
Vice Prime Minister and Science and ICT Minister Bae Kyung-hoon, second from right, speaks during a media briefing to introduce cross-ministerial cybersecurity initiatives at Government Complex Seoul, Wednesday. Yonhap
The Korean government plans to expand its authority over cybersecurity investigations, enabling faster on-site inspections without requiring prior reports from companies in suspected data breach cases. It will also impose tougher penalties for delayed breach reporting and security negligence.
The Office of National Security, along with related agencies including the Ministry of Science and ICT, the Personal Information Protection Commission, the National Intelligence Service and the Financial Services Commission, rolled out a set of sweeping cross-ministerial cybersecurity plans on Wednesday aimed at countering a surge in cybersecurity incidents nationwide and restoring public trust in digital security.
The comprehensive initiative also includes conducting intensive security inspections on more than 1,600 major information technology systems across government, financial and telecommunications platforms.
“The government will strengthen its legal authority to conduct immediate on-site investigations even without company reports when evidence of cyberattacks is found and will impose heavy punitive fines on firms that experience repeated cybersecurity incidents,” ICT Minister Bae Kyung-hoon said during a media briefing to introduce the new initiatives at Seoul Government Complex, Wednesday.
Under the initiative, the government will carry out random penetration tests on telecom providers through simulated real-world cyberattacks, while taking stricter measures such as immediately removing small cell base stations found to be unstable and revoking firms’ security certifications when serious flaws are found.
The government will set up consumer-focused relief protocols to ease burdens for victims of cyberattacks in major industries, such as telecom and financial services. It is also considering a compensation fund that would use fines from data breaches to directly support affected consumers, while introducing higher fines and sanctions for failing to put preventive measures in place and to prevent repeated data leaks.
“For issues involving personal or financial data, current regulations allow fines up to 3 percent of a company’s total revenue. So the government is studying international practices, such as the U.K.’s fines reaching up to 10 percent, and will determine the appropriate level and scope for punitive penalties through policy research and review of global standards,” the ICT minister said.
Public institutions will be required to allocate larger budgets for cybersecurity, while listed companies will need to disclose their security investment levels. To boost accountability, CEOs’ responsibility for cybersecurity will be legally reinforced, while chief information security officers will be granted stronger authority in corporate governance.
The government will phase out fragmented security measures, such as requiring consumers to install specific security software, and instead promote multi-factor authentication and artificial intelligence (AI)-based anomaly detection to align with global standards.
The government plans to replace outdated and one-size-fits-all technical rules with smarter safeguards focused on protecting sensitive data. It will make it easier for private cloud service providers to work with the public sector, and will require suppliers of government IT systems to provide, by 2027, a detailed list of all software components used, ensuring that only secure, trustworthy products are used for public projects.