Report on hacking incidents to be required of companies

Posted September 01, 2011 22:53


All listed and financial companies must report security breaches, as the scope of disclosure on major management issues, which includes M&As, is expanded to cover hacking incidents.

The Knowledge Economy Ministry said Thursday that as early as 2014, companies must disclose, on either a public disclosure site (dart.fss.or.kr) or the homepage of the Korea Exchange (krx.co.kr), whether they have been hacked and how they can cope with such incidents.

They also have to release an annual report on how many security staff they hired and how much budget they allocate for security. If this measure is implemented, consumers will have more choices because they can stop transactions with banks with weak security or Web portal sites that pay little attention to information protection.

The disclosure of hacking incidents was first discussed in measures to boost the information security industry released in December last year by security-related government agencies, but no further discussion followed because of fears of complaints from companies that they cannot afford to spend money on security.

After a series of hacker attacks, however, the ministry apparently believed that it could no longer postpone action and ordered the Korea Internet and Security Agency to draft an information security disclosure system. Accordingly, the agency prepared the report “A Study of the Introduction of a Disclosure System for Information Security.”

The U.S. Securities and Exchange Commission introduced a similar system in June this year after hackers attacked Citigroup and Sony.

“Korea will begin the system in 2014, three years behind the U.S.,” an information protection professor said. “Korea should introduce the disclosure system on security breaches as soon as possible given the recent series of unprecedented security breaches.”

Eom Chan-wang, the director of the ministry's electronics industry division, said, “Mandatory disclosure of hacking incidents will make companies feel more responsible and prepare for measures to protect information,” adding, “We'll try to advance the system as much as possible in cooperation with other agencies such as the Financial Services Commission and the Korea Communications Commission.”

According to research conducted by the Korea Internet and Security Agency in December 2009, only 16 percent of 6,000 companies with more than five employees reported an information security breach to police. Half of the respondents said they did not report it because of their preference to handle a hacking case internally and quietly.