1.

Risks Arising from Cyberattacks and Data Breaches

A cyberattack or data breach can significantly damage a company’s reputation and credibility. Affected companies may face simultaneous investigations and sanctions by multiple regulators, such as the Ministry of Science and ICT (MSIT) and the Personal Information Protection Commission (PIPC), as well as inquiries from various other stakeholders, including the Prosecutor’s Office, police, and National Assembly. The company and the management could also face civil actions (e.g., collective-action lawsuits), criminal complaints (e.g., for breaches of fiduciary duty), as well as media scrutiny and consumer backlash following data breach notifications.
 
To effectively manage these risks, companies should conduct regular security assessments to prevent intrusions and establish a robust response system and response protocols in advance. In the event of an intrusion incident, companies should promptly analyze the facts, proactively cooperate with investigative authorities, and closely monitor media and consumer feedback. Timely and effective communication with multiple stakeholders from the outset is essential to minimizing potential legal risks and reputational damage.
 

2.

Immediate Responses upon Awareness of a Cyberattack

In the event of a cyberattack, companies are required to report the incident to the MSIT or the Korea Internet & Security Agency (KISA) within 24 hours, pursuant to Article 48-3, Paragraphs (1) and (4) of the Act on Promotion of Information and Communications Network Utilization and Information Protection and Article 58-2, Paragraph (1) of its Enforcement Decree. In addition, if personal data is compromised, companies must also notify the affected individuals and report to the PIPC or KISA within 72 hours, pursuant to Article 34, Paragraph (1) of the Personal Information Protection Act and Article 39, Paragraph (1) of its Enforcement Decree.
 
Additional reporting obligations may apply to companies in certain regulated sectors. For instance, financial institutions, such as banks, securities firms, and insurance companies, must report to the Financial Services Commission or the Financial Supervisory Service if the personal credit information of 10,000 or more individuals is breached, pursuant to Article 39-4 of the Credit Information Use and Protection Act and Article 34-4 of its Enforcement Decree. The defense industry has reporting obligations under Article 11, Paragraph (1) of the Defense Industry Technology Protection Act and Article 16, Paragraph (1) of the Military Secrets Protection Act. Accordingly, companies must assess and ensure compliance with all applicable sector-specific regulations.
 

3.

Measures to Identify a Cyberattack and Prevent Further Damage

In the event of a cyberattack, companies must quickly identify the affected system, implement measures to prevent further damage, and take emergency measures, such as isolating the affected system, locking administrator accounts, and blocking traffic with firewalls. It is also important to conduct a timely initial assessment of the incident to determine the extent of the damage, analyze the intrusion paths, and identify any malicious activity. Moreover, companies should conduct a thorough incident analysis and preserve relevant evidence to prepare for potential investigations and inquiries by relevant authorities. At the same time, companies will need to carefully craft their messaging to the public, government authorities, and other stakeholders to contain the legal, financial and reputational harm to the company.