
Korean regulators bolster CISO authority after repeated breaches, but distrust lingers

By Tyler Hansbrough

As one of the youngest members of the team, Tyler Hansbrough is a rising star in financial journalism. His fresh perspective and analytical approach bring a modern edge to business reporting. Whether he’s covering stock market trends or dissecting corporate earnings, his sharp insights resonate with the new generation of investors.

Korean regulators and parliament move in tandem to strengthen CISO authority at financial firms
Repeated hacking and data breaches fuel growing consumer concerns
Financial sector revamps security systems, but market says “lenient penalties are the real problem”

South Korea’s Financial Services Commission (FSC) is reviewing measures to raise the internal security standards of financial firms. The plan would grant chief information security officers (CISOs) access to security-related materials held by other departments, strengthening their authority and encouraging companywide responses to cyber risks. The move is widely seen as a response to a string of security incidents this year, including the Lotte Card hacking case and an internal data-leak incident at Shinhan Card.

FSC weighs expanding CISO authority at financial firms

According to financial authorities on December 30, the Financial Services Commission (FSC) is reviewing a plan to expand the authority of chief information security officers (CISOs) at financial institutions. The core idea is to include provisions in the forthcoming Digital Financial Security Act that would require other departments to provide CISOs with information needed for security inspections. The act is expected to let financial firms build their own security frameworks, while imposing high levels of punitive fines if incidents occur. After gathering feedback from major financial companies, the FSC plans to submit the proposal to the National Assembly.

The FSC’s focus on CISO authority reflects ongoing criticism that many firms treat cybersecurity as the responsibility of the information security department alone, rather than making organization-wide investments in capability building. In practice, CISOs may hold C-level titles but are often seen as having less internal clout than executives such as chief financial officers (CFOs) or heads of sales. Security teams are frequently viewed as non-revenue units or as little more than a compliance “shield.” One finance-sector official said CISOs are often not granted full decision-making authority over budgeting, staffing, or adopting new systems, adding that many end up serving largely symbolic roles.

The National Assembly is also discussing legislation to elevate the CISO role. Last month, Yoo Dong-soo, a lawmaker from the Democratic Party of Korea, introduced a partial amendment to the Electronic Financial Transactions Act aimed at strengthening CISO authority. The bill would require CEOs to grant CISOs substantive powers and responsibilities so they can carry out their duties independently, and would mandate board approval when appointing a CISO. It also includes provisions to guarantee a two-year term, along with separate compensation and performance-evaluation standards, to ensure CISOs can conduct security work with greater independence.

Security gaps at card firms come to light

The recent string of security incidents is a key reason regulators and lawmakers are moving in tandem to tighten cybersecurity at financial institutions. In August, Lotte Card suffered a hacking incident that leaked customer data affecting 2.97 million people. It was the largest breach in 11 years, since the mass leak involving three card companies in 2014, and the exposed information reportedly included payment-related details such as some customers’ card numbers and expiration dates. On-site inspections by the Financial Supervisory Service and the Financial Security Institute found that the stolen data totaled about 200GB—more than 100 times the 1.7GB Lotte Card initially reported to the regulator.

More recently, Shinhan Card was found to have leaked 192,088 records of personal information belonging to merchant owners, triggering concerns over internal controls. Authorities believe 12 employees from five branches were involved. From March 2022 to May this year—about three years and two months—they unlawfully extracted personal data including merchant owners’ names, mobile phone numbers, and dates of birth. The information was used to solicit new card sign-ups. To avoid leaving traces in the company’s security logs, the employees reportedly photographed the data on their smartphones or copied it down by hand and shared it, effectively bypassing internal controls. Shinhan Card did not detect the leak for more than three years and only learned of it recently after a whistleblower tip was filed with the Personal Information Protection Commission.

Because the case involved prolonged, unauthorized use of customer information at the sales front line, criticism has intensified over weaknesses in Shinhan Card’s internal data management. Shinhan Card said the incident was misconduct by a handful of employees rather than an external hack, but consumer concerns persist that similar leaks could recur given the industry’s reliance on recruiters and aggressive sign-up practices.
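As an added illustration (not from the article, and not Shinhan Card's own tooling), the Python check below shows the kind of internal-control signal a prolonged harvest of this shape still leaves behind. Photographing a screen or copying records by hand defeats export and DLP logging, but every record first has to be looked up in the application, so the number of distinct customer records an employee views, measured against a branch baseline, is a detection surface that survives the bypass. The log format, field names, employee and branch identifiers and the three-times-median threshold are all assumptions; the log lines are constructed for the example.

```python
"""Added example: baseline check over constructed customer-lookup logs.

Not from the article or from Shinhan Card. Field names, identifiers and the
3x-median threshold are assumptions; the sample log is constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Lookup:
    month: str      # "YYYY-MM", the aggregation window
    employee: str
    branch: str
    merchant: str   # record that was displayed to the employee


def parse_log(text):
    """Parse 'timestamp,employee,branch,merchant,action' lines (hypothetical
    format); keep only record views, since a screenshot needs a view but no export."""
    lookups = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, emp, branch, merchant, action = line.split(",")
        if action == "view_profile":
            lookups.append(Lookup(ts[:7], emp, branch, merchant))
    return lookups


def distinct_per_employee_month(lookups):
    """Count distinct merchant records each employee viewed per month and branch."""
    seen = defaultdict(set)
    for lk in lookups:
        seen[(lk.month, lk.branch, lk.employee)].add(lk.merchant)
    return {key: len(merchants) for key, merchants in seen.items()}


def flag_outliers(counts, factor=3.0, min_peers=3):
    """Flag (month, branch, employee) whose distinct-record count exceeds
    factor * the branch median for that month. Branch peers are the baseline
    because workloads differ between branches; a small branch gives no baseline."""
    by_group = defaultdict(dict)
    for (month, branch, emp), n in counts.items():
        by_group[(month, branch)][emp] = n
    flags = []
    for (month, branch), per_emp in by_group.items():
        if len(per_emp) < min_peers:
            continue
        baseline = median(per_emp.values())
        for emp, n in per_emp.items():
            if baseline > 0 and n > factor * baseline:
                flags.append((month, branch, emp, n, baseline))
    return sorted(flags)


def build_sample_log():
    """Constructed sample (not real data): branchA staff view ~12 merchant
    records in March 2022; emp004 additionally pages through 60 more, which is
    what a solicitation-list harvest looks like even when nothing is exported."""
    lines = ["# timestamp,employee,branch,merchant,action"]

    def add(day, emp, branch, merchant, action="view_profile"):
        minute = len(lines) % 60
        lines.append(f"2022-03-{day:02d}T09:{minute:02d}:00,{emp},{branch},{merchant},{action}")

    for emp in ("emp001", "emp002", "emp003", "emp004"):
        for i in range(12):
            add(1 + i, emp, "branchA", f"m-{emp}-{i:03d}")
    for emp in ("emp101", "emp102", "emp103"):
        for i in range(10):
            add(1 + i, emp, "branchB", f"m-{emp}-{i:03d}")
    for i in range(60):
        add(1 + i % 28, "emp004", "branchA", f"m-extra-{i:03d}")
    add(15, "emp002", "branchA", "m-emp002-000", "export_csv")  # not a view; ignored
    return "\n".join(lines)


def run_check(log_text=None):
    """Run the pipeline; returns flagged (month, branch, employee, count, baseline) tuples."""
    text = build_sample_log() if log_text is None else log_text
    return flag_outliers(distinct_per_employee_month(parse_log(text)))


if __name__ == "__main__":
    for month, branch, emp, n, baseline in run_check():
        print(f"{month} {branch} {emp}: {n} distinct records vs branch median {baseline:g}")
```

Two caveats worth keeping in mind when applying a check like this. The threshold and the peer group have to be tuned to the business (a collections desk legitimately views far more records than a branch teller). And a branch median is only a useful baseline while most of the branch is behaving; in a case like the one described above, with a dozen employees across five branches involved, the median in an affected branch shifts with them, so a per-employee historical baseline over several months is the natural complement.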

Concerns persist despite security upgrades

As repeated security incidents have sharply worsened public sentiment, financial institutions have moved to overhaul their internal security systems. One example is NongHyup Bank, which appointed Executive Vice President Jung Tae-young—widely regarded as a groupwide cybersecurity expert—as both chief information security officer (CISO) and chief privacy officer (CPO). The bank also established a reporting structure in which the CPO reports security matters directly to the chairman of NongHyup Financial Group. It is rare for a bank to place the CPO directly under the holding company chairman; most banks have CPOs reporting to the bank CEO or operating under the compliance function. NongHyup Bank is also the only bank in Korea where a vice president-level executive oversees information security.

Card companies have likewise been increasing security budgets and hiring additional personnel to brace for future incidents. Data submitted by eight card issuers to lawmaker Park Chan-dae of the National Assembly’s Political Affairs Committee show that combined information-security spending rose about 22.6%, from roughly $83 million in 2021 to about $101 million in 2025. By company, KB Kookmin Card posted the largest security budget this year at about $20 million, while Hyundai Card employed the largest security workforce, with 120 staff. Hyundai Card has also recorded the steepest growth, boosting its security budget by 83.4% over the past five years.

Even so, market participants argue that simply spending more money or appointing specialists will not resolve the underlying problem. They point to institutional and cultural shortcomings in Korea’s financial sector that continue to heighten cyber-risk. Compared with advanced economies, Korea’s penalties for personal data breaches remain relatively weak. Because there is little precedent of large-scale class-action lawsuits over data leaks, standards for determining penalties are vague, and victims often fail to receive adequate compensation even when suits are filed.

Regulatory action over the August Lotte Card data breach, for example, has yet to be finalized. While industry expectations suggest a fine of up to about $62 million, no substantive discussion has taken place even four months after the incident. Critics say that even if penalties are imposed, they are unlikely to be severe enough by global standards to meaningfully raise awareness. Some argue that fines are often smaller than the costs companies incur to strengthen security systems and hire personnel, undermining incentives to treat cybersecurity as a true priority.
