
A Study on Cybersecurity Regulation for Financial Sector: Policy Suggestion based on New York's Cybersecurity Regulation (23 NYCRR 500)

A Study on Enhancing the International Competitiveness of Korea's Financial Cybersecurity Regulation: Focusing on the New York State Financial Cybersecurity Regulation (23 NYCRR 500)

  • Kim, Docheol (Graduate School of Information Security, Korea University)
  • Kim, Inseok (Graduate School of Information Security, Korea University)
  • Received : 2018.09.13
  • Accepted : 2018.11.24
  • Published : 2018.11.30

Abstract

In March 2017, the State of New York became the first state to implement a regulation specific to cybersecurity for financial institutions. Unlike previous regulations on information security, it sets minimum requirements to establish a cybersecurity program based on risk assessment results, protect Nonpublic Information, designate a CISO, and report to the regulatory entity. This paper presents the need for a new cybersecurity policy in Korea by examining the newly adopted cybersecurity regulation in the United States. Finally, the paper identifies policy suggestions based on the United States' approach, as it has successfully implemented the program.

The New York State Financial Cybersecurity Regulation (23 NYCRR 500), the first financial-sector cybersecurity regulation enacted in the United States, the center of global finance and cybersecurity, took effect in New York in March 2017. Unlike existing financial information security laws, 23 NYCRR 500 requires risk-assessment-based policy establishment, strengthened security for nonpublic data, designation of a Chief Information Security Officer (CISO), removal of internal risk factors, and annual reporting obligations, thereby strengthening the responsibility of all financial institutions operating in New York, such as banks and insurance companies, to demonstrate their security against internal and external threats. This paper analyzes New York's new financial cybersecurity regulation and the existing US financial legal framework and, through a comparative analysis with Korea's financial-sector cybersecurity regulations (the Electronic Financial Transactions Act and the Regulation on Supervision of Electronic Financial Transactions), proposes improvements to financial-sector cybersecurity regulation that would strengthen the international competitiveness of Korea's financial services industry.

Keywords

Figures

  • Figure 1. Process of 23 NYCRR 500 Finalizations
  • Figure 2. Cybersecurity Risk/Maturity Relationship in FFIEC Cybersecurity Assessment Tool
  • Figure 3. Relationship between Cybersecurity Regulation and its Related Organizations

Tables

  • Table 1. List of Korean Banks Registered to NYDFS
  • Table 2. Title of the NYCRR and its Corresponding Departments
  • Table 3. Regulations within Title 23 of NYCRR
  • Table 4. GLBA Nonpublic Personal Information Definition
  • Table 5. Comparative Analysis of 23 NYCRR 500 and Information Security Laws for Financial Sector in South Korea
  • Table 6. Comparative Analysis of 23 NYCRR 500 and Information Security Laws for Financial Sector in South Korea (Continued)
  • Table 7. Comparative Analysis of 23 NYCRR 500 and Information Security Laws for Financial Sector in South Korea (Continued)

Cited by

  1. A Comparative Study of the Institutional Response to Security Risks in the Revised EU Payment Services Directive and the Related Korean Electronic Financial Regulation, vol.24, pp.4, 2019, https://doi.org/10.7838/jsebs.2019.24.4.079
  2. Cyber Risk Management for Small and Medium-Sized Enterprises to Prevent Personal Information Leakage Incidents, vol.17, pp.2, 2021, https://doi.org/10.15683/kosdi.2021.6.30.375