South Korea's Ministry of Science and ICT held a field meeting on April 9 with the Personal Information Protection Commission and privacy and information security solution companies.

The meeting, chaired by PIPC head Song Kyung-hee (송경희), included 15 companies. It was held to share policy directions so that demand for security investment can lead to growth in domestic industries. Ahead of the meeting, Song and others visited the security monitoring centre of security firm PioLink, the venue for the meeting, to review the status of remote security monitoring across various fields.

At the meeting, officials introduced key provisions and policy directions for a revised Personal Information Protection Act that takes effect on Sept. 11 and a revised Act on Promotion of Information and Communications Network Utilization and Information Protection that takes effect on Oct. 1.

The revised Personal Information Protection Act focuses on introducing punitive penalties and incentives for preventive investment, adding a system to notify the possibility of leaks, strengthening responsibilities of representatives and personal information protection officers, and making ISMS-P certification mandatory for major public and private personal information processors.

The revised network act includes establishing grounds for conducting an investigation before reporting when hacking is suspected, increasing administrative fines for delayed or intentional failure to report, imposing enforcement fines for failing to comply with recommendations to prevent recurrence, introducing penalties for companies with repeated incidents, and strengthening the authority and role of chief information security officers.

Participants agreed that the legal revisions are measures to respond to a rapidly changing digital environment. They also asked for greater predictability for security investment and clearer policies, expanded technical and financial support such as vouchers for small and medium-sized businesses, and measures to ease on-the-ground burdens related to certification and regulatory compliance.

Song said the government is shifting its policy paradigm from focusing on post-incident responses to focusing on prevention, following the promulgation of the revised Personal Information Protection Act. She said it will create conditions for expanding companies' voluntary security investment to form a virtuous-cycle ecosystem between companies and the privacy and information security industry.

Ryu Je-myeong (류제명), second vice minister at the science ministry, said it will continue to communicate closely with the security industry so that institutional improvements can be linked to the growth of South Korea's information security industry and stronger security levels in society.