Reduced Corporate Burden... Chief Information Security Officer for SMEs Can Be at Manager Level, Not Just Executive Level

[Asia Economy Reporter Seulgina Jo] In the future, small and medium-sized enterprises (SMEs) with total assets of less than 5 trillion won will be allowed to appoint a department head-level information security officer (CISO) instead of an executive-level one. Restrictions on holding concurrent positions for similar information security-related tasks have also been relaxed.


The Ministry of Science and ICT announced that on the 1st, a partial amendment to the "Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (Information and Communications Network Act)" containing improvements to the CISO system was approved at the Cabinet meeting. The amendment is intended to prevent corporate cyber incidents and strengthen companies' capabilities to respond to them.


With this amendment, the uniform status (executive level) of CISOs according to company size will be diversified, and the scope of reporting obligations will be clarified. The relaxation of restrictions on holding concurrent positions is expected to reduce the burden on companies while enhancing the effectiveness of the system.


The amendment first allows SMEs, excluding companies subject to concurrent position restrictions, to designate department head-level information security officers. Companies with total assets of 5 trillion won or more at the end of the previous fiscal year, or those subject to mandatory Information Security Management System (ISMS) with total assets of 500 billion won or more, fall under the concurrent position restriction category. Details will be specified in the enforcement decree later.


This reflects the concerns companies have had about difficulties in hiring personnel and establishing organizations, as the designation of executive-level CISOs was uniformly enforced for all companies of medium size or larger. The Ministry of Science and ICT expects that "this amendment will alleviate the burden."


Additionally, the amendment requires medium-sized companies or larger, which have a greater need for information security, to report their CISOs, while companies exempt from the reporting obligation will have their representatives regarded as CISOs under the enforcement decree to prevent gaps in information security. Previously, restaurants and academies with annual sales of 1 billion won or more that operated simple promotional or informational websites were also subject to CISO reporting obligations, but they are now excluded from the reporting obligation under this amendment.


Furthermore, the amendment clarifies the duties of CISOs for information security and relaxes restrictions on holding concurrent positions to allow them to perform similar information security-related tasks such as Chief Privacy Officer (CPO) duties. Tasks that can be concurrently held include establishing and implementing information security plans, conducting regular information security audits of actual conditions and practices, identifying risks and preparing information security measures, as well as personal information protection beyond mandatory duties.


Along with this, the Korea Internet & Security Agency (KISA) will take on roles related to the CISO system, including verification of false or deficient reports, policy support, and security education.


The government has also revised penalty provisions to strengthen the effectiveness of system operation. Sanctions for false reporting and designation of unqualified persons have been established and will be detailed in the enforcement decree. There have been continuous criticisms that only corrective orders were possible in cases of unqualified designation or violation of concurrent position restrictions, limiting the effectiveness of the system.


Hong Jin-bae, Director of Information Security Network Policy at the Ministry of Science and ICT, said, “Through this legal amendment, the burden on companies has been reduced while strengthening the substance of the system,” adding, “Many companies will be able to enhance their capabilities to prevent and respond to cyber incidents, which will help corporate activities and increase public awareness of cybersecurity.”


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
