
Cloud Services to Be Designated as Critical Information Infrastructure (CII)

2019.11.28

On September 3, 2019, the Ministry of Science and ICT (“MSIT”), National Intelligence Service, Ministry of National Defense and six other government agencies jointly announced the National Cybersecurity Basic Plan (the “Basic Plan”) to strengthen national cybersecurity. One of the key tasks included in the Basic Plan is designating certain cloud service infrastructure (e.g., internet data centers) that requires protection from electronic intrusions as Critical Information Infrastructure (“CII”) in accordance with the Act on the Protection of Information and Communications Infrastructure (the “Act”).

Background

An investigation team administered by the MSIT and the Korea Association for ICT Promotion (“KAIT”) is currently conducting written and on-site audits of major cloud service providers in connection with the designation of cloud service data centers as CII.  It is expected that the MSIT will select candidate companies to be designated as CII within this calendar year based on the result of the audit. 

Details

CII refers to information and communications infrastructure specially designated by the government under the Act as requiring certain prescribed safeguards in order to better protect national cybersecurity.  Candidates for designation as CII are set forth by the heads of competent central government agencies and approved by the Information and Communications Infrastructure Protection Commission (the “Commission”) under the Prime Minister’s Secretariat.

Service providers whose cloud service infrastructure is designated as CII by the Commission have the following duties under the Act: 

  • duty to (i) establish a protection plan (including physical and technical measures) to safely protect the CII and the information it manages; and (ii) submit the protection plan to the competent government agency;
  • duty to designate a chief privacy officer (“CPO”) who is responsible for the protection of the CII; 
  • duty to perform vulnerability tests and evaluations on a regular basis;
  • duty to comply with protective measures imposed by the competent government agency; and
  • duty to notify the relevant regulatory authorities, investigation office, or the Korea Internet & Security Agency of any incidents that impacted the integrity of its critical information and communications infrastructure and to promptly take remedial measures. 


Implication

Violations of orders by a competent government agency to take protective measures following a review of the protection plan or its enforcement status are punishable by an administrative fine of up to KRW 10 million. Cloud service providers whose cloud service infrastructure may be designated as CII should closely monitor the regulatory developments. 
