Personal Information Protection Commission Announces Amendment in March to Reduce Mandatory Insurance Coverage
Calls Grow for Reconsideration as Hacking Incidents Continue
Kim Hyunjung: "Mandatory Insurance Should Be Expanded and Private Cyber I
This year, a series of hacking incidents at companies such as SK Telecom, KT, and Lotte Card has led to growing calls for a reconsideration of the “Personal Information Damage Liability Insurance Amendment” announced by the Personal Information Protection Commission in March. Critics argue that this mandatory insurance should not be limited to large corporations, but should also be extended to small and medium-sized enterprises, government ministries, and public institutions.
Introduced in 2019, the Personal Information Damage Liability Insurance is a system that requires companies to either purchase insurance or set aside reserves to compensate consumers in the event of a personal information leak. The current requirements for mandatory subscription are 1 billion KRW in annual sales and 10,000 data subjects. However, controversy has arisen since the Personal Information Protection Commission announced a revised enforcement ordinance in March, raising the thresholds to 150 billion KRW in annual sales and 1 million data subjects. If implemented, the number of companies required to subscribe would be reduced from 380,000 large and small businesses to only about 200 large corporations.
Large corporations invest more in security than small and medium-sized enterprises. Nevertheless, hacking incidents continue to occur. This year alone, GS Retail (January), SK Telecom (April), YES24 (June), and Lotte Card (August) have all suffered breaches. Given that even large corporations are vulnerable, there are growing concerns that small and medium-sized enterprises, which have even weaker security, could face a surge in incidents going forward. If the revised ordinance announced by the Personal Information Protection Commission takes effect, small and medium-sized enterprises may become lax in subscribing to personal information damage liability insurance, making it even more difficult to compensate consumers in the event of a hacking incident.
In July, a hacking incident occurred at Wellix FI Capital, an affiliate of Welcome Financial Group, whose annual sales last year were below 150 billion KRW. In April, customer personal information was leaked due to hacking at a corporate insurance agency (GA), showing that such incidents are not limited to large corporations. According to statistics from the Korea Internet & Security Agency, small and medium-sized enterprises accounted for 94% of ransomware attacks reported last year.
To address these issues, some argue that the revised ordinance by the Personal Information Protection Commission should be reconsidered, and that mandatory insurance subscription should be significantly expanded to include government ministries and public institutions. Kim Hyunjung, a member of the National Assembly’s Political Affairs Committee from the Democratic Party of Korea, stated, “It is anachronistic for government ministries and public institutions to be excluded from mandatory insurance. Given the sharp increase in personal information leaks at public institutions over the past three years, the scope of mandatory subscription in the public sector should be gradually expanded.” The Personal Information Protection Commission is currently reported to be reviewing the amendment.
Along with expanding the scope of mandatory insurance, there are also calls to promote the use of private cyber insurance. However, due to low willingness among companies and insufficient promotion by insurers, subscription rates remain low. According to the General Insurance Association of Korea, as of the end of last year, the number of cyber insurance contracts held by 16 non-life insurance companies stood at 22,599, an increase of only 35 from the previous year. In a 2023 survey by the Ministry of Science and ICT, only 16.1% of domestic companies were aware of cyber insurance, and only 7.4% had actually subscribed.
Assemblywoman Kim said, “Mandatory insurance and private insurance differ greatly in premiums and coverage. The current mandatory insurance has lost its function to provide relief due to poor management, while private insurance is operated mainly for large corporations. For the insurance market to achieve high-quality growth, the function of mandatory insurance must be properly strengthened, and private insurance should play a structural role in encouraging companies to invest voluntarily in security.”
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.


