my timesThe Korea Times
  1. Economy

INTERVIEW Financial CEOs urged to reform mindset on security

Listen
By Lee Kyung-min
  • Published Jan 5, 2020 8:03 pm KST
  • Updated Jan 5, 2020 8:39 pm KST

Financial Security Institute (FSI) President Kim Yeong-gi speaks during an interview with The Korea Times at the institute on Yeouido in Seoul, Dec. 12. / Korea Times photo by Shim Hyun-chul

Digital innovation meaningless without security

By Lee Kyung-min

No development without security, no security without development. As simple and banal as this may sound, no other statement can better encapsulate the growing yet oftentimes neglected importance of financial security amid digitization, according to the head of a private security institute.

“Digital innovation is meaningless without security,” Financial Security Institute (FSI) President Kim Yeong-gi said in an interview with The Korea Times.

“Once compromised, consumer trust is lost. Getting it back is hard, a reason why prevention is the best precaution, especially in the financial industry with people's money at stake,” the former Financial Supervisory Service (FSS) and Bank of Korea (BOK) official said.

The financial industry is undergoing major changes amid digitization, an industry-wide initiative to better meet customers' fast-changing needs.

With technological developments, however, come security threats just as fast or sometimes even faster with their methods of attack increasingly varied and wildly sophisticated, posing a greater risk of security breaches and data theft.

This is why the functions and responsibilities of the FSI have become as crucial as ever.

“The attackers may have improved their methods of attack but so have our capabilities of monitoring, emergency response and information sharing. We are trying to be a step ahead of cyberattackers in preventing what would be irrevocable damage,” Kim said.

The FSI data showed that of 9.6 million of the most disruptive cyberattacks analyzed in 2019, 2.7 million cases were notified to its 192 members, including banks, securities, brokerages, insurers and card firms, to help them better stay alert and prepared.

Of over 41.8 million cases of malware analyzed, the 55,049 most frequently used methods were also shared.

Financial Security Institute (FSI) President Kim Yeong-gi speaks during an interview with The Korea Times at the institute on Yeouido in Seoul, Dec. 12. / Korea Times photo by Shim Hyun-chul

The Fourth Industrial Revolution, defined by rapid development of new technologies, will inevitably entail security vulnerabilities.

This, in his view, is why security should be considered as an integral part of any digital service from the outset, in what he says should be a governing principle: security by design and security by default.

“Technologies involving artificial intelligence or blockchain can and will bring us experiences no one had ever imagined before. But they certainly will be accompanied by vulnerabilities against which vaccine or other protection programs should be set up pre-emptively. This may sound impossible, but is not if you design structure services with security concerns in mind,” Kim said.

Security costs money, almost always unrelated to immediate profit generation. Yet when a security breach happens, the consequences are far-reaching.

CEOs of major companies regardless of industries, he said, have little regard of this, a mindset that needs to be fundamentally changed.

“Strengthening security should be an investment, not an additional cost that may or may not be considered after an attack happens. This is why security-aware directives should come from the top, the leadership of the businesses,” he said.

Robot-advised financial consultations, insuretechs, will be among many services that will benefit.

“Consumers will be afraid of who will have access to their private information on health or financials as well as how it is collected, stored and managed. Heightened awareness about security risks will be a sure way to boost consumer protections in the long term,” he said.

Cloud service security assessment

The FSI's growing competence is illustrated by the financial regulator's decision that its institute conduct a security review without which no firms ― domestic or global ― can provide cloud services.

Cleared for operation are local cloud service providers including Korea's largest portal Naver, IT solution developers Naver Business Platform (NBP), NHN Corp., Korea's second-largest mobile carrier KT and Samsung SDS, an IT subsidiary of Samsung Group.

Also cleared was Washington-based American multinational technology company Microsoft whose senior official came to Korea to discuss details and specifics about the review.

Awaiting the go-ahead is Amazon Web Services (AWS), the most lucrative subsidiary of Amazon that provides on-demand cloud computing platforms.

“Senior AWS official Chad Woolf visited us Nov. 5 for consultation and we recommended that they submit related data for us to accurately assess their standard of security. He happily complied and promised further cooperation.”

Helping fintechs

The role of the institute has been highlighted recently, with the introduction of open banking, a new system integrating financial services on a shared, unified platform among traditional industry players and fintech firms.

The organization with 228 officials with extensive expertise and knowledge of cyberattacks is well-positioned to use its years of experience helping fintechs.

The budding firms with much growth potential are currently struggling from a lack of financial and human resources to hold up to the same scrutiny as their peers including major commercial banks.

“Under the open banking system, the possibility of cyberattacks and the subsequent security breaches are much more pronounced given they all share the same platform. If there is a leak, the whole system will be compromised in a matter of seconds,” he said.

The FSI offers a comprehensive security review service to fintechs on whether they meet certain requirements and standards strong enough detect and counter malicious cyber intrusions.

“Our top priority is to offer financial service providers with security checks and identify their vulnerabilities to better help them prepare against outside attacks. Our mission will not stop until they are able to do that on their own. We are happily committed,” Kim said.