Sangjang Association: "Mandatory Information Security Disclosure Imposes Excessive Burden on Companies"

Inappropriate to Use Simple Sales Figures as a Standard

[Asia Economy Reporter Minwoo Lee] Concerns have been raised that the amendment to the Information Security Industry Act, which mandates information security disclosure obligations for listed companies with sales exceeding 50 billion KRW, imposes an excessive burden.


The Korea Listed Companies Association announced on the 20th that it had submitted an opinion to this effect to the Ministry of Science and ICT yesterday.


Earlier, on August 11, with the legislative notice of the partial amendment to the Enforcement Decree of the Information Security Industry Act, the following entities became subject to mandatory information security disclosure: facilities-based telecommunications service providers, integrated information and communication facility operators, tertiary general hospitals, cloud computing service providers, listed companies on the KOSPI and KOSDAQ markets with sales of 50 billion KRW or more in the previous year (previous fiscal year), and those with an average daily user count of 100,000 or more over the preceding three months as of the end of the previous year.


The Listed Companies Association pointed out that this constitutes an excessively expanded obligation without consideration of urgency or impact. Listed companies with sales exceeding 50 billion KRW account for about 63% of all listed companies, and about one-quarter of these are small and medium-sized enterprises.


Originally, the plan limited the obligation to companies generating sales by providing information and communication services, but the amendment imposes the obligation solely based on sales figures. The association criticized the change, saying, "The reason for the significant change in selection criteria is unclear, and while the obligations for companies are expanded, there is no clear plan on how the collected information will be managed or utilized."

[Image: Criteria for Mandatory Disclosure of Information Security under the Partial Amendment to the Enforcement Decree of the Information Security Industry Act (Provided by Korea Listed Companies Association)]


They also emphasized that if this is in the context of mandatory ESG (Environmental, Social, and Governance) disclosures for listed companies, an integrated review of disclosure content, methods, timing, and implementation schedules should be prioritized.


The association stated, "In major countries such as the United States and Japan, information disclosure is encouraged through 'guidance' or 'guidelines,' leaving it to the companies' autonomous judgment. Mandatory disclosure obligations and selection of disclosure targets in individual laws should be minimized and applied only when absolutely necessary." They added, "While corporate sanctions are strengthened under the Personal Information Protection Act in case of data breaches, mandatory disclosure for preventive purposes results in double regulation, which must also be taken into account."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
