Comprehensive Inter-Ministerial Information Security Plan Announced
On-Site Investigations Without Company Reports if Hacking is Suspected
Telecommunications Companies to Undergo Unannounced Inspections Simulating Real Hacking
Consideration of Fine-Based Fund for Victim Support
The government will immediately launch a comprehensive security inspection of over 1,600 IT systems used by the vast majority of the public. If signs of hacking are detected, the government will swiftly conduct on-site investigations even without a company’s report, and will strengthen penalties for violations of security obligations, such as delayed hacking notifications.
The mandatory information security disclosure requirement will be expanded to all 2,700 listed companies. The government is also considering establishing a fund so that revenue from fines can be used for personal information protection, including support for victims.
The Ministry of Science and ICT and related ministries announced the “Comprehensive Inter-Ministerial Information Security Plan” on October 22 through a public briefing, aiming to prevent hacking incidents and strengthen the nation’s overall security capabilities.
The key directions of this plan are: comprehensive security inspections of core IT systems; establishing a consumer-centered incident response system; enhancing the effectiveness of measures to prevent recurrence; strengthening information security capabilities across both public and private sectors; fostering the information security industry, workforce, and technologies; and reinforcing a nationwide cyber security cooperation framework.
To alleviate public anxiety about hacking, the government will immediately conduct thorough security vulnerability checks on more than 1,600 IT systems widely used by the public, including those in the public, financial, and telecommunications sectors. The inspection targets include 288 public institution infrastructure facilities, 152 central and local government agencies, 261 financial sector systems, and 949 ISMS-certified companies in telecommunications and platform industries.
In particular, for telecommunications companies, the government will conduct rigorous, unannounced inspections simulating actual hacking methods. A system for identifying and managing key IT assets will also be established. Small base stations (femtocells) that do not meet safety standards will be immediately decommissioned. The security certification systems (ISMS, ISMS-P) will shift to an on-site audit focus, and certifications will be revoked if significant flaws are found, enhancing their effectiveness.
When hacking occurs due to a company’s security negligence, the burden of proof on consumers will be reduced, and user protection manuals will be developed for key sectors such as telecommunications and finance. The government will consider creating a fund to use revenue from fines imposed for personal information leaks to support victims and strengthen personal information protection.
Additionally, if evidence of hacking is found, the government’s investigative authority will be expanded to allow on-site investigations without waiting for a company’s report. Penalties for violations of security obligations (such as delayed hacking reports, failure to implement recurrence prevention measures, and repeated information leaks) will be strengthened through increased fines, the introduction of enforcement and punitive fines, and other measures.
The mandatory information security disclosure requirement will be expanded from the current 666 companies to all 2,700 listed companies. Based on disclosure results, the government will rate and publicly release each company’s security capability level. For small and micro-enterprises lacking their own security capabilities, support will be reinforced by increasing the number of information security support centers from 10 to 16.
The government will foster 30 next-generation security companies each year, including those developing AI agent security platforms, and will establish a system to train about 500 white-hat hackers annually according to industry demand. Seven information security-specialized universities and nine convergence security graduate schools will be developed into regional hubs for cultivating security talent tailored to key growth engine industries in each of the five core and three specialized regions.
Next year, the government will establish security checklists and guidelines for the safe use of new mobility technologies in the public sector, such as autonomous vehicles, intelligent robots, and drones. The designation of key national information and communications infrastructure will be expanded through the Information and Communications Infrastructure Protection Committee, chaired by the Office for Government Policy Coordination.
Deputy Prime Minister Bae Kyunghoon stated at the briefing, “We will closely monitor the implementation process to ensure this comprehensive plan is properly executed in the field and will continuously address any shortcomings. The government will make every effort to establish a robust information security system to support our goal of becoming a global leader in AI.”
This plan was developed with participation from the National Security Office, the Ministry of Science and ICT, the Financial Services Commission, the Personal Information Protection Commission, the National Intelligence Service, and the Ministry of the Interior and Safety.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.




