Press Releases

Ministry of Science and ICT

Nov 06, 2025

- Established jointly by relevant ministries under the leadership of the Office of National Security; presents urgent improvement tasks for both public and private sectors

- Measures include a thorough IT system inspection, strengthened government investigative authority, and consumer-focused remedies to alleviate public concerns

- New initiatives to reframe security as an investment—not a cost—through an Information Security Grading System and strengthened roles for CEOs and CISOs



On October 22 (Wednesday), the Ministry of Science and ICT (MSIT, Deputy Prime Minister and Minister Bae Kyunghoon), together with relevant ministries, announced the formulation of the "Comprehensive Information Security Measures" to swiftly overcome heightened public anxiety following a series of widespread hacking incidents and to strengthen the nation's overall information security capabilities.

The government recognizes the recent spate of hacking incidents across sectors as a severe crisis and aims to rapidly activate an integrated, government-wide response system.

To this end, the Office of National Security, the MSIT, the Financial Services Commission, the Personal Information Protection Commission, the National Intelligence Service, the Ministry of the Interior and Safety, and other relevant authorities have jointly developed the comprehensive information security measures, encompassing both the public and private sectors. Prioritizing the urgency of the situation, the plan mainly addresses short-term actionable tasks, and a comprehensive "National Cybersecurity Strategy," covering mid- and long-term tasks, will be established within the year.

The key directions of the "Inter-Ministerial Comprehensive Information Security Measures" include:
❶ conducting an extensive security inspection of core IT systems integral to the lives of the public;
❷ establishing a consumer-oriented incident response system and enhancing the effectiveness of recurrence prevention;
❸ strengthening overall public-private information security capacity, fostering an environment aligned with international standards, and nurturing related industries, personnel, and technologies;
❹ reinforcing the nationwide cybersecurity cooperation system.


<1. Thorough Inspection of IT Systems and Establishment of Continuous Vulnerability Detection>

To alleviate widespread public concerns over hacking, a large-scale inspection of over 1,600 IT systems*—including those in public, financial, and telecommunications sectors—will be initiated without delay.
*Targets include 288 public institution infrastructures, 152 central/local government agencies, 261 financial institutions, and 949 companies—including those in the telecommunications and online platform sectors—certified by Korea’s Information Security Management System (ISMS) program.

In the case of telecommunications companies, unannounced audits replicating real-world hacking tactics will be intensified, with key IT assets required to have robust identification and management systems. Additionally, small base stations (femtocells) that fail to meet safety standards will be promptly decommissioned.

The ISMS and ISMS-P certification regimes will pivot to on-site audits, with certifications revoked if critical flaws are detected, and post-certification management strengthened. Regular vulnerability checks, including penetration testing and engagement of white-hat hackers, will also be established.


<2. Building a Consumer-Oriented Incident Response System and Enhancing Recurrence Prevention>

Where hacks result from corporate security lapses, the burden on consumers to prove damages will be reduced. User protection manuals will be developed for key sectors such as telecommunications and finance, and a dedicated fund that would use penalties from personal data breaches for victim support will be considered.

The government’s investigative authority will be expanded to allow rapid on-site investigations even without prior corporate reporting when evidence of hacking is found. Penalties for delayed reporting, failure to implement recurrence-prevention measures, and repeated leakage of personal or credit information will be increased, with the introduction of compulsory fines and punitive surcharges for violations.

The National Intelligence Service’s investigative tools will be made available for shared use with the private sector, and an AI-based digital forensics lab will be established, dramatically reducing analysis time per incident (from 14 days to 5 days). The recruitment and training of specialized incident investigation personnel will be expanded.


<3-1. Stimulating Investment in Information Security and Providing Enhanced Support for SMEs>

The public sector will take the lead in information security, raising security budget* and personnel requirements to a specified threshold compared to overall IT budgets by Q1 2026 and elevating the status of government Chief Security Officers (CSOs). The scoring for cybersecurity in management evaluations of public institutions will be increased (from 0.25 to 0.5 points).
*Currently, regulations recommend information security investments at 15% or more of the total IT budget.

For the private sector, security will be reframed as an essential investment, not a cost. Mandatory information security disclosure will be expanded to include all listed companies (from the current 666 to about 2,700 firms), and a public grading system assessing each company’s information security capabilities, based on disclosure results, will be introduced.

The legal responsibilities of CEOs for security will be explicitly stipulated in law, and the authority of Chief Information Security Officers (CISOs) and Chief Privacy Officers (CPOs) significantly strengthened by granting them full control over all IT assets, establishing direct reporting lines to the board of directors, and expanding their authority over security personnel, budgeting, and execution. SMEs lacking in-house security resources will benefit from the expansion of regional Information Security Support Centers (from 10 to 16 centers).


<3-2. Aligning Systems and Environments with International Standards>

A shift away from isolated, legacy security environments will be accelerated. The current practice of requiring consumers to install security software for accessing public and financial institution services will be gradually phased out, to be replaced by multi-factor authentication—such as a combination of passwords, one-time passwords (OTP), biometric identification, and mobile ID—and AI-based anomaly detection systems.

The comprehensive physical network separation currently in place will be replaced by data-centric security (from 2026), and requirements for public sector entry by private cloud service providers will be eased.

Starting in 2027, a system will be instituted requiring submission of a Software Bill of Materials (SBOM) for public sector IT systems and products. Procurement of IT products with detected vulnerabilities will be restricted. Public disclosure of security assessment results for household and industrial IoT devices will be implemented.


<3-3. Fostering the Security Industry as a National Strategic Industry and Cultivating Cybersecurity Talent and Technology>

To support Korea’s ambition to become a top-three global AI nation, AI agent security platforms and other next-generation security companies (30 annually) will be fostered, and the scope of certified information security services* expanded.
*The designation of certified information security service providers (under the Act on the Promotion of Information Security Industry) is currently limited to security consulting and managed security service providers. The revised scope will encompass new areas such as AI security and software supply chain security.

The talent pipeline for white-hat hackers (over 500 per year) will be revamped to better meet business needs. Specialized academic programs at seven undergraduate and nine graduate security-focused schools will be upgraded and expanded as regional cybersecurity talent hubs aligned with the Five Mega-Regions and the Three Special Self-Governing Provinces framework, each tailored to key growth industries such as smart shipbuilding, future automotive parts, artificial intelligence, and biotechnology.

Preparations for the quantum era will include the development and deployment of quantum-resistant cryptography, as well as security checklists and guidelines for the safe use of emerging mobility technologies (autonomous vehicles, intelligent robots, drones) in the public sector (by 2026).


<4. Reinforcing Nationwide Cybersecurity Cooperation>

Key ICT infrastructures will be increasingly designated through the inter-ministerial Committee for Protection of Information and Communications Infrastructure (chaired by the Minister of the Office for Government Policy Coordination), with the National Cyber Crisis Management Center activated for root-cause analysis of incidents.

Fragmented incident investigation processes across government ministries will be integrated* to minimize on-site confusion, and collaboration between the National Cyber Crisis Management Center (under the NIS) and relevant government ministries will be enhanced for cyber threat prevention and response.
*Includes the introduction of a one-stop reporting system, optimized team deployment, and strengthened information sharing.

Deputy Prime Minister and Minister Bae Kyunghoon stated at the public briefing, “MSIT and relevant ministries will rigorously monitor the execution of these comprehensive measures in the field and continue to make improvements where necessary. The government will spare no effort in building a robust information security system to support Korea’s leadership in AI.”

For further information, please contact the Public Relations Division (Phone: +82-44-202-4034, E-mail: msitmedia@korea.kr) of the Ministry of Science and ICT.


