Korea's Kakao fire and the FSC's tightening of digital resilience rules
The October 2022 Pangyo data centre fire disrupted KakaoTalk and Kakao-linked financial services for days. Korea's response has reshaped digital resilience supervision for the sector.

On 15 October 2022, a fire in the SK C&C data centre in Pangyo, south of Seoul, took down KakaoTalk and a long list of dependent services, including Kakao Pay and Kakao Bank functionality, for periods ranging from hours to several days. The incident drew unusually direct public and political attention because Kakao services sit at the centre of daily life in Korea, and because the dependence of multiple financial functions on a single facility had not been widely understood outside the industry.
Korea's regulatory architecture for financial technology risk sits primarily with the Financial Services Commission, which sets policy, and the Financial Supervisory Service, which supervises. The Electronic Financial Transactions Act and its associated Electronic Financial Supervisory Regulations set baseline expectations for electronic finance providers on system safety, internal controls, outsourcing and incident reporting. The cloud and outsourcing rules were progressively liberalised through 2018 and 2019 to enable wider use of public cloud, with a corresponding expectation that institutions would manage the resulting third-party and concentration risks rigorously.
After the Kakao incident, the FSC and the Ministry of Science and ICT issued a series of measures focused on data centre resilience, with stronger requirements on physical safety, redundancy and recovery for designated facilities. For financial firms, the FSS used its supervisory channels to press on disaster recovery testing, recovery time objectives for customer-facing services and the realism of failover arrangements between primary and backup sites. Boards and chief information officers were asked to evidence that their disaster recovery design would survive a primary site loss of the scale seen at Pangyo.
Third-party concentration is a sharper question in Korea than the regulatory text alone suggests. A small number of domestic and global providers underpin large parts of the financial ecosystem, and the public-facing services of even traditional banks now depend on platforms operated by the technology majors for parts of authentication, messaging and customer engagement. Supervisory dialogue has moved beyond contractual due diligence towards understanding the operational dependencies that would surface during a stress.
Cyber expectations have been tightened in parallel. The FSS has emphasised the integration of cyber and operational resilience, the strengthening of identity and access management for privileged users, and the readiness of institutions to manage incidents that combine cyber compromise with availability impact. Cross-border cyber incidents affecting Korean firms, including supply chain incidents involving overseas software providers, have reinforced the point that the domestic perimeter is not the only relevant scope.
Incident notification expectations sit across several instruments. Significant electronic financial incidents are notifiable to the FSS, and cyber incidents that meet the relevant thresholds also fall under the broader cyber regime supervised by KISA. The practical readiness question is whether the institution has a single, rehearsed playbook that handles both clocks under pressure, rather than separate compliance processes that risk inconsistency during a real event.
For Korean financial institutions setting their next cycle of priorities, three points stand out. Reconcile disaster recovery design with the actual concentration of facilities, providers and people, so the recovery plan reflects how the business runs rather than how it was originally designed. Treat platform dependencies on the technology majors as critical third-party risks with named owners and tested contingencies. And rehearse incidents that engage the FSS, KISA and consumer communication obligations simultaneously, because the next significant event almost certainly will.

