
Case Study 14 | Company B, an SIer for Financial Institution Business Applications

Redesigning vulnerability management for FISC Security Guidelines compliance using agentic AI.

Audit evaluations in Financial Services Agency inspections reached an industry-leading level

Industry

Contract development and maintenance of business applications for financial institutions

Implementation Target

Security operations department for deployed business applications

Implementation Period

3-month PoC → 9-month phased rollout

Company B is an SIer that provides business application suites for megabanks and regional banks, including peripheral core banking systems, branch operations, and customer support. It had to simultaneously comply with the FISC Security Guidelines, Financial Services Agency inspections, and each financial institution’s own security policies. The quality, speed, and evidence management of vulnerability response were all expected to meet top industry standards. By applying CLAVI Mining’s agent technology, the company built a system that autonomously performs vulnerability monitoring, remediation generation, and evidence management 24 hours a day. This case shows a significant improvement in audit evaluation during Financial Services Agency inspections.

Challenges Before Implementation

Company B’s challenge was the inability to balance the strict audits unique to the financial industry with response speed. Each vulnerability response required a multi-step process of prior reporting, approval, implementation, and post-reporting to the information security departments of financial institutions. Even highly urgent vulnerabilities routinely took two to three weeks before production deployment.

In addition, the company faced multiple audit opportunities each year, including Financial Services Agency inspections, FISC Security Guidelines compliance audits, and individual audits by each financial institution. It had to provide complete evidence showing when each vulnerability was identified, what decision was made, and how it was addressed. Manual evidence management continued to leave incomplete areas that remained as audit findings.

Executives stated that the security requirements of financial institution customers were beginning to exceed the company’s human resource capacity. They concluded that unless the operating structure was redesigned ahead of competitors, the company could lose trust across the entire financial industry. This led to the decision to invest in AI agent operations.

Reasons for Selection

Company B selected CLAVI Mining’s agent technology for the following three reasons specific to the financial industry.

First was the mutual monitoring and correction design of the multi-agent system. Because incorrect handling in financial systems can directly lead to major incidents, the architecture in which an execution agent, verification agent, and supervisory agent mutually check one another was the only design that matched the industry’s risk tolerance.

Second was the transparency log for FISC Security Guidelines compliance. The design permanently records all agent decisions and execution histories in a tamper-resistant format, providing a level of accountability sufficient for Financial Services Agency inspections.

Third was the fine-grained design of human intervention points. The system can classify actions in detail according to the size of the financial institution, business type, and vulnerability risk level, such as requiring human review, notifying humans only, or marking an item as a candidate for automatic approval. This made it possible to handle differences in security policies among financial institutions.

Post-Implementation Results

[Vulnerability response lead time] From JVN publication to remediation patch generation and completion of internal verification, the timeline was reduced from the previous 5–10 business days to an average of 40 minutes, a 98% reduction. While reporting and approval cycles with financial institutions were maintained separately, the technical preparation time was dramatically compressed.

[Financial Services Agency inspections and FISC audits] In the audit item evaluating the effectiveness of the vulnerability management process, the company was assessed as being at an industry-leading level. It passed with zero findings.

[Evaluation from 30 customer financial institutions] Feedback from the security departments of each institution improved significantly, with multiple comments expressing expectations for industry-wide expansion. This also directly contributed to acquiring new banking clients.

[Business impact] By positioning industry-leading security operations as a sales message, the company improved its win rate in new SIer selection processes and achieved the performance targets of its medium-term management plan ahead of schedule.

CTO comment: “Trust from financial institutions is determined not by technical capability, but by operational quality. Agent technology became a way to structurally raise that operational quality.”

Insights from This Case

This case from Company B shows that, for SIers serving regulated industries, automating vulnerability management is itself a source of competitiveness. In industries where customers’ security requirements rise year after year, shifting beyond the limits of manual response toward AI agent operations is becoming a condition for survival.

In agent operations for regulated industries, the quality of transparency logs and human intervention point design becomes a decisive factor in audit evaluation. Strictly evaluating these two points during vendor selection creates a major difference after production deployment.

Industry-Wide Expansion and Future Vision

After succeeding with business applications for financial institutions, Company B is expanding agent operations horizontally to business applications for group credit card companies and insurance companies. By standardizing agentic security operations across the entire financial group, simultaneous improvement in operational efficiency and governance quality is becoming a reality.

The company is also planning expansion to overseas subsidiaries in Southeast Asia and Hong Kong, with global deployment that considers compliance with local financial regulations such as MAS and SFC. The competitiveness of SIers serving financial institutions is entering an era in which regulatory response capability during overseas expansion is also a key measure.

Executives have stated that they position this as a foundational technology that will support the next decade of SIers serving the financial industry. Continued investment in this platform has been decided as a core part of the medium-term management plan’s IT investment.

*This article is a dummy case study created as a structural example. Company names and figures are fictional.