Park Choon-sik, professor in the Department of Cybersecurity at Ajou University [Photo=Aju Business Daily DB]
The pattern following each breach is by now familiar. The National Assembly unleashes a wave of criticism at companies, the government announces sweeping countermeasures or tighter regulations, and the media devotes days of coverage to the incident.
Then time passes. Another breach occurs. And once again, the country finds itself having neither prevented the next incident nor addressed the structural causes behind it. Regulation and reprimands alone cannot keep pace with rapidly advancing, increasingly sophisticated hacking, cybercrime and cyberattacks. A different approach is needed.
First, the way cybersecurity is understood must change. In hacking, cybercrime and personal data breaches, attackers enjoy inherent structural advantages over defenders. Incidents cannot simply be legislated away. The realistic objective is not zero breaches, but minimizing both their likelihood and the damage they cause when they occur.
This is precisely why a government-dependent, passive approach—one in which the National Assembly or ministries prescribe detailed standards and pressure companies to comply—cannot keep up in an AI-driven, fast-evolving cyber environment.
Corporate leaders must shift their mindset. Companies should set their own security standards, build internal countermeasures against cyberattacks and data leaks, and strengthen security continuously and systematically as a core management responsibility. The role of the government and the National Assembly should be to establish and rigorously enforce accountability frameworks that make security failures a genuine threat to corporate survival. At the same time, for blind spots such as small and midsize firms, the state should focus on support: fostering the information security industry, investing in technology development and training cybersecurity professionals. In a rapidly changing threat landscape, these measures may be the most effective policy tools available.
Second, major public institutions must lead by example. It is difficult to argue that the security posture of the government, the National Assembly, the judiciary, constitutional bodies and local governments is stronger than that of private companies. The private sector is subject to increasingly stringent requirements, including mandatory ISMS-P certification, compulsory appointment of chief information security officers, security disclosures and administrative penalties. Yet public institutions—which hold far more sensitive personal data and should be held to a higher standard—face none of these obligations. Neither the government nor the National Assembly, the judiciary or constitutional bodies are required to obtain ISMS-P certification, appoint CISOs or disclose their security practices in a comparable manner.
Finally, the establishment of a dedicated cybersecurity authority—provisionally a Cybersecurity Administration—deserves serious consideration. The era of fragmented and ambiguous governance across multiple ministries has reached its limits. The Personal Information Protection Commission lacks the mandate and capacity to prevent or respond to hacking and large-scale data leaks, while the Ministry of Science and ICT is primarily focused on promoting the AI industry, making sustained, proactive cybersecurity policy difficult. What is urgently needed is a lead agency with clear responsibility for cybersecurity across both public institutions and private companies—covering prevention, real-time response and recovery, development of security technologies and industries, and the cultivation of professional cybersecurity talent. Only by moving beyond reactive regulation and symbolic oversight can South Korea begin to close the gap between the scale of its digital economy and the fragility of the systems that underpin it.
* This article, published by Aju Business Daily, was translated by AI and edited by AJP.
Park Choon-sik, reporter
- Copyright ⓒ [Aju Business Daily ajunews.com] Unauthorized reproduction and redistribution prohibited -
