As the information security disclosure obligation system enters its fourth year, there are calls for improvements to the system. Corporations subject to mandatory or voluntary disclosure report their investment amounts and personnel figures for information technology and information security, but critics point out that the lack of detailed information makes it difficult to gauge a company's actual security level. In addition, because most small and medium-sized enterprises are excluded from mandatory disclosure, it is hard to assess the overall security level of the industry, and the refusal of foreign corporations to disclose information has raised concerns about fairness.
According to the security industry on the 30th, the deadline for last year's information security disclosure by major domestic corporations is approaching. The information security disclosure system, operated by the Korea Internet & Security Agency (KISA), is aimed at promoting investment in information security and protecting users by disclosing the status of corporations' information security, including investment amounts, dedicated personnel, and related activities. Introduced in 2015, it started as a voluntary disclosure system, but with the growing need to strengthen corporations' information security capabilities, mandatory disclosure has been imposed on some corporations since 2022. Target corporations must disclose the relevant information by June 30 each year.
Currently, the mandatory disclosure targets are based on criteria that consider business areas, sales, and the number of users. By business area, the following are subject to mandatory disclosure: ▲ Telecommunications service providers with line facilities, ▲ Integrated telecommunications facility providers, ▲ Tertiary general hospitals, and ▲ Cloud computing service providers. By scale, corporations listed on the securities market and KOSDAQ that are required to designate and report a Chief Information Security Officer (CISO) and have sales of over 300 billion won are subject to mandatory disclosure. In addition, corporations with an average daily user count of over 1 million in information and communication services also fall under the mandatory criteria.
Voluntary disclosure is also possible. A corporation that provides information through information and communication networks, or that acts as an intermediary for such information, may disclose voluntarily at its own discretion. A corporation that voluntarily discloses its information security status receives a 30% discount on the certification examination fee for the Information Security Management System (ISMS) within one year from the date of disclosure. Additionally, KISA designates outstanding corporations for information security investment and presents commendations from the Minister of Science and ICT to some corporations that carry out their disclosures faithfully. These incentives are meant to encourage corporations to disclose their security investment status voluntarily even when they are not subject to mandatory disclosure.
However, the industry points out that the information security disclosure obligation system has several loopholes. The disclosure only reveals investment amounts, personnel numbers, and whether a Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO) has been designated, without providing specific details. Since it is unclear how the investment amounts and personnel are actually used, the disclosures offer limited insight into a company's real security level. The threshold for mandatory disclosure is also high, as the obligation is limited to corporations with annual sales exceeding 300 billion won.
The refusal of foreign corporations to disclose information is also being pointed out as a problem. Most Korean branches of global IT companies, including Microsoft Korea, IBM Korea, Amazon Web Services, and Oracle Korea, are subject to mandatory disclosure but do not reveal their information security investment amounts or personnel numbers. They cite the fact that their headquarters are responsible for the overall information security system, which makes it difficult to provide information specific to Korea.
For example, the disclosure materials submitted by IBM Korea state, "IBM has established and operates an information security system on a global level, so it is difficult for IBM Korea to provide detailed information on domestic information security investment amounts," and offer this statement in place of an explanation of the company's information security efforts. The problem is that such explanations are also vague and often stray from the purpose of disclosure, instead listing the company's own solutions and product features.
The Ministry of Science and ICT recently presented an 'improvement plan for the information security system in the era of artificial intelligence (AI)' to the Presidential Committee on Policy Planning. The plan includes promoting private investment in information security, expanding the scope of mandatory disclosure from the current threshold of 300 billion won in sales to all listed companies, and granting the Chief Information Security Officer (CISO) authority over personnel management and budget formulation. It also mentions strengthening the information security certification examination from a document review to an on-site examination and expanding the designation of major information and communication infrastructure.
Kwon Heon-young, a professor at Korea University Graduate School of Information Security, stated, "Currently, the information security disclosure obligation system only publishes superficial figures, making the criteria for specific investment items or personnel procurement unclear. Because different corporations in different business sectors are regulated to disclose uniformly, blind spots arise and discrepancies appear between items, leading to various problems." He added, "To enhance awareness and related investment in security, it is necessary for corporations and the government to discuss and develop a disclosure system that fits our country's circumstances."