NextFin News - Seven out of ten South Korean companies that fall victim to cyberattacks choose to remain silent rather than report the incidents to authorities, according to the 2025 Information Protection Survey released on Friday. The data, compiled by the Ministry of Science and ICT and the Information Protection Industry Association, reveals a stark disconnect between the high perceived importance of cybersecurity and the actual willingness of firms to engage with investigative agencies when defenses fail.
The survey, which analyzed 5,500 companies with 10 or more employees throughout 2024, found that while 80.6% of domestic firms acknowledge that information protection is "important," only 31.4% of those experiencing an infringement actually reported the damage. This reporting gap suggests that the vast majority of corporate cybercrime in South Korea remains in the shadows, shielded by fears of reputational damage and social criticism. For many executives, the risk of being branded as "insecure" by the public outweighs the potential benefits of a formal investigation or state-level recovery assistance.
Lim Jung-kyu, a policy officer for the information protection network at the Ministry of Science and ICT, noted that the government intends to strengthen national capabilities to respond to increasingly advanced cyber threats. However, the survey data highlights a structural weakness in the private sector: the "reporting allergy" is compounded by a lack of dedicated resources. Only 54.8% of all surveyed companies actually utilize a specific budget for information protection. Among those that do not, many cited a belief that their business areas were "irrelevant" to cybersecurity or admitted they simply did not know what protective activities were necessary.
The disparity in preparedness is most visible along the fault lines of company size. While 97.8% of large enterprises with 250 or more employees provide regular cybersecurity education, the implementation rate drops significantly among small and medium-sized enterprises (SMEs). This creates a tiered security landscape where smaller firms—often the weakest links in a supply chain—are both more vulnerable and less likely to seek help when a breach occurs. Currently, only 35.3% of companies performing information protection work have a dedicated organization for that purpose.
From a market perspective, this lack of transparency complicates the assessment of systemic risk. When only a third of incidents are reported, the true scale of economic loss from intellectual property theft or ransomware remains an estimate at best. While the Ministry of Science and ICT maintains an optimistic stance on strengthening the "information protection network," the current data suggests that until the perceived cost of reporting—namely the "social criticism" mentioned in the report—is mitigated, the government will continue to operate with a significant blind spot in its national defense strategy.
The public’s anxiety remains high despite corporate reticence. Approximately 72.5% of the general public expressed concern over cyber infringement, and 8.5% of individuals reported having personally experienced a cyberattack. This tension between a worried public and a secretive corporate sector suggests that the next phase of South Korean policy may need to move beyond technical support and toward legal frameworks that incentivize reporting or provide "safe harbor" protections for companies that come forward after a breach.
Explore more exclusive insights at nextfin.ai.
