On March 12, 2026, the National Assembly passed amendments to the Information and Communications Network Act aimed at fundamentally restructuring corporate information security frameworks and strengthening incident response capabilities.
Historically, information security has been treated largely as a technical and operational matter within organizations, with a primary focus on reactive, post-incident reporting. The amendments elevate information security to a core element of corporate governance and management responsibility. The amendments will take effect six months after promulgation (with certain provisions becoming effective after one year), and companies are expected to take proactive steps to prepare for the enhanced regulatory environment.
Key Amendments
Strengthening Internal Controls and Governance
- Elevation of the CISO Role and Board-Level Oversight: Information and communications service providers (excluding certain mid-sized enterprises) are required to designate a Chief Information Security Officer (CISO) at the executive level. The statutory scope of the CISO’s responsibilities has been expanded to include oversight of information security personnel, budgeting, and mandatory reporting to the board of directors.
- Mandatory Establishment of Information Security Committees: Companies meeting certain size thresholds (as prescribed by presidential decree) must establish and operate an Information Security Committee, chaired by the CISO, to deliberate on key security matters.
Enhanced Government Oversight and Certification Framework
- Annual Security Assessments and Public Disclosure: The Ministry of Science and ICT will annually assess compliance with information security obligations and overall security posture of major service providers. Assessment results may be publicly disclosed, and recommendations for corrective action may be issued.
- Differentiated ISMS Certification Requirements: Stricter certification standards and procedures will apply to high-risk entities whose security breaches may pose significant risks to public safety or property.
Incident Response and Investigation Framework
- Expanded Reporting and Notification Obligations: Companies must report security incidents to the relevant authorities within 24 hours of becoming aware of such incidents. A new obligation requires prompt notification to affected users without undue delay.
- Enhanced Investigative Authority and Enforcement: Authorities may investigate not only the causes of incidents but also whether an incident has occurred. Failure to cooperate, including obstruction of investigations or refusal to submit required materials, may result in administrative monetary penalties.
Introduction of Punitive Sanctions and Strengthened Spam Regulations
- Administrative Fines for Repeated Security Incidents: In cases of repeated incidents (two or more within five years) caused by willful misconduct or gross negligence, administrative fines of up to 3% of annual revenue may be imposed.
- Strengthened Regulation of Unlawful Spam: Businesses are required to outsource the transmission of commercial messages only to certified senders. Violations of spam regulations may result in administrative fines of up to 6% of relevant revenue.
Practical Implications and Response Strategies
- Redesign of Information Security Governance Structure: As executive accountability is strengthened, companies should refine their internal decision-making framework by granting the CISO substantive authority over budget and personnel, and by institutionalizing regular reporting to the board of directors.
- Updating Incident Response Manuals: Organizations should revise their “Security Incident Management and Response Manual” to reflect the amended law’s requirements, including reporting within 24 hours and prompt notification to affected users, and should enhance simulation exercises to ensure preparedness for real-world scenarios.
- Compliance Record Management: Since security investments and operational efforts may be considered mitigating factors in the imposition of administrative fines, it is important to systematically document and manage ongoing information security activities.
- Monitoring Subordinate Legislation: As detailed standards for calculating administrative fines and the scope of enhanced ISMS requirements will be determined in forthcoming enforcement decrees and administrative rules, proactive review from the legislative notice stage is essential.
Additional Legislative Proposals and Follow-up Developments
Separate from the passage of the recent amendment, the National Assembly and the government are pursuing further legislative and institutional reforms to enhance the effectiveness of incident response, including the following measures:
- Surcharges for Delayed Reporting (Proposed by Rep. Sohee Kim): A proposal is under discussion to impose additional administrative fines where a security incident is not reported promptly. Under this approach, a surcharge calculated based on the number of days of delay, counted from the date the incident was recognized to the date of reporting, would be added to the base fine.
- Mandatory Notification to Investigative Authorities (Proposed by Rep. Yongman Kim): This proposal would require the Ministry of Science and ICT and the Korea Internet & Security Agency (KISA), upon becoming aware of a security incident, to notify the competent investigative authorities and other relevant administrative agencies without delay.