[Inside Chodong]Hacking Crises Show Why Security Incentives Are Needed

"Once you become a target, you will be breached. How many small and medium-sized enterprises can really be confident about their security?"

The head of a small and medium-sized enterprise whom this reporter recently met sighed as he spoke about the series of hacking incidents that erupted last year. He said that, seeing how even large corporations with huge sales such as telecom operators, platforms, and credit card companies are being breached one after another by hackers, their situation "does not feel like someone else's problem." He added that many companies can only heave a sigh of relief that they have not yet become targets of hacking.

If there is one thing that has changed due to last year's successive hacking incidents at companies such as SK Telecom, KT, and Coupang, it is that domestic companies have been signing up for cyber insurance at a much higher rate. According to data obtained by The Asia Business Daily on February 26 through the office of Assemblywoman Lee Haemin of the National Assembly's Science, ICT, Broadcasting and Communications Committee, the number of cyber insurance contracts, which had long stayed in the 5,000 range, surged noticeably to 7,683 as of the end of last year. When SK Telecom was hit with a personal information leak and the Personal Information Protection Commission imposed a record-high fine of 134.8 billion won, companies' sense of alarm also grew.

Companies that fall victim to hacking face enormous social costs, including public criticism, service disruptions, loss of trust due to personal information leaks, and legal liability. In particular, as the recent amendment to the Personal Information Protection Act introduced a new provision allowing fines of up to 10% of total sales, it is believed that companies have begun to take out cyber insurance policies that they had previously shunned.

However, for micro and small enterprises, taking out cyber insurance still appears to be a heavy burden. Even though hacking incidents keep occurring one after another, the actual compensation that companies must pay to victims when an incident does occur is not that large, so many small and micro enterprises are reluctant to spend substantial amounts on cyber insurance.

The situation is not very different for large corporations. The Personal Information Protection Act makes it mandatory for companies with sales of 1 billion won or more that manage information on at least 10,000 individuals to carry liability insurance, but because the maximum amount that can be legally mandated is only 1 billion won, some even say it is merely a box-ticking exercise. In the case of Coupang, which suffered a large-scale personal information leak last year, it had liability insurance, but the amount of coverage was only around 1 billion won, which sparked controversy.

To prevent hacking incidents from repeating like a squirrel running in a wheel, carrots are just as essential as sticks. In reality, for small and mid-sized companies that suffer from a lack of funds and manpower, security is easily pushed down the priority list. The government needs to provide support measures that offer incentives so that these companies recognize the importance of information security and voluntarily invest in it. A bill on information security tax credits, which would reduce income tax or corporate tax when companies invest in information security systems and equipment, purchase insurance, or hire information security professionals, has been introduced, but it has yet to pass the National Assembly.

What happens "after" a hacking incident is even more important. It is essential to determine the fault of the company involved and impose appropriate responsibility, but if the response ends there, companies will still be inclined to conceal or downplay incidents in order to evade responsibility. Measures that foster an environment in which companies feel the need for information security and take proactive steps can be an effective way to fundamentally strengthen security capabilities across the private sector.

With the rapid development of generative AI such as ChatGPT, security threats are becoming more advanced and sophisticated. This year, many expect to see a rise in attacks that exploit vulnerabilities in cloud environments, phishing based on deepfake voice and video, and attacks targeting AI services themselves. While establishing systems to prevent and respond to increasingly intelligent cyber threats, the government must also devise ways to structurally enhance private-sector security capabilities by providing incentives to companies that invest in information security.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.