Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Government authorities such as the KCC, the MSIT and the MIS periodically publish guidelines for each cybersecurity law, which lay out a more detailed explanation of the meaning of each provision. The government has recently even gone as far as publishing guidelines on the development of mobile applications; although such guidelines are not necessarily strictly enforceable, they provide an important reference.

How does the government incentivise organisations to improve their cybersecurity?

In 2014, the MSIT announced that the government will provide tax credits for amounts invested in data privacy-related infrastructure and offer tax relief for amounts invested in research on data privacy. In July 2016, the government also announced that it will focus on the promotion of the data privacy industry through a variety of incentives for relevant players in the industry.

See question 3 regarding the benefits accompanying ISMS and PIMS certificates.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Industry-specific guidelines have been created in some sectors. For example, the Guideline on Comprehensive Countermeasures to Prevent Personal Information Leak Accidents by Banks was published by the Korea Federation of Banks. Another example is the Guideline for the Protection of Personal Information in the Financial Sector, which was jointly published by the MIS, the FSC and the FSS. ISMS and ISMS-P (see question 3) are also good examples.

Are there generally recommended best practices and procedures for responding to breaches?

According to the Network Act, online service providers must immediately report any incidents of intrusion into the network system (intrusion incidents) to the MSIT or the KISA, analyse the underlying cause of such intrusions and take measures to prevent additional damage. Also, if personal information has been breached in connection with such intrusions, the online service provider must immediately notify the affected individuals. In the case of financial companies, the Financial Security Institute, a governmental institution, is responsible for analysing the cause of intrusions and taking measures to respond to such intrusions.

It is advisable to seek professional advice, since an inadequate response to a breach or intrusion may subject an online service provider, or any persons or entities who have breached cybersecurity laws, to criminal penalties. It is therefore common for professional firms (such as law firms, consulting firms and forensic firms) to become involved in the event of a breach.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Companies that are members of the Financial Security Institute may share information on cyberthreats, since the Financial Security Institute provides forecasts and alerts upon the occurrence of any intrusion. Online service providers often share their cyberthreat experiences with the KISA to seek its expertise. However, there is otherwise no special statutory system through which private entities may share information on cyberthreats.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

When introducing new regulations or amending existing ones, the National Assembly or the relevant government organisation provides an opportunity for citizens and various interest groups to submit their opinions or comments on the proposed regulations. The relevant agencies, including the KISA and the Financial Security Institute, also often meet with various industry players to hear about current cybersecurity issues in the market.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Although insurance for cybersecurity breaches is available in Korea, such insurance is not common for various reasons, including the difficulty of accurately assessing the amount of damage in cybersecurity-related incidents. However, as recognition of the importance of cybersecurity continues to grow, it is expected that the market for such insurance will also grow.