
The government will impose tough sanctions on corporations that suffer repeated hacking incidents, including a punitive penalty surcharge of up to 3% of sales.

In a briefing to President Lee Jae-myung on the 2026 work plan on the 12th, the Ministry of Science and ICT presented a plan to strengthen cybersecurity, saying it would make an example of corporations that neglect security management. The core of the plan is to impose a punitive penalty surcharge on corporations that repeatedly suffer breaches, and to levy fines or enforcement penalties if they fail to promptly disclose incidents or do not implement recurrence prevention measures.

First, it will push to raise the cap on fines for late reporting of cyber incidents from the current 30 million won to 50 million won. It will also revise the system to allow repeated imposition of enforcement penalties on corporations that establish but do not follow recurrence prevention measures.

User protection measures will also be strengthened. Corporations hit by hacking will be required to notify users, and a notification system will be built in the first half of next year to quickly alert users to damages. To keep an excessive burden of proof from falling on users in damage claims, that burden will be eased, and collective relief measures such as the introduction of class actions will be reviewed alongside it. In the work briefing, President Lee said, "If (victims) have to file lawsuits one by one, the legal costs could be higher, so we must introduce class actions," urging a swift legislative process.

Government-level preemptive response capabilities will also be raised. Surprise security inspections, which had focused on the three telecom companies, will be expanded to major platform corporations, and development will proceed on an AI-based threat information sharing system (AI-ISAC) and an "AI cyber shield dome" that detects abnormal traffic in advance. The government will establish a basis for ex officio investigations so that it can conduct on-site probes directly when signs of hacking are detected, and it is discussing with the Ministry of Justice a plan to grant special judicial police powers to the Korea Internet & Security Agency (KISA).

Through these measures, the Ministry of Science and ICT set a goal of shortening the average time to respond to cyber incidents from about three months now to within 10 days by 2028.

Meanwhile, the Ministry of Science and ICT said it plans to impose fines in connection with the KT server hacking case for failing to report to authorities despite recognizing signs of hacking in 2024. However, this action concerns an issue that occurred before the introduction of the "punitive penalty surcharge of up to 3% of sales," and thus is not subject to the new sanction rules.
