"Security Investment to Be Disclosed If Not Made"...Mandatory Information Security Disclosure Now Applies to 693 Companies

It has become increasingly difficult for companies to manage their information security standards in the dark. With the government expanding the scope of mandatory information security disclosures—including investment in information security, dedicated personnel, and certification status—to 693 companies, corporate responsibility for security has intensified.

On May 8, the Ministry of Science and ICT announced the release of a list of 693 companies designated as “2026 Mandatory Information Security Disclosure Entities” under the information security disclosure system.

View original image

The information security disclosure system, mandated by the “Act on the Promotion of the Information Security Industry,” requires companies to publicly disclose the scale of their investments in information security, the number of dedicated personnel, and the status of their information security activities. Through this system, the public can verify the level of information security maintained by each company.

This year, the number of companies subject to mandatory disclosure increased by 27 compared to last year's 666. By business sector, the list includes 35 facilities-based Internet service providers (ISPs), 11 internet data center (IDC) operators, and 33 tertiary general hospitals. In addition, 526 listed companies with annual sales of at least KRW 300 billion and 28 information and communications service providers with a daily average of over 1 million users in the past three months are included.

Notably, the number of companies subject to disclosure based on sales increased by 13 compared to the previous year, while those based on user numbers rose by 10. The government attributes the expansion of disclosure obligations to the growth of digital services and the increasing size of companies.

Companies subject to disclosure obligations must submit their information security status through the comprehensive information security disclosure portal by June 30. Failure to comply with these disclosure requirements may result in a fine of up to KRW 10 million.

Companies that are not mandated to disclose but voluntarily participate will be eligible for a 30% discount on the certification review fee for the Information Security Management System (ISMS) or Information Security and Personal Information Management System (ISMS-P).

To support companies in fulfilling their disclosure obligations, the Ministry of Science and ICT is conducting hands-on training sessions until May 22. From July, the ministry also plans to implement a verification procedure to assess the reliability and accuracy of the submitted disclosure data.

Hot Picks Today

"Rather Than Endure a 1.5 Million KRW Stipend, I'd Rather Earn 500 Million in the U.S." Top Talent from SNU and KAIST Are Leaving [Scientists Are Disappearing] ①

• "This Strike Must Fail": Criticism Emerges Within Samsung as DS-MX Conflict Surfaces
• Individual Investors Absorb Foreign Sell-Off... Concerns Over Becoming "Cannon Fodder" Emerge
• Experts Shocked by Record Numbers: "Just the Tip of the Iceberg" — The Identity Behind the 90% Dominating Teens [Chuiyakgukga]⑨
• "No Cure Available, Spread Accelerates... Already 105 Dead, American Infected"

Lim Jeonggyu, Director General for Information Security and Network Policy at the Ministry of Science and ICT, stated, “The information security disclosure system is a crucial framework that enhances transparency in companies’ information security standards, allowing the public to verify their current status. We will continue to encourage autonomous investment in information security by companies and strive to raise the overall level of national information security.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.