|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
As a large financial institution, we recognize the critical importance of building and maintaining credibility and trust with our customers. A significant portion of our operations relies on our information technology systems, including customer service, billing, the secure processing, storage and transmission of confidential and other information, as well as the timely monitoring of a large number of complex transactions. As such, we are particularly committed to protecting ourselves from various cybersecurity threats, especially in light of the proliferation of evolving technologies and an increasing use of the Internet that characterize the environment in which we operate.
As part of our overall risk management system and processes, we maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems, fraud, theft, harm to employees or customers, violation of privacy laws, reputational risk and other litigation and legal risk, among others. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including computer security, document encryption, separation of our internal and external networks and an advanced persistent threat response system. In addition, we prevent unauthorized access to our servers and databases by requiring additional authentication such as one-time passwords or biometric authentication. We have installed X-ray inspection equipment and metal detectors at our data centers to control the physical entry and exit of portable storage devices and computer equipment, and require computers to be formatted before they are taken out of our facilities in order to prevent potential information leaks and security incidents.
We also maintain a robust crisis management system, which provides a framework for responding to cybersecurity incidents based on the severity of the incident. In the case of a cyber incident, the department where the incident occurred immediately reports to the head of the Information Security Department with details of the incident, including the time of discovery, a description of the incident and response measures, following which the head of the Information Security Department takes immediate measures to minimize damage and reports such incident to the Chief Information Security Officer (“CISO”). We then follow a strict set of internal reporting procedures to deploy an emergency response team to promptly address the incident and notify all relevant parties of such incident in order to minimize any further damage from the incident. We also carry limited insurance that provides protection against potential losses arising from cybersecurity incidents and regularly review our policy and levels of coverage based on current risks.
In accordance with the Electronic Financial Transactions Act of Korea, all of our subsidiaries that provide electronic financial services undergo an annual evaluation by the Financial Security Institute (or another information security institution recognized by the Korea Internet and Security Agency) that is designed to assess and discover any vulnerabilities in our information technology systems and includes scenario-based hacking simulations and comprehensive penetration tests. The reports of such evaluation are subsequently sent to our chief executive officer, so that any vulnerabilities that were discovered can be properly addressed and managed. In addition, we receive periodic inspections and audits from financial regulators, which include inspections of our information technology and security systems, and engage external legal counsel from time to time to get advice on best practices for cybersecurity oversight. Furthermore, we utilize external professional consultants to conduct annual cyber crisis or security breach exercises and to provide our employees with information security training on a periodic basis.
Many of our major subsidiaries, including Woori Bank, Woori Card and Woori Financial Capital, have obtained the Personal Information and Information Security Management System (“ISMS-P”) certifications of the Korea Internet and Security Agency, which share significant overlaps with the International Organization for Standardization (“ISO”) certifications. These certifications are valid for three years, and we are subject to an annual audit conducted by the issuing agency to maintain such certifications. In addition, Woori Bank has also obtained the ISO 27001, ISO 27701 and ISO 27017 certifications, while Woori Card has obtained the ISO 27001 and Payment Card Industry Data Security Standard, or PCI-DSS, certifications.
We are also committed to overseeing and identifying any risks that may arise through our use of third-party services. When using third-party software, we try to ensure that the entire process from the development to operation of such software is subject to our security policies and systems. Some of the methods we use to minimize our security risk from the use of third-party services include establishing an open-source governance policy, maintaining a management system for security vulnerabilities, mandating the use of software bills of materials and strengthening the security of public cloud systems. From time to time, we enter into outsourcing or partnership agreements with third-party service providers to provide certain services to our customers. In such cases, we ensure that the outsourcing or partnership agreement requires the third-party service provider to maintain strict security standards. We also conduct periodic on-site inspections of such service providers and provide them with periodic security training sessions.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. See “Item 3.D. Risk Factors—Other risks relating to our business—Our operations may be subject to increasing and continually evolving cybersecurity and other technological risks” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Our board of directors’ principal role is one of oversight, recognizing that management is responsible for the day-to-day design, implementation and maintenance of an effective cybersecurity program for protecting against, and mitigating, data privacy and cybersecurity risks. Members of our board of directors stay apprised of the rapidly evolving cyber threat landscape as well as cybersecurity risks specific to us and our subsidiaries, and provide guidance to management as appropriate in order to enhance the effectiveness of our overall cybersecurity program. We also have internal procedures through which the CEO reports significant cybersecurity incidents, including those relating to hacking, information leakage and cybersecurity breach, to our board of directors, depending on the severity of the incident.
The Financial Services Commission announced that it would revise the Electronic Financial Supervision Regulations sometime in 2025 to strengthen the board of directors’ oversight of cybersecurity for financial service providers, including by mandating reports from the CISO to the board of directors about any decisions that can materially affect the stability or credibility of electronic financial transactions. As such, we plan to strengthen our governance structure relating to cybersecurity in accordance with such revised regulations.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
The day-to-day monitoring, assessment and management of material cybersecurity risks is conducted by our management. We and each of our subsidiaries that is subject to the Electronic Financial Transactions Act of Korea operate an Information Security Committee that is headed by the CISO. Such committees have the authority to make decisions on various matters that relate to information security and report such matters to their respective chief executive officer in accordance with relevant internal policies. The Information Security Committee of each company convenes ad hoc meetings whenever relevant issues arise, and provides annual reports to the chief executive officer on matters related to information security, including information on personnel, budget, organization, training and new initiatives relating to information technology. Such committee is also responsible for conducting annual vulnerability assessments on the electronic financial infrastructure of each company and biannual vulnerability assessments of their public-facing websites, and reporting to the chief executive officer about the results of such assessments and any remedial plans.
All of our CISOs, including those of our subsidiaries, meet the qualification requirements for such personnel as set forth in the Electronic Financial Transactions Act of Korea. Our CISOs generally have academic degrees in an information security-related field and work experience in information security-related fields. For example, our CISO has a Bachelor of Science in computer science and a Master of Science in finance information security, as well as over seven years of IT or information security-related work experience.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true