Sustainability Report Condensed to Just 10 Pages
No Guidance on Information Security Systems or Risk Management
In Contrast to Top Investors Like Samsung Electronics and KT, Which Publish Annual Reports of Around 100 Pages
Coupang, which has been considered one of the top three domestic companies in terms of investment in information security, has been reluctant to disclose detailed information such as specific operational policies or implementation outcomes in this area. While leading companies in the information security sector describe their information security systems in detail and highlight their systems for preventing security breaches in annual sustainability reports, Coupang has focused only on promoting its logistics system and employment performance. This lack of attention and of robust management, relative to its investment in information security, is cited as a convincing reason for the massive customer data breach involving 33.7 million records.
According to information security disclosures from the Korea Internet & Security Agency (KISA) on December 10, Coupang's investment in information security amounted to approximately 89 billion won last year, ranking first among domestic wholesale and retail businesses. Broadening the scope to all industries, it ranks third after Samsung Electronics in the manufacturing sector (347.8 billion won) and KT in the information and communications sector (125 billion won). KISA's data is used to assess how much each company invests in information security.
Coupang's investment in information security has increased every year, from 53.5 billion won in 2021. However, the company remains passive in publicly sharing specific results or information related to these investments. This stands in contrast to Samsung Electronics and KT, which dedicate significant portions of their roughly 100-page sustainability reports to highlighting their ESG (Environmental, Social, and Governance) activities and describing processes for information security and risk management.
According to these companies' sustainability reports, at Samsung Electronics, the head of the personal information protection team serves as the Chief Privacy Officer (CPO), managing and supervising related matters at various levels. The head of the information security center acts as the Chief Information Security Officer (CISO), serving as the security control tower. The company provides 'Personal Information Protection Guidelines for Employees' and 'Guidelines for Outsourcing Personal Information Processing' to help employees strengthen personal information protection in their daily work, and it mandates annual personal information protection training for all employees. In particular, employees who handle personal information as part of their work must complete specialized personal information protection training tailored to their roles every year.
KT has also established the Information Security Strategy Committee (ISSC) to enable swift decision-making on information security matters and to oversee major issues related to the company's information protection. As the importance of protecting information assets has grown, the existing information security division under the Chief Technology Officer (CTO) has been elevated to the Information Security Office, which now reports directly to the Chief Executive Officer (CEO). To enhance employees' security awareness, KT also conducts regular information security training twice a year.
Previously, according to the annual report that Coupang Inc., the parent company of Coupang and a New York Stock Exchange-listed company, submitted to the U.S. Securities and Exchange Commission (SEC) in February this year, Coupang operates an information security team of about 200 people under the CISO, overseeing and identifying security incidents related to access to information by third-party vendors, service providers, and customers. In Korea, however, the company has since 2022 replaced its sustainability report with a roughly ten-page 'Impact Report,' which focuses solely on logistics infrastructure investment, transaction amounts with small businesses, and employment performance.
Kim Seungjoo, a professor at Korea University's Graduate School of Information Security, stated, "For a company's information security sector, the proportion of investment relative to revenue is much more important than the absolute amount." He pointed out, "Considering Coupang's annual revenue exceeded 41 trillion won last year, the investment proportion in information security is only about 0.2%, which is minimal." He added, "Even this amount likely includes personnel costs for operating related staff, and given that the company has hired many highly paid foreign executives as responsible officers, the actual costs are significant. Therefore, it is necessary to examine how much has actually been invested in information security systems and what effects these investments have produced."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.



