Security Insights

When Disclosure Becomes a Security Scorecard: Responding to the 2027 Information Security Disclosure Expansion

CEO Kim In-soon

Feb 11, 2026

Recent hacking incidents are no longer confined to IT companies; they are hitting manufacturing, distribution, finance, the public sector, education, and healthcare without exception.
The problem does not end once an incident occurs. It sets off a chain reaction: declining trust (customer loss), suspended business dealings, and damage to share price and reputation.

The government has significantly revised the system so that companies can no longer simply say "We are doing well in security"; they are now required to officially disclose their security activities, such as investment, manpower, inspections, and certification.

On January 9, the Ministry of Science and Technology announced a legislative notice for the [Partial Amendment to the Enforcement Decree of the Act on the Promotion of Information Security Industry], which expands the scope of businesses required to disclose information security practices and changes the criteria for calculating the number of users (Article 8, Paragraph 1). 

We have outlined the key changes based on the main amendments to the Enforcement Decree of the Information Security Industry Act.

What is information security disclosure?

Information security disclosure is when a company transparently reveals its security status to the public.

Like receiving a report card in school, companies must submit reports on how well they manage security. 

This includes whether they have a security officer, how much they invest in security, and what security systems are in place. 

The reason for making this information public is simple: to ensure that companies providing services like shopping malls, games, and social networks are keeping our valuable information safe. It also encourages companies to pay more attention to security. 

In the past, security might have seemed like a 'cost', but now, the moment security is disclosed, a 'trust competition' begins. Disclosure becomes a 'security report card' that investors, customers, and partners can verify, rather than just a regulatory check.

What's the core change?

In the past, only large companies with sales exceeding 300 billion won were required to disclose their information security status. However, now all companies listed on KOSPI or KOSDAQ must disclose, regardless of sales. Whether a small or large company, if it is listed on the stock market, it is applicable. 

Secondly, companies required to obtain Information Security Management System (ISMS) certification are also included. ISMS is a system where companies verify their security level, similar to how restaurants receive hygiene ratings. Companies required to obtain this certification must now disclose their information security status. 

Thirdly, all exception clauses have been removed. Previously, public institutions, financial companies, small businesses, and electronic financial businesses were specially exempted. However, now there are no exceptions. Everyone will be evaluated by the same standards. This is a measure to make the system fairer.

✅ Existing System

  • Target criteria focus on 'sales (listed company) + number of users + specific industry'
  • Public/financial/small businesses are exceptions

✅ Amendment (scheduled to be implemented in 2027)

  • For listed companies, the 'sales criterion' is removed → expanded to 'all listed companies'
  • New inclusion of ISMS 'mandatory certification enterprises'
  • Exception regulations for public/financial/small businesses are deleted (= included if conditions are met)

What's changing?

Why are these changes being made? The reason the government is implementing such significant changes is clear. Recent analysis of hacking incidents showed they were happening regardless of company size or industry. The incidents from 2025 revealed that there were quite a few cases even in small and mid-sized companies. 

When a hacking incident occurs, the damage is beyond imagination. The company might have to halt operations, and there could be a massive financial loss. Most importantly, the company's trust may decline, causing a stock price slump or customer departure. Therefore, the government redesigned the system with objectively verifiable criteria such as listing status, number of users, and ISMS certification. 

| Category | Current (Existing) | Revised Plan (Effective 2027) | Changes |
| --- | --- | --- | --- |
| Business Field (Target Industry) | Basic Telecommunications Operators, IDC Operators, General Hospitals, Cloud Service Providers | Maintained: Basic Telecommunications Operators, IDC Operators, General Hospitals, Cloud Service Providers | Industry axis remains unchanged |
| Listing Criteria (Revenue) | Listed corporations on the Stock Exchange and KOSDAQ with revenue over 300 billion won must designate and report a Chief Information Security Officer | All listed corporations (revenue criteria removed) | Expanded from only large corporations to all listed corporations |
| User Count Criteria | Telecommunication services with an average daily user count of over 1 million (for the last 3 months of the previous year) | User count over 1 million (annual average) | Calculation method changed (previous last 4 quarters → annual average) |
| New Inclusion Criteria | None (Photo Criteria) | Companies obligated to have ISMS certification (e.g., universities, general hospitals, companies with over 10 billion won in revenue, etc.) | ISMS obligation linked to disclosure obligation |
| Exemption (Exclusion) Criteria | Public institutions/financial companies/small enterprises/electronic financial businesses, etc. could be excluded | Exemption criteria removed (includes public/financial/small enterprises) | Exemptions removed → included if conditions met |

"Does it apply to our company too?" 10-second checklist

If any of the following criteria are met, there is a high possibility of being subject to disclosure obligations starting from 2027.

  1. Are you a 'listed company' on KOSPI/KOSDAQ?
     The amendment targets all listed companies regardless of sales.

  2. Do you have more than 1 million users?
     The amendment changes the calculation basis to 'annual average'.

  3. Are you a company with ISMS 'certification obligations'?
     Newly included in the amendment (examples include universities, general hospitals, and companies with sales over 10 billion won).

  4. Did you assume "we are an exception" because you are a public institution, financial company, or small business?
     Exception rules are removed in the amendment (included once the conditions are met).

Most frequently asked questions by businesses

Q1. Is investment in security/hiring mandatory?

The recent amendment does not force companies to 'buy new equipment or hire staff'; it is a disclosure system that requires companies and institutions to disclose the current status of their information security investments and activities. However, companies whose security investment and standards have been lacking may find they need to purchase solutions and hire personnel.

Q2. What additional burdens will companies face?

The administrative and management burden for information security disclosure will increase. Tasks include collecting relevant internal information security governance data, organizing disclosure items, and inputting/submitting them to the system.  

Q3. Are there any benefits for companies?

Companies can enhance their external trust regarding their information security level and improve their corporate image with investors/business partners. It also serves as an opportunity to inspect/maintain their internal information protection management system. Disclosure is regulation, but it can also become 'official documentation' that builds corporate trust.

Q4. When does it come into effect?

It is expected to be implemented from 2027 after the revision process of the enforcement ordinance is completed. Detailed disclosure schedules and preparation methods will be guided separately. 

Q5. Where and how do we disclose?

The information security disclosure is submitted in accordance with the specified format on the 'Information Security Disclosure Comprehensive Portal (isds.kisa.or.kr)', covering aspects like investment/personnel/certification/evaluation/inspection/activity etc.
This system is not the general corporate disclosure (DART), but is submitted to the Information Security Disclosure Comprehensive Portal by June 30th each year.

Q6. What happens if we don't disclose?

If disclosure is not made, a fine must be paid. The first violation incurs a fine of 3 million won, the second 6 million won, and from the third onwards up to 10 million won. This is stipulated in Article 41 of the 'Act on the Promotion of Information Security Industry.' However, considering the degree or reason for the violation, the fine can be reduced by up to half, or conversely, increased. But it cannot exceed the legal maximum of 10 million won. The fine is imposed by the Minister of Science and ICT.

Q7. Are there any support measures related to information security disclosure?

The government has announced that it will provide guidelines, training, and consulting support for small and medium-sized enterprises that have no experience in disclosure. 

First, guidelines will be distributed to explain in detail how to prepare the disclosure. A consulting service will also be offered to review the disclosure in advance, and tailored training programs for practitioners will be run. For companies doing disclosure for the first time, it might be overwhelming to know where to start, but through these trainings, they can gain practical experience.

Implications and Responses: Transforming Mandatory Disclosures into 'Trust Competitiveness'

The key takeaway from the upcoming expansion of disclosure obligations is that information security has shifted from being an 'internal operational issue' to a 'trust indicator' externally. As it expands to all listed companies and includes those obligated under ISMS while removing exceptions for public, financial, and small enterprises, security will no longer be 'internal effort only' but publicly available information that investors, customers, and partners can objectively compare. 

Companies should not merely rush to fill out documents to meet the June 30th annual deadline. Disclosure ultimately acts as a window revealing the maturity of internal security operations, so with thorough preparation, it goes beyond regulatory compliance and extends to securing client trust, improving investor communication, and enhancing brand competitiveness.

In other words, moving forward, the criterion for assessing corporate value will focus on 'how systematically it is managed' rather than the claim of having no incidents. Regular vulnerability assessments, risk management processes, education and training, and incident response systems as part of ongoing operational activities become convincing points in disclosures.

The expansion of information security disclosure obligations, starting in 2027, is a significant change aimed at elevating the security level of our country. While it may initially feel overwhelming, in the long run, it will help improve a company's competitiveness and gain customer trust. 

Although 2027 might seem far off, organizing security systems and preparing disclosure materials takes more time than expected. Companies should begin by reviewing their current security status, improving deficiencies, and educating personnel.



CEO Kim In-soon

Start-up College Adjunct Professor at Gachon University

Former desk member of the Electronic Newspaper ICT Convergence Department, active as a cyber security journalist and communication expert for 20 years.

Copyright © 2025. ENKI WhiteHat Co., Ltd. All rights reserved.