Resolution of the Cabinet Meeting on the Amendment to the Enforcement Decree of the Information and Communications Network Act
[Asia Economy Reporter Seulgina Jo] Starting from the 9th of next month, domestic small and medium-sized enterprises (SMEs) will be allowed to appoint a department head-level manager, rather than an executive, as their Chief Information Security Officer (CISO). The reporting deadline will also be extended threefold to 180 days.
The Ministry of Science and ICT announced that the amendment to the Enforcement Decree of the "Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (Information and Communications Network Act)," which includes improvements to the CISO system aimed at strengthening companies' capabilities to prevent and respond to cyber incidents, passed the Cabinet meeting on the 30th and is scheduled to take effect from December 9.
This amendment follows the revision of the Information and Communications Network Act on June 8. It focuses on easing the burden on companies by allowing the designation and reporting of information security officers (department head-level) or representatives according to company size, instead of uniformly requiring executive-level CISOs, and by adjusting the scope of companies subject to reporting to medium-sized enterprises or larger, which have a greater need for information security.
First, the government clarified the scope of CISO executives and employees. Previously, companies obligated to report their Chief Information Security Officer were uniformly required to appoint an 'executive-level' officer. This has now been segmented based on company size to resolve confusion caused by the vague 'executive-level' standard.
Accordingly, companies subject to reporting obligations are divided into those subject to concurrent position restrictions (large enterprises) and general reporting obligation companies (medium-sized enterprises or larger). For companies with concurrent position restrictions, the CISO must be a 'director,' while general obligation companies may appoint an information security officer at the department head level.
Additionally, the scope of companies required to report a Chief Information Security Officer has been narrowed to include only medium-sized enterprises or larger with significant information security needs. A provision was added stating that, for companies exempt from reporting obligations, the business owner or representative is deemed to be the Chief Information Security Officer. The Ministry of Science and ICT explained, "Previously, all medium-sized enterprises or larger were subject to reporting obligations, but with this amendment, the criteria for medium-sized enterprises have been refined to include only those that are telecommunications service providers, personal information processors, mail-order businesses, or subject to information security management system certification obligations."
Furthermore, considering difficulties in securing personnel for newly targeted companies, the reporting deadline has been extended from the current 90 days to 180 days. To enhance the effectiveness of the prohibition on concurrent positions, fines have been newly established: 10 million KRW for the first violation, 20 million KRW for the second, and 30 million KRW for three or more violations. The fines for failure to report a Chief Information Security Officer have been relaxed from 10 million KRW to 7.5 million KRW for the first violation, and from 20 million KRW to 15 million KRW for the second. Additionally, authority for administrative sanctions will be delegated to the Central Radio Management Office.
Minister Hye-sook Lim of the Ministry of Science and ICT stated, “Through this amendment, we expect to ease the burden on companies while enabling CISOs of major companies to focus exclusively on information security tasks within their organizations. This will help prevent cyber incidents and enable rapid recovery and minimization of damage when incidents occur, thereby strengthening the overall information security capabilities of domestic companies.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

