![[Reporter’s Notebook] Why Companies Cannot Report Hacking Incidents Even When They Are Victims](https://cphoto.asiae.co.kr/listimglink/1/2025092318125245394_1758618771.jpg)
Prime Minister Kim Minseok recently held an emergency meeting at the Government Complex Seoul, stating, "The government will be able to launch investigations on its own initiative even if companies do not report hacking incidents. We will respond strongly to any violations of security obligations." This declaration demonstrates the government's determination to respond thoroughly in light of growing public anxiety following recent hacking incidents that have severely impacted the telecommunications and financial sectors. The immediate cause for this stance was the discovery that some companies only realized they had been hacked much later or delayed reporting the incidents.
However, there has been discontent at the ground level regarding Prime Minister Kim's remarks. Security professionals argue that the government is overlooking the fundamental reasons why companies are reluctant to report hacking incidents. Security officers say, "Even if we report, all we receive is criticism, not support." They lament that with the inevitable accusations of concealing incidents, fines, and reputational damage, no one would willingly come forward to report such incidents.
There are additional reasons why companies are hesitant to disclose their losses publicly. In South Korea, when a hacking incident occurs, specific details such as the location of compromised servers, the scale of data leaks, and attack methods are immediately made public through the media. This essentially provides a "manual" for attackers. One security executive noted, "In the United States, even after a joint, long-term investigation by security authorities, key information is rarely disclosed externally. In contrast, in South Korea, all the specific details are revealed within days of a hacking incident." He added, "From a company's perspective, this only makes them more reluctant to report."
Companies emphasize that creating an environment where they feel able to report incidents must come first. They unanimously agree that punitive policies alone cannot foster voluntary reporting. Without support measures, protective mechanisms, or positive incentives following a report, companies will inevitably choose to remain silent.
I do not believe Prime Minister Kim made his strong statement solely to punish companies. Rather, it is more of a warning message for companies to take their security obligations more seriously and conduct preemptive checks. The government's role is crucial in encouraging voluntary reporting by companies. A cooperative attitude is needed to ensure that public-private collaboration systems can operate smoothly to resolve such incidents. Only then can a virtuous cycle be created to prevent further damage. The greatest threat in a cyber crisis may not be hackers themselves, but rather an atmosphere of distrust that prevents even reporting.
Immediately after Prime Minister Kim's emergency meeting, the government convened Chief Information Security Officers (CISOs) from various companies. The CISOs expressed their frustration, saying, "We already have far too few staff on our security teams, and now we are being asked to prepare government response documents and materials for National Assembly hearings, which pushes our actual work to the background." Listening to industry opinions, rather than simply criticizing, should be the starting point for preventing hacking incidents.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
