While information security disclosures will be fully implemented starting in 2027, preparation must begin now. Disclosure is not solely the responsibility of the security team. It is a company-wide task that requires the cooperation of management, the legal team, and the PR/IR team.

Firstly, we need to map our company's security assets. It's necessary to clearly identify what our most critical systems are, where and how customer data is stored, and the potential impact on the company if breached. If you don't know where the vault is or how many entrance doors there are, you can't defend it. The starting point of disclosure is accurately understanding "what we need to protect."

Secondly, security data should be managed like financial data. If the budget is scattered across the finance team, manpower with HR, training with the education team, and incident response with the security team, the narrative changes with each disclosure. In 2026, the task is to create a ‘security ledger (single framework).’ We need to consolidate and regularly update information such as "how many security personnel we have this year, the budget amount, the number of trainings, vulnerability assessment coverage, and response time in case of incidents" in one place. 

Investments in security should be detailed, recorded, and managed. The Ministry of Science and ICT has announced the subdivision of investment activities, asking for clear details on "how and on what" the money was spent, not just "how much was spent." Investments in personnel, equipment, services, and education should be separately managed, and explanations for year-over-year changes should be provided.

Thirdly, disclosure statements should be transformed into ‘evidence-based statements.’ A statement like “we are safe” is risky. Instead, use a flow of activity–standard–evidence–improvement such as “we regularly inspect, take actions based on certain standards, and integrate the results into improvements.” Such a structure not only persuades investors but also responds to regulations.
Now, it's not just about having ‘done security,’ but about documenting ‘how it was done.’ 

Instead of saying "we are doing well in security," leave specific evidence such as "47 vulnerabilities found in Q3; 42 resolved," "conducted 4 penetration tests annually; reports filed," and "security training for employees quarterly; 94% attendance." Disclosure is not packaging but data. 

Fourthly, it is not the sole work of the security team. Disclosure is an official company announcement. A collaborative structure is needed where management decides budgets, the legal team interprets regulations, the PR/IR team drafts disclosure documents, and the IT/security team provides technical data. Just as firefighters aren't the only ones who handle fire responses, security should also be seen as a company-wide task.

Conducting a mock disclosure by 2026 is a realistic method. By drafting a trial run and having finance, legal, IR, and security verify it together, the risk of doing a ‘first-time disclosure’ in 2027 is significantly reduced. This is because disclosure is not an announcement but a ‘verified record.’