On August 11, 2021, the Ministry of Science and ICT announced a partial amendment (the “Amendment”) to the Enforcement Decree of the Act on the Promotion of Information Security Industry (the “Information Security Industry Act”). 

The Amendment sets forth the scope of, and criteria for, business entities that are subject to the disclosure requirement regarding information security status pursuant to Article 13 of the Information Security Industry Act which is scheduled to take effect on December 9, 2021, and the required disclosure period.  The salient points of the Amendment are briefly summarized as follows: 

Scope and Requirements Regarding the Disclosure Obligation (Article 8 (2) of the Amendment) 

• According to Article 13 (1) of the Information Security Industry Act, a person who provides or mediates to provide information through an information communications network may disclose the information security status (e.g., the status of investment and human resources for information security and certifications regarding information security) to ensure that persons using the Internet do so in a safe manner.  

• Article 13 (2) of the Information Security Industry Act (which is scheduled to take effect on December 9, 2021) stipulates that persons who meet the criteria prescribed by the Presidential Decree, in consideration of the industry, sales revenues and number of service users, may be required to disclose the current status of information security (the “Disclosure Obligation”).  The Amendment specifically sets forth the scope and requirements in respect of the Disclosure Obligation.  

• The Minister of Science and ICT may issue a public announcement designating entities that are exempt from the Disclosure Obligation.  Under the Amendment, the following entities are subject to the Disclosure Obligation: 

1. Facilities-based telecommunications service providers registered in accordance with Article 6 (1) of the Telecommunications Business Act (Article 8 (2) 1 (a));

2. Data center operators under Article 46 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Article 8 (2) 1 (b));

3. Tertiary hospitals under Article 3-4 of the Medical Service Act (Article 8 (2) 1 (c));

4. Providers of cloud computing services (limited to services that provide servers, storage devices, networks, etc.) under Article 2 (3) of the Act on the Development of Cloud Computing and Protection of Its Users (Article 8 (2) 1 (d));

5. Any entity listed on the securities market or KOSDAQ Market with sales of KRW 50 billion or more in the previous year (Article 8 (2) 2); and

6. Any entity that has an average of 100,000 or more users per day during the immediately preceding three months as of the end of the previous year (Article 8 (2) 3).

Introducing a period entities are subject to Disclosure Obligation (Article 8 (5) of the Amendment) 

• The Amendment requires that the entities subject to the Disclosure Obligation satisfy the obligation by entering information security status into the DART (Data Analysis, Retrieval and Transfer System) annually by June 30 of each year. 

The Ministry of Science and ICT is currently gathering opinions from interested parties on the Amendment until September 23, 2021, and subject to any changes thereto, the Amendment will take effect on December 9, 2021, together with the amended Information Security Industry Act (Article 1 of the Addenda). 

The new provision of Article 8 (2) regarding the Disclosure Obligation shall apply from the fiscal year that commences after the enforcement of the said law (Article 2 of the Addenda).