On May 1, 2025, the Ministry of Science and ICT (“MSIT”) released an updated list of companies subject to the Information Protection Disclosure Obligation (the “Obligation”). Companies on this list will be required to submit certain forms by June 30, 2025, as explained below.
Under Article 13(2) of the Act on the Promotion of Information Protection Industry (the “Information Protection Industry Act”), companies meeting specified criteria are required to disclose their information protection investment and staffing status. This includes details such as investment in the information protection sector, personnel allocation for information protection, and certification, evaluation, inspection, and other relevant activities related to information protection.
Accordingly, companies must submit their information protection status through MSIT’s Information Protection Disclosure Comprehensive Portal (available in Korean) by June 30, 2025. Failure to comply with the Obligation may result in an administrative fine of up to KRW 10 million as outlined in Article 41(1)1 of the Information Protection Industry Act.
Starting this year, a new annotation format has been introduced, allowing companies to provide detailed descriptions of information protection matters that cannot be adequately explained through the existing disclosure forms alone. Companies may optionally prepare and submit additional information regarding the following items:
- Information protection strategies and policies: Identification and details of major information protection risks, strategic plans for information protection, policies and implementation systems, etc.
- Information protection organization and structure: Status and governance of information protection-related organization, operation of Chief Information Security Officer (“CISO”) and Chief Privacy Officer (“CPO”), retention of information protection specialists, related regulations and guidelines, etc.
- Information protection infrastructure: Establishment and operation of information protection systems, introduction and operation of protection solutions, security incident response and risk management systems, etc.
- Information protection certification, evaluation and activities: Acquisition of information protection certifications, security control activities, vulnerability inspection activities, employee education and training, and other related events and campaigns, etc.