.
Under the Act on Promotion of Information and Communications Network Utilization and Information Protection, mandatory certification applies to internet service providers in Seoul and major cities, large data centers and top-tier hospitals with annual revenue over 150 billion won ($108 million), among others.
"The financial sector handles more sensitive data than telecoms but remains a cybersecurity blind spot," Korea University cybersecurity professor Lim Jong-in said. "Expanding mandatory certification is essential to prevent serious damage from data breaches."
Financial authorities have launched an inspection into SGI. Depending on the root cause of the incident, the Financial Supervisory Service, the country's financial watchdog, may conduct a formal audit.
The Financial Services Commission (FSC), the nation's top financial regulator, is also reviewing potential violations of the Electronic Financial Transactions Act as well as any regulatory gaps related to ransomware.
"Our immediate focus is on minimizing damage. Afterward, we will examine whether SGI breached any relevant laws and prepare to address gaps in ransomware regulations if needed," an FSC official said.
SGI, meanwhile, said it will maintain close cooperation with related agencies to ensure stable operations.
"We will address customer inconveniences, proceed with compensation and transparently share updates and further actions based on the investigation outcomes," an SGI official said.