Financial watchdog chief warns Korean firms underinvest in cybersecurity amid hacks

Financial Supervisory Service (FSS) Gov. Lee Chan-jin holds a press conference at FSS headquarters in Seoul, Monday. Courtesy of FSS

The level of investment in cybersecurity by Korean companies is far below that of other major countries, the head of the country's financial watchdog warned Monday, amid a string of recent hacking incidents at major firms, including SK Telecom, Lotte Card, Coupang and Upbit.

Financial Supervisory Service (FSS) Gov. Lee Chan-jin noted that the recent security breaches are not simply due to technical errors but reflect a lack of proper risk awareness.

“Looking at these recent incidents, there’s no comparison with the U.S., and even compared to the international average, the level of security investment by Korean companies is extremely low,” Lee said during his first press conference since taking office in August. “Companies do not fully recognize the risk that a breach of such systems could potentially bankrupt them.”

According to data from the Financial Security Institute, Korean companies allocate only 6.4 percent of their IT budgets to cybersecurity. Within the financial and insurance industries, the figure rises to 9.6 percent on average, yet this remains far below the 13 percent typical among leading global financial institutions and well under the 20-something percent among some European banks.

Lee stressed the importance of strong system security for domestic financial firms, particularly as they actively expand into stablecoins and digital assets. He added that virtual asset operators are equally subject to these security requirements.

“A breach exposing sensitive personal financial information could trigger consumer anxiety and endanger the very survival of financial firms,” he said.

Lee stressed that current laws fall short on system security and consumer protection, and authorities are planning legal reforms to make cybersecurity investment essential for corporate survival.

Financial Supervisory Service (FSS) Gov. Lee Chan-jin attends a press conference at FSS headquarters in Seoul, Monday. Yonhap

Regarding concerns that banks’ financial soundness could be weakened after being hit with massive fines over the mis-selling of equity-linked securities (ELS) tied to the Hang Seng China Enterprises Index (HSCEI) in Hong Kong, Lee said authorities are considering several relief measures, such as reducing fines and easing capital requirements.

The comments come as weakening financial soundness at lenders could disrupt key government financial policies, such as productive finance and inclusive finance.

ELS are structured products linked to a stock or index. Banks faced backlash for selling high-risk HSCEI ELS without adequate explanation, leading to heavy consumer losses amid China’s property curbs, U.S.-China tensions and global rate hikes.

Five banks — KB Kookmin, Shinhan, Hana, NH NongHyup and Standard Chartered Bank Korea — received preliminary notifications of fines totaling about 2 trillion won ($1.4 billion), marking the largest fines since the enactment of the Act on the Protection of Financial Consumers in 2021.

Banks were reportedly shocked by the unexpectedly high fines, as analysts at securities firms had estimated total fines for the banking sector at up to 680 billion won, based on the Financial Services Commission’s (FSC) recently revised penalty guidelines.

The final fine amount is expected to be confirmed in the first half of next year following a resolution by the FSC.

When fines are imposed, banks usually must recognize 600 percent — six times — of the amount as operational risk, boosting risk-weighted assets (RWA) for up to 10 years. If the 2 trillion won fines are finalized, the RWA could rise by 12 trillion won, cutting the CET1 ratio, a key indicator of banks' capital adequacy, by about 100 basis points and straining loans and government financial policies.

Lee said his agency is well aware of these concerns and is actively coordinating with the FSC and other relevant authorities to minimize the impact.

“We are ensuring consumer protection while considering legal limits on fines and minimizing policy concerns, and we understand these factors will be reflected in the FSC’s final decision,” Lee said.

Since fines can be reduced by up to 75 percent, banks are making every effort to seek reductions based on the voluntary compensation measures they have implemented. Under the law, proactive voluntary compensation can serve as a basis for such mitigation.

“We are mindful that institutions that have diligently implemented post-incident remedies should be given due consideration when imposing fines," Lee said.