|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks related to disruption of business operations and financial reporting systems and customer information protection, as part of our overall enterprise risk management system and processes. Our enterprise risk management program considers cybersecurity risks alongside other company risks, and our enterprise risk professionals consult with company subject matter experts to gather information necessary to identify cybersecurity risks, and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk. Our cybersecurity risk management practices include development, implementation and improvement of policies and procedures to safeguard our network infrastructure and customer information and ensure availability of critical data and systems.
We understand the importance of protecting our network infrastructure and preserving trust and protecting personal information from cybersecurity threats including distributed denial-of-service (“DDoS”) attacks and advanced persistent threat (“APT”) attacks. To assist us, we have a cybersecurity governance framework in place, which is designed to protect network infrastructure and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Our cybersecurity program consists of controls designed to identify, protect against, detect, respond to and recover from, cybersecurity incidents. The program is built upon a foundation of advanced security technology and overseen by an experienced and trained team of experts with substantial knowledge of cybersecurity best practices.
We actively engage in various activities to protect our network infrastructure from cybersecurity threats and to ensure that our customers can use the Internet safely. We believe we are the first Korean telecommunications company to deploy security measures to all overseas interconnection network sections utilized by us in order to preemptively block abnormal traffic from both domestic and international sources. Our technical measures also include:
When we adopt a new information system or change an existing system, we carry out a security approval process to review technical and administrative protection measures and make improvements if any issues are found. We conduct technical security review during the designing stage of our system development. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. Our platform includes a host of encryption, antivirus, multi-factor authentication, firewall and patch-management technologies designed to protect and maintain the systems and computers across our business. We also conduct mock hackings of our websites and application services. To strengthen customer information protection, we engage in inspection of suppliers and other third parties that possess customer information as well as perform mock drills to prepare against infringement or leakage of personal information. We subscribe to liability insurance to ensure compensation for our customers in the unlikely event of any damage caused by information leakage.
Our cybersecurity team regularly tests our controls through penetration testing, vulnerability scanning and attack simulation. We conduct risk assessments periodically to identify threats and vulnerabilities, and then determine the likelihood and impact for each risk using a qualitative risk assessment methodology. Risks are identified from various sources, including vulnerability scans, penetration tests, vendors risk assessments, product and services audits, internal compliance assessments and threat-hunting operations. We monitor our infrastructure and applications to identify evolving cyber threats, scan for vulnerabilities and mitigate risks.
We also maintain a robust cybersecurity incident response plan, which provides a framework for handling cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the company. Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess the severity of, escalate, contain, investigate and remediate, the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. In order to efficiently respond to company-wide crises, such as large-scale network infrastructure failures and personal information leaks, we regularly update our crisis response action manual and conduct annual mock drills.
We value collaboration with external evaluators, consultants, auditors and other third parties to strengthen and continually improve our cybersecurity risk management processes. In connection with our cybersecurity risk management processes, we engage external consultants from security companies to assist in the design and implementation of our cybersecurity risk assessment and management processes. In particular, they provide the expertise necessary to (i) identify and analyze new cybersecurity threats, (ii) identify and improve vulnerabilities through mock hacking and (iii) analyze and respond to new threats in real time through integrated security control.
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. Our cybersecurity risk management program includes due diligence on service providers’ information security programs. We review our service providers’ cybersecurity practices before we enter into business transactions with them, and we seek to contractually obligate them to operate their environments in accordance with strict cybersecurity standards.
In the past, we have experienced cyber-attacks of varying degrees from time to time, including theft of personal information of our subscribers by third parties that have led to lawsuits and administrative actions against us alleging that the leak was related to our mismanagement of subscribers’ personal information. Although our business, financial condition and results of operations have not been materially affected by such incidents, we cannot provide any assurance that we will not be materially affected in the future by risks from cybersecurity threats. See “Item 3.D. Risk Factors — Cybersecurity breaches may expose us to significant legal and financial exposure, damage to our reputation and a loss of confidence of our customers” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business, financial condition and results of operations.
Governance
Management
The cybersecurity risk management processes described above are managed by the Chief Information Security Officer, who reports to our Chief Executive Officer. Our current Chief Information Security Officer, who has been with KT Corporation since 2004, has served in this role since May 2024. He holds a master’s degree in a field related to information technology and has approximately 30 years of experience in the information security field. Our Chief Information Security Officer is supported by the company at the highest levels and regularly collaborates with information security managers from each division.
Our Chief Information Security Officer heads the Information Security Department under the IT Division and serves as the chairperson of the Information Security Committee, which discusses the latest trends in cybersecurity, risks identified, security measures implemented, coordination of security protocols among various business divisions, and effectiveness of such security protocols. The Information Security Committee annually reviews and approves our cybersecurity risk management processes. In addition, starting in 2022, we have been strengthening our risk detection and response capabilities by consolidating the enterprise risk management of the KT Group through collaborative measures such as implementing a bi-weekly working council with regional headquarters, business divisions and member companies of the KT Group.
Board of Directors
Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the Board of Directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to the Audit Committee of the Board of Directors. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its understanding of these issues. The Audit Committee assists the Board of Directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks, and overseeing responses to security and data incidents.
Our Board of Directors and the Audit Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Chief Information Security Officer, as the chairperson of the Information Security Committee, provides updates to the Compliance Subcommittee operated by the Audit Committee on a periodic basis and, as necessary, to the Board of Directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Chief Information Security Officer also promptly informs and updates the Compliance Subcommittee operated by the Audit Committee about any information security incidents that may pose significant risk to the KT Group. Members of the Board of Directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We actively engage in various activities to protect our network infrastructure from cybersecurity threats and to ensure that our customers can use the Internet safely. We believe we are the first Korean telecommunications company to deploy security measures to all overseas interconnection network sections utilized by us in order to preemptively block abnormal traffic from both domestic and international sources. Our technical measures also include:
We value collaboration with external evaluators, consultants, auditors and other third parties to strengthen and continually improve our cybersecurity risk management processes. In connection with our cybersecurity risk management processes, we engage external consultants from security companies to assist in the design and implementation of our cybersecurity risk assessment and management processes. In particular, they provide the expertise necessary to (i) identify and analyze new cybersecurity threats, (ii) identify and improve vulnerabilities through mock hacking and (iii) analyze and respond to new threats in real time through integrated security control.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
In the past, we have experienced cyber-attacks of varying degrees from time to time, including theft of personal information of our subscribers by third parties that have led to lawsuits and administrative actions against us alleging that the leak was related to our mismanagement of subscribers’ personal information. Although our business, financial condition and results of operations have not been materially affected by such incidents, we cannot provide any assurance that we will not be materially affected in the future by risks from cybersecurity threats. See “Item 3.D. Risk Factors — Cybersecurity breaches may expose us to significant legal and financial exposure, damage to our reputation and a loss of confidence of our customers” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business, financial condition and results of operations.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the Board of Directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to the Audit Committee of the Board of Directors. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its understanding of these issues. The Audit Committee assists the Board of Directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks, and overseeing responses to security and data incidents.
Our Board of Directors and the Audit Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Chief Information Security Officer, as the chairperson of the Information Security Committee, provides updates to the Compliance Subcommittee operated by the Audit Committee on a periodic basis and, as necessary, to the Board of Directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Chief Information Security Officer also promptly informs and updates the Compliance Subcommittee operated by the Audit Committee about any information security incidents that may pose significant risk to the KT Group. Members of the Board of Directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the Board of Directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to the Audit Committee of the Board of Directors. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its understanding of these issues. The Audit Committee assists the Board of Directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks, and overseeing responses to security and data incidents.
Our Board of Directors and the Audit Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Chief Information Security Officer, as the chairperson of the Information Security Committee, provides updates to the Compliance Subcommittee operated by the Audit Committee on a periodic basis and, as necessary, to the Board of Directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Chief Information Security Officer also promptly informs and updates the Compliance Subcommittee operated by the Audit Committee about any information security incidents that may pose significant risk to the KT Group. Members of the Board of Directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board of Directors and the Audit Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Chief Information Security Officer, as the chairperson of the Information Security Committee, provides updates to the Compliance Subcommittee operated by the Audit Committee on a periodic basis and, as necessary, to the Board of Directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Chief Information Security Officer also promptly informs and updates the Compliance Subcommittee operated by the Audit Committee about any information security incidents that may pose significant risk to the KT Group. Members of the Board of Directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. Our cybersecurity risk management program includes due diligence on service providers’ information security programs. We review our service providers’ cybersecurity practices before we enter into business transactions with them, and we seek to contractually obligate them to operate their environments in accordance with strict cybersecurity standards.
In the past, we have experienced cyber-attacks of varying degrees from time to time, including theft of personal information of our subscribers by third parties that have led to lawsuits and administrative actions against us alleging that the leak was related to our mismanagement of subscribers’ personal information. Although our business, financial condition and results of operations have not been materially affected by such incidents, we cannot provide any assurance that we will not be materially affected in the future by risks from cybersecurity threats. See “Item 3.D. Risk Factors — Cybersecurity breaches may expose us to significant legal and financial exposure, damage to our reputation and a loss of confidence of our customers” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business, financial condition and results of operations.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the Board of Directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to the Audit Committee of the Board of Directors. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its understanding of these issues. The Audit Committee assists the Board of Directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks, and overseeing responses to security and data incidents.
Our Board of Directors and the Audit Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Chief Information Security Officer, as the chairperson of the Information Security Committee, provides updates to the Compliance Subcommittee operated by the Audit Committee on a periodic basis and, as necessary, to the Board of Directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Chief Information Security Officer also promptly informs and updates the Compliance Subcommittee operated by the Audit Committee about any information security incidents that may pose significant risk to the KT Group. Members of the Board of Directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
In the past, we have experienced cyber-attacks of varying degrees from time to time, including theft of personal information of our subscribers by third parties that have led to lawsuits and administrative actions against us alleging that the leak was related to our mismanagement of subscribers’ personal information. Although our business, financial condition and results of operations have not been materially affected by such incidents, we cannot provide any assurance that we will not be materially affected in the future by risks from cybersecurity threats. See “Item 3.D. Risk Factors — Cybersecurity breaches may expose us to significant legal and financial exposure, damage to our reputation and a loss of confidence of our customers” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business, financial condition and results of operations.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The cybersecurity risk management processes described above are managed by the Chief Information Security Officer, who reports to our Chief Executive Officer. Our current Chief Information Security Officer, who has been with KT Corporation since 2004, has served in this role since May 2024. He holds a master’s degree in a field related to information technology and has approximately 30 years of experience in the information security field. Our Chief Information Security Officer is supported by the company at the highest levels and regularly collaborates with information security managers from each division.
Our Chief Information Security Officer heads the Information Security Department under the IT Division and serves as the chairperson of the Information Security Committee, which discusses the latest trends in cybersecurity, risks identified, security measures implemented, coordination of security protocols among various business divisions, and effectiveness of such security protocols. The Information Security Committee annually reviews and approves our cybersecurity risk management processes. In addition, starting in 2022, we have been strengthening our risk detection and response capabilities by consolidating the enterprise risk management of the KT Group through collaborative measures such as implementing a bi-weekly working council with regional headquarters, business divisions and member companies of the KT Group.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true