Korea Internet & Security Agency (KISA) closed last year's information security disclosure registration, and a fairness dispute is emerging as only domestic corporations are subject to quantitative disclosure standards. Domestic corporations disclosed details such as information security investment and dedicated personnel, while most foreign corporations fulfilled their disclosure obligations with qualitative explanations, leaving key items blank. The government will expand the scope of information security disclosure to all domestic listed companies starting next year, but foreign corporations are still excluded from quantitative evaluation.
According to the security industry on the 3rd, registration for last year's information security disclosure run by Korea Internet & Security Agency (KISA) closed on the 30th of last month. The information security disclosure system requires corporations to disclose information security investment, dedicated personnel and related activities. It was introduced to guarantee users' right to know and to encourage corporations to invest in information security. It began in 2015 as voluntary disclosure, and as the need to strengthen corporations' information security capabilities grew, mandatory disclosure has been implemented since 2022 for some corporations.
Currently, the mandatory disclosure targets are set based on business sector, revenue and number of users. Target entities include facilities-based telecommunications carriers that own line facilities, internet data center (IDC) operators, tertiary general hospitals, and cloud computing service providers, as well as listed companies on the main board and KOSDAQ that must designate and file a chief information security officer (CISO) and have revenue of 300 billion won or more. Corporations whose average daily number of users of information and communications services is 1 million or more are also subject to mandatory disclosure.
However, contrary to the intent of the system, the industry is raising the issue of fairness with foreign corporations. The Korean subsidiaries of global corporations such as Google, Tencent, Meta, TikTok, Microsoft (MS), IBM and Amazon Web Services (AWS) are subject to mandatory information security disclosure but are not disclosing their information security investment and the size of their dedicated personnel. This is because, when the system was introduced, the government exceptionally allowed qualitative disclosure, judging that it would be difficult to produce quantitative figures under domestic standards in consideration of the characteristics of foreign corporations with headquarters overseas.
In fact, disclosures submitted by these corporations said they run their overall information security framework at the global headquarters level and that it is difficult to provide information only for the Korean subsidiary, and they substituted disclosure by describing their information security activities. The problem, critics say, is that such explanations also lack specificity and amount to listing their own security solutions and features, undermining the effectiveness of the disclosure.
As a result, the industry complains that the current system applies strict standards only to domestic corporations. Although the government has expanded the scope of information security disclosure to all domestic listed companies starting next year, foreign corporations remain excluded from quantitative evaluation, which is also drawing criticism. After a series of cyber incidents last year, information security disclosure standards were tightened, increasing the burden on domestic corporations, but the same standards are not applied to global corporations.
Experts noted that hacking damage occurs to domestic users regardless of a corporation's nationality, and that global corporations doing business in Korea should also carry out information security disclosure and social responsibility under the same standards as domestic corporations. In particular, as cyber threats become more advanced with the spread of artificial intelligence (AI) and consumers' interest in corporations' security investment and capabilities grows, the current system that excludes foreign corporations from quantitative disclosure is criticized as a "half measure."
Yeom Heung-yeol, an emeritus professor in the department of information security at Soonchunhyang University, said, "Foreign corporations that currently do substantial business in Korea offer services no different from domestic corporations in the same industry, but are in effect left out of information security disclosure," and added, "However, since foreign corporations may find it difficult to calculate domestic revenue or investment separately, it is necessary to consider setting disclosure targets based on domestic impact such as number of users."
He added, "Just as the Personal Information Protection Act applies to corporations doing business in Korea regardless of nationality, the information security disclosure system should also be gradually expanded to foreign corporations to eliminate discrimination between domestic and foreign corporations," and "In the initial stage, participation can be encouraged by providing incentives to disclosing corporations, and in the long term, the system should be improved to apply the same standards."