
National Assembly Passes Amendments to the Network Act and the Telecommunications Business Act to Strengthen Information Security Management Framework

2026.03.12

On March 12, 2026, the National Assembly passed an amendment to the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), and an amendment to the Telecommunications Business Act (“TBA”). These amendments follow several instances of large-scale cyberattacks and data breach incidents that occurred throughout 2025, and the Korean government’s October 22, 2025 announcement of the Comprehensive Information Security Measures, a government policy that was developed to enhance Korea’s information security infrastructure and establish a rapid response system to cybersecurity incidents.

The main provisions of the amendment to the Network Act include the following.
 

1. Major changes to post-incident response requirements, sanctions and remedies

A new provision now allows administrative sanctions of up to 3% of revenue to be imposed on online service providers (“OSP”) that, intentionally or due to gross negligence, cause two or more security incidents within five years. (Amended Network Act, Article 48(8)).

A new enforcement penalty system now allows penalties of up to 0.03% of the average daily revenue or, if there is no revenue, KRW 2 million, to be imposed per day if the business entity, during an investigation of a security incident, fails to comply with corrective orders, fails to submit documents, submits false documents, obstructs an on-site investigation, or interferes with or otherwise evades the investigation. (Amended Network Act, Article 48(7)).

The deadline and scope for reporting security incidents have been further specified. The amendment now requires the “date, time, current status of responses, etc. to a security incident to be reported within 24 hours from the moment the security incident is discovered.” (Amended Network Act, Article 48-3(1)). The amendment also requires OSPs to notify users, without delay, upon the occurrence of certain security incidents, listed in the Presidential Decree of the Network Act. (Amended Network Act, Article 48-3(4)).
 
The amendment requires OSPs to prepare a security incident management and response manual that is suitable to the scale and nature of their services, and submit this manual to the Ministry of Science and ICT (“MSIT”) and the Korea Internet & Security Agency. The MSIT must, on a periodic and non-periodic basis, review the status of preparation and the implementation of this manual, and may order corrective measures. (Amended Network Act, Article 48(9)). Additionally, OSPs, when a security incident occurs, are required to take measures that are necessary to prevent the spread of damages and quickly provide remedies for damages, and are required to report the details and the results of the measures that have been taken to the MSIT. (Amended Network Act, Article 48(10)).

The MSIT is planning to establish a Security Incident Investigation Deliberation Committee to deliberate on matters regarding security incidents, such as the necessity of an investigation, and the necessity of forming a joint private-public investigation team. (Amended Network Act, Articles 48-2(7), 48-2(8)). Additionally, the MSIT’s responsibilities have been amended. While the MSIT was previously responsible for analyzing “the causes of a security incident”, the MSIT is now responsible for analyzing “whether a security incident has occurred and the causes of the security incident”. (Amended Network Act, Article 48(4)). These provisions provide sufficient legal basis to allow the government to quickly conduct an on-site investigation after discovering evidence that a security incident has occurred, even if the business entity has not yet reported the incident to the government.
 

2. Strengthening of information security governance and internal management framework

Previously, OSPs (other than medium-sized businesses) were permitted to designate any of their employees as the OSP’s Chief Information Security Officer (“CISO”). The amendment now requires OSPs to designate one of their directors or executive-level officers as CISO. In addition, the CISO’s responsibilities now include (1) managing the personnel and allocating the budget necessary for information security and (2) reporting the status of information security and notable matters to the board. (Amended Network Act, Articles 45-3(1), 45-3(4)(1)(e)-(g)).

The amendment requires OSPs to establish and operate an “Information Security Committee”, a committee that will deliberate on matters concerning information security. The CISO is to be designated as the head of the committee. (Amended Network Act, Article 45-4).

Major OSPs and Internet data center operators are obligated to endeavor to hire personnel with sufficient expertise in each area of information security and secure sufficient budget. (Amended Network Act, Article 45(5)).
 

3. Enhancement of government-led management and supervision frameworks, and certification frameworks

The amendment requires the MSIT to conduct annual assessments of business entities regarding the security of information and communication networks, and the reliability of information, including the compliance with obligations under the Network Act. The MSIT may publish the results of the assessments on the MSIT’s website. (Amended Network Act, Article 45(5)). For entities whose information security levels are assessed to be insufficient or in need of improvement, the MSIT can issue recommendations for improvement. Entities who receive the recommendations must submit the results of the measures that are taken to the MSIT.

The amendment defines certain entities that, due to (1) the amount of information they create or process and (2) their social impact, could pose a significant danger to the lives, physical safety, or property of the public if they suffer a security incident. The amendment allows more stringent information security management system certification standards and procedures to be applied to those entities. (Amended Network Act, Article 47-7(2)).

Annual follow-up audits that are conducted to enhance the effectiveness of the information security management system will now include both on-site and document-based inspections. (Amended Network Act, Article 47(8)).
 

The main provisions of the amendment to the TBA include the following:
 

(i) The amendment reassigned the government agency responsible for evaluating user protection as related to security incidents from the Korea Media and Communications Commission to the MSIT (Amended TBA, Article 32(2)).
 

(ii) The amendment requires facilities-based telecommunications service providers and value-added telecommunications service providers that include online service providers to (1) prepare and implement user protection manuals and (2) establish measures for responding to security incidents, including facilitating transfers of membership/plans and handling termination of membership/plans. Furthermore, the amendment created a new legal basis that can be used by the MSIT to mandate user protection measures, including the provision of certain supplementary services, in urgent cases.
 

Overall, the amended Network Act and the amended TBA expand the investigative powers of the government, strengthen the CISO’s roles and responsibilities, establish new legal bases for imposing administrative fines and enforcement penalties, and emphasize the business entities’ roles and responsibilities regarding information security. As the government is expected to introduce additional regulations, business entities may want to conduct a review of their information security management systems and enhance their information security compliance systems.
 
