[Background]
Under current network separation regulations, financial companies and electronic finance business operators cannot use SaaS on internal work networks, which limits work efficiency and the adoption of new technologies.
Accordingly, network separation regulations have been exceptionally waived through the Regulatory Sandbox since Sep '23, allowing the use of external applications such as SaaS on internal work networks. This amendment aims to formalize the Regulatory Sandbox into a regular system.
However, according to Article 2-3, Paragraph 3 of the Detailed Enforcement Regulations, information protection controls must be applied and approved by the Information Protection Committee when waiving network separation regulations. Therefore, information protection controls* suitable for SaaS must be applied even when exempting SaaS from network separation regulations.
*Since security risks such as hacking and information leakage increase, strengthening alternative information protection controls to manage and control these risks is essential.
[Main Points]
A. Reporting on the Implementation of Information Protection Controls following SaaS Network Separation Exceptions
A new Article 2-3, Paragraph 4 is inserted, requiring semi-annual reporting to the Information Protection Steering Committee on the implementation status of information protection controls addressing SaaS security risks.
B. Amendment of Alternative Information Protection Control Items for Network Separation (Annex 7)
New control items specialized for SaaS are created to control its security risks (similar to the security measures the Financial Security Institute currently evaluates when designating SaaS Regulatory Sandboxes), in addition to the existing information protection control items.