[Background]
Recently, as cyber-infringement incidents have increased across all sectors, there is a greater need to strengthen the information security disclosure system. Under this system, the entities subject to it disclose the current status of their information security investments and activities, in order to reinforce the overall national information security foundation.
As a follow-up measure to the Comprehensive Measures for Information Security ('25.10) to strengthen public-private information security capabilities, the government is expanding the scope of entities subject to mandatory disclosure to enhance the effectiveness of the system.
※ (Comprehensive Measures for Information Security) Expansion of mandatory information security disclosure, including status of security personnel and investments.
[Main Points]
o Expansion of the scope of entities subject to mandatory disclosure
All listed companies (KOSPI/KOSDAQ listed corporations), and persons who have obtained or are maintaining Information Security Management System (ISMS) certification.
o Change in the calculation standard for the daily average number of information and communication service users among mandatory subjects
Changed from the current "last 4th quarter of the previous year" to the "annual average of the previous year."
o Deletion of grounds for excluding public, financial, and small enterprises from disclosure obligations
Deletion of the exclusion clauses that previously exempted public institutions, financial companies, and small enterprises that otherwise fell within the legal disclosure criteria.