DEEP RESEARCH · SECURITY REGULATION
Personal Information Protection Act: 10% Revenue Penalty Scenario and Security Market Economics
A report on how a 10% total-revenue penalty scenario could reshape security budgets, cyber insurance, and beneficiary companies.
0. Bottom line first
My conclusion is that if the penalty ceiling moves from 3% of relevant revenue to 10% of total revenue, security becomes a survival cost rather than optional compliance spending. That can create a J-curve for zero trust, data security, consulting, managed security, and cyber insurance.
Official fact: The source cites Coupang's 33.7mn-record breach, about KRW 41tn of 2024 sales, and a theoretical maximum KRW 4.1tn penalty under a 10% total-revenue scenario.
Interpretation: Actual penalties would depend on the final law, mitigation, burden of proof, and litigation. But management teams budget against tail-risk scenarios, so the repricing pressure on security spending is real.
1. Regulatory shock
The source identifies the current regime's weakness as its penalty base: revenue directly related to the violation. If a company argues that the leaked data generated little revenue, the penalty can be reduced. A total-revenue standard removes that argument.
- The source compares GDPR's ceiling of 4% of global revenue.
- Korea's proposed 10% rule would be among the strictest regimes globally.
- Punitive damages can already reach up to three times actual damages, but the source says they have rarely been applied in practice.
- Higher administrative penalties could also raise civil litigation and class-action risk.
2. Security budget reset
Official fact: The source states that 87.9% of Korean companies either spend less than KRW 5mn per year on information security or do not set a budget. For the top 500 companies, security spending averages 0.10-0.13% of sales and 6.0-6.4% of IT budgets.
| Item | Current level | Expected target | Rationale |
|---|---|---|---|
| Security as share of IT budget | 6.0-6.4% | 10.0-15.0% | Meet global standards and avoid gross-negligence claims |
| Security as share of revenue | 0.10-0.13% | 0.50-1.00% | AI security, zero trust, and specialist hiring |
| CISO authority | Often concurrent or working-level | Dedicated executive | Independence and board reporting |
Platforms and e-commerce
The source expects the most aggressive increase because large B2C data pools create the biggest penalty exposure.
Telecom carriers
Recent incidents and a KRW 700bn investment plan are cited; legal change could add zero-trust infrastructure spending.
Financial sector
Already near 9% of IT budgets, but network-separation reform and data-centric security could lift the level to 15-20%.
3. Market size and growth
The source gives 2024 Korean information-security industry revenue, including physical security, at about KRW 18.6tn, with pure cyber security at about KRW 7.1tn. Without legal change, natural growth is estimated at 10-12% annually; under the 10% rule, cyber security growth could accelerate to 18-22% CAGR from 2H 2025.
Interpretation: A 2027 cyber-security market above KRW 12tn would not be just software licenses. Cloud security, AI security, OT security, consulting, managed services, legal advice, and cyber insurance would grow together.
4. Key beneficiaries
| Company | Core solutions | 2024E sales | 2024E operating profit | Position | Point |
|---|---|---|---|---|---|
| Genians | NAC, EDR, ZTNA | KRW 49.4bn | KRW 8.7bn | No. 1 NAC, about 60% | Public-sector ZTNA mandate |
| Fasoo | DRM, DSPM | KRW 51.6bn | KRW 8.2bn | No. 1 DRM | Data-law and AI-security beneficiary |
| AhnLab | V3, EDR, consulting | KRW 260.6bn | KRW 27.7bn | No. 1 comprehensive security | Consulting and OT security |
| SK Shieldus | Converged security, MSS | Private, trillion-won scale | Private | No. 1 converged security | SMB outsourcing |
| SOMANSA | DLP, Privacy-i | Private | Private | No. 1 endpoint DLP | Financial-sector penetration |
- Genians: NAC share of 60-70%, endpoint visibility, ZTNA, and 46% annual EDR growth are the core points.
- Fasoo: DRM encryption and DSPM discovery of sensitive cloud data connect directly to mitigation and compliance logic.
- AhnLab: C-level fear of legal exposure can increase consulting and ISMS-P support demand.
- SK Shieldus: SMEs that cannot build in-house security can use MSS to hedge legal risk.
- SOMANSA and SecuLetter: DLP and CDR are niche but essential compliance technologies.
5. Cyber insurance and risk-management ecosystem
The source treats cyber insurance as the second-order effect. Korea's cyber-insurance market is given at about KRW 270bn, with 38% penetration. If penalty exposure approaches KRW 4tn in a Coupang-like case, companies cannot rely only on internal reserves.
6. Technical terms and comparison data
- NAC identifies devices accessing a network and blocks non-compliant endpoints.
- ZTNA verifies user and device identity on every access request, regardless of whether the request originates inside or outside the corporate network.
- DRM controls and encrypts documents, drawings, and other digital content across their lifecycle.
- DSPM discovers where data sits across cloud and on-premise environments and identifies sensitive information.
- EDR detects, analyzes, and responds to suspicious endpoint behavior.
- CDR removes potentially malicious macros or scripts from documents and reconstructs safe content.
| Metric | Korea today | Global/US | Korea after reform target |
|---|---|---|---|
| Privacy breach penalty | 3% of related revenue | 4% of global revenue under GDPR | 10% of total revenue |
| Security share of IT budget | 6.4% | 13.2% | 10-15% |
| Security share of revenue | 0.13% | 0.5-1.0% | 0.5-1.0% |
| Dedicated security organization | 32.6% for companies with 10+ employees | Over 80% for large companies | Over 60% |
| Cyber-insurance penetration | 38.4% | Over 70% | Over 75% |
7. Conclusion
Companies need to redefine security as an insurance-like investment rather than a cost. The source's three-layer defense is technical controls, management certification, and financial insurance. For investors, I would prioritize vendors with data visibility and control technology, especially those with public-sector and financial-sector references plus global expansion potential.
Sources
- Naver Blog source: https://m.blog.naver.com/PostView.naver?blogId=star_of_self&logNo=224104307464
- Daum report on proposed 10% revenue penalty: https://v.daum.net/v/20251209153947377
- Daum article on limits of penalty-only policy: https://v.daum.net/v/20251209175739096
- Shin & Kim newsletter on Personal Information Protection Act amendment: https://www.shinkim.com/kor/media/newsletter/2039
- MoneyToday article on punitive damages record: https://www.mt.co.kr/tech/2025/12/02/2025120211480220644
- KLRI repository on punitive damages: https://repository.klri.re.kr/bitstream/2017.oak/5419/1/16039k.pdf
- Chosun English report on the three-nothing security crisis: https://www.chosun.com/english/industry-en/2025/12/06/2M4EMMC7MZEOXIO6MDVJXB6F3E/
- Korea Times report on cybersecurity spending at major Korean firms: https://www.koreatimes.co.kr/business/companies/20250709/major-south-korean-firms-spend-01-of-revenue-on-cybersecurity-data
- Asia News Network report on Coupang security gaps: https://asianews.network/how-ex-employee-exposed-33-7-million-users-south-korean-e-commerce-giant-coupangs-security-gaps-explained/
- Korea Times report on underinvestment warning: https://www.koreatimes.co.kr/economy/policy/20251201/financial-watchdog-chief-warns-korean-firms-underinvest-in-cybersecurity-amid-hacks
- SK Telecom 2Q 2025 results: https://www.sktelecom.com/en/press/press_detail.do?idx=1642
- KDI policy material on the information-security industry survey: https://eiec.kdi.re.kr/policy/materialView.do?num=273123
- Genians IR material: https://genians.co.kr/hubfs/00genian/IR/20250103_IRA(e)_GENIANS.pdf?hsLang=ko
- Genians LS report: https://www.genians.co.kr/hubfs/00genian/IR/20250708_LS_Genians.pdf?hsLang=ko
- The Elec article on Fasoo as a beneficiary: https://www.thelec.kr/news/articleView.html?idxno=40616
- Chosunbiz article on Fasoo DSPM award: https://biz.chosun.com/en/en-it/2025/10/29/6PTJLZBTEJEFNJA6ASOWFDZ5YY/
- The IT Plus article on Fasoo AI privacy certification: https://www.theitplus.kr/news/articleView.html?idxno=1235
- AhnLab Threat Landscape and 2026 Outlook: https://www.ahnlab.com/en/contents/content-center/36029
- AhnLab Cybersec 2025 news: https://www.ahnlab.com/en/overseas/company/news/17802
- Chosunbiz article on AhnLab Q4 profit: https://biz.chosun.com/en/en-it/2025/02/11/VZQEWI5OWZCTJLYCXKYJB5JTL4/
- KED Global article on SK Shieldus IPO withdrawal: https://www.kedglobal.com/ipos/newsView/ked202205060009
- KED Global article on EQT investment: https://www.kedglobal.com/mergers-acquisitions/newsView/ked202211020013
- SOMANSA network DLP material: https://www.somansa.com/wp-content/uploads/2025/07/EN-Mail-i-DLP.pdf
- ISEC 2024 exhibitor page: https://www.isecconference.org/2024/eng/exhibitor_view.html?idx=520&page=
- SecuLetter TechWeek Singapore exhibitor page: https://www.singaporetechnologyweek.com/exhibitors/seculetter-co-ltd
- PR Newswire on SecuLetter and BlueZebra partnership: https://www.prnewswire.com/news-releases/seculetter-signs-partnership-with-thailands-mssp-bluezebra-301150773.html
- IMARC South Korea cyber insurance market report: https://www.imarcgroup.com/south-korea-cyber-insurance-market
- Chosun English article on Coupang insurance gap: https://www.chosun.com/english/market-money-en/2025/12/08/KXCKOF2BYJEFHJQJDYZI6MQZSE/
- Ken Research South Korea cyber insurance market report: https://www.kenresearch.com/south-korea-cyber-insurance-market
- KISIA 2024 domestic information-security industry survey report: https://www.kisia.or.kr/bucket/uploads/2024/11/25/%E2%98%852024%EB%85%84%20%EA%B5%AD%EB%82%B4%20%EC%A0%95%EB%B3%B4%EB%B3%B4%ED%98%B8%EC%82%B0%EC%97%85%20%EC%8B%A4%ED%83%9C%EC%A1%B0%EC%82%AC%20%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf
- IANS security budget research: https://www.iansresearch.com/resources/press-releases/detail/new-research-reveals-security-budgets-only-increased-2-points-in-2024--while-12--of-cisos-faced-reductions