Major domestic game companies posted record results last year, but they still appeared reluctant to invest in information security. The ratio of information security investment to sales at major game companies did not even reach 1%, and most had the same person serving as both the chief information security officer (CISO) and the chief privacy officer (CPO). With hacking and personal data leaks using artificial intelligence (AI) occurring one after another recently, there are calls for game companies that hold tens of millions of users' data to ramp up related investment.
On the 30th, according to the Korea Internet & Security Agency (KISA), the game company that spent the most on information security investment last year was Nexon Korea at 26.5 billion won. It was followed by ▲ NC (14.6 billion won) ▲ Krafton (13.4 billion won) ▲ Com2uS (8.6 billion won) ▲ Netmarble (5.4 billion won) ▲ Kakao Games (3.7 billion won) ▲ Neowiz (2.6 billion won). The Ministry of Science and ICT and KISA require listed companies with more than 300 billion won in sales and information and communications service providers with more than 1 million average daily users to disclose their information security status annually.
The problem is that information security investment remains low compared with company revenue. Netmarble posted an all-time high of 2.8351 trillion won in sales last year, but its information security investment ratio to sales was the lowest at 0.19%. Nexon Korea and Krafton also achieved record results with sales in the 3 trillion won range last year, but their information security investment ratios were 0.85% and 0.40%, respectively. Com2uS was the only game company to exceed 1% (1.24%).
The size of dedicated information security staff also varied by company. Nexon Korea had the most dedicated staff with 150. It was followed by ▲ NC (81) ▲ Krafton (42) ▲ Netmarble (33) ▲ Com2uS (26) ▲ Kakao Games (19) ▲ Neowiz (12). Dedicated information security staff handle tasks such as establishing security strategy, responding to incidents, operating system security, and managing vulnerabilities. As a share of total employees, Netmarble was highest at 4.29%. Nexon Korea and Kakao Games posted dedicated information security staff ratios in the 3% range at 3.58% and 3.89%, respectively.
At most game companies, the same person serves as both CISO and CPO. Those surveyed kept both the CISO and CPO at the executive level, but all held the two roles concurrently except for the Kakao Games CISO. In particular, Krafton, NC, Netmarble, and Nexon Korea had one person holding both the CISO and CPO positions.
Under current law, it is permissible to hold the CISO and CPO positions concurrently, but because the roles and expertise required by the two positions differ, their independence and accountability are being emphasized. The CPO oversees personal data governance, including processing and protection of personal data, compliance with related laws, and protection of data subjects' rights. By contrast, the CISO is responsible for technical security, including establishing information security strategy, operating security frameworks, responding to incidents, and managing system vulnerabilities.
Recently, as hacking methods that exploit generative AI have become more sophisticated worldwide and ransomware attacks on corporations and personal data leaks have continued in Korea, there are calls to strengthen game companies' security capabilities. Game companies hold large amounts of users' personal data, and if game servers are paralyzed, service operations can be disrupted and results directly affected, which raises the importance of security.
A game industry official said, "As hacking attacks have become far more sophisticated than in the past, the importance of information security is greater than ever," adding, "Because game companies hold large amounts of users' personal data and in-game assets, we plan to continuously expand related staffing and information security investment."