Information Security

SK Square promotes the establishment and dissemination of information security principles, the operation of an information security organization, and information security training in order to protect the company’s information as well as that of customers.

Information Security Policy

SK Square has established and shared the Information Security Regulations to protect the business and customer information collected during the business process. The Information Security Regulations apply to all employees and include the principles for internal information management and cyber security compliance, and stipulate information security management system operating standards for systematic management of information assets.

Information Security Regulations

  • Information security management system operating standards for systematic management of information assets, etc.

ISO27001
(Information Security Management System Certification)


Status of Information Security Policy Establishment for Major Subsidiaries

Proportion of subsidiaries with established information security policies (Unit: %)
  • 2024: 100 1)

1) Seven major consolidated subsidiaries as the basis for assessment (11STREET, ONE store, SK planet, Dreamus Company, TMAP Mobility, FSK L&S, Incross)

Information Security Organization

SK Square has appointed an executive-level Chief Information Security Officer (CISO), who oversees and manages duties related to the company's information security, including the establishment of information security policy, management of the dedicated information security organization and operation of the Information Security Committee, information security vulnerability assessments, risk evaluations and preventive measures, continuous monitoring of security threats, and response to security incidents and recovery.

  • CEO
  • Information Security Committee: Head of Information Security (executive), Head of HR (executive), Head of Legal Affairs (executive), Head of Ethical Management, Information Security/IT Managers
  • Information Security (dedicated organization): CISO (executive)
  • IT Manager (PL)
  • Information Security Manager (PL)
  • Physical Security Manager (PL)

Key Roles

  • Information Security Committee: Discuss and approve information security policies, review risk assessment results, and authorize security investments
  • Chief Information Security Officer (CISO): Oversee vulnerability assessments and risk evaluations, manage security audits, and oversee response to security incidents and recovery
  • Dedicated organization (IT, Information Security, Physical Security): Continuous monitoring and threat detection, vulnerability analysis, security awareness training, and response to security incidents

Information Security Incident Response System

SK Square has built and operates a robust information security risk management system to protect information from external threats and prevent internal data leaks. To proactively respond to the rapidly changing security threat landscape, SK Square has implemented multi-layered security solutions, including endpoint security, monitoring security, network security, data security, and system security, supported by a 24/7 real-time monitoring system. To systematically prevent and respond to information security incidents, SK Square utilizes various solutions to detect and address threats at an early stage. Through a phased response system, the company has established swift and efficient processes for incident recognition and response. In the event of an incident, the Information Security Department assesses the impact and severity level of the incident and establishes response plans based on its severity to take prompt action. By operating this comprehensive information security risk management system, SK Square ensures the safe protection of critical information assets for both customers and the company while contributing to the establishment of a sustainable business environment.

Phased Information Security Incident Response System

Stage: Prevention
Threat detection
  • 24/7 real-time monitoring system operation
  • Operation of multi-layered security solutions (endpoint, network, data security, etc.)
  • Regular vulnerability scans and assessments
Prevention measures
  • Dissemination of security policies and guidelines
  • Regular training and education for employees

Stage: Incident response
Incident recognition
  • Monitoring and checking security events and alerts
  • Immediate reporting of incidents to relevant departments and officer
Incident response
  • Isolation of affected systems and implementation of measures to prevent further damage
  • Identification of the cause and scope of impact of the incident
  • Development and execution of response plans based on severity levels
Follow-up management
  • Preparation of incident analysis reports and reporting to management
  • Establishment and implementation of recurrence prevention measures
  • Improvement of security systems and policies

Status of Information Leakage Damage

Number of data leaks or breaches (Unit: Case)
  • 2022: 0
  • 2023: 0
  • 2024: 0

Roadmap for Improving Information Security Incident Response System

  • 2023~2024: Stabilize information security system; Establish information security system; Obtain information security certification
  • 2025~2026: Improve information security system; Raising Employees’ Information Security Awareness; Continuing to achieve zero information leakage incidents
  • 2027~: Secure a global-level information security management system

Information Security Management System

SK Square places information security as a core priority across its business operations and continues to enhance corporate trust by strengthening data protection for customers and other key stakeholders. The company has adopted a framework based on the Information Security Management System (ISMS) and has obtained ISO 27001 certification, the international standard for information security. The certification scope encompasses the entirety of SK Square's core business activities, including investment operations and portfolio management, achieving 100% certification revenue coverage. Furthermore, security compliance is evaluated through annual post-certification audits and triennial renewal audits, based on 14 key management areas and 144 detailed control items. Through this process, SK Square maintains an operational framework that meets global security standards. SK Square also recommends that its major portfolio companies obtain information security management system certifications. Currently, portfolio companies representing more than 87.5% of consolidated revenue hold either ISO 27001 or ISMS-P certifications. Additionally, the company undergoes annual group-level security assessments organized by the SUPEX Council. In 2024, SK Square received a "Satisfactory" rating in the security management evaluation.

SK Square Information Security Management System Certification

SK Square
  • Certification Type: ISO 27001
  • Certification Scope: Information security and management systems related to investment activities and portfolio management
  • Certification Scope (Coverage): 100%

Subsidiaries Information Security Management System Certification

Certification Type 1) and Certification Scope, by subsidiary:
  • 11STREET: ISO 27001 (11STREET Service Operations); ISMS-P
  • ONE store: ISMS-P (App Market Service Operations)
  • SKPlanet: ISMS (External Services such as T Coloring and T Academy); ISMS-P (Ok Cashbag, Syrup)
  • Dreamus Company: ISMS-P (FLO and iRIVER Service Operations)
  • T map Mobility: ISMS (Chauffeur Services, Payment Services, Public Transportation, etc.); ISMS-P (Full Service Operations of TMAP Mobility)
  • Incross: ISMS (Online Advertising Service Operations (Dawin, j-cast, cm))

Certification Scope (Coverage) 2): 87.5% (on a consolidated revenue basis)

1) ISMS-P is a certification system in which the Korea Internet & Security Agency proves that a series of measures and activities related to information security and privacy protection comply with certification standards, including ISO 27001 certification items

2) Excluding FSK L&S, which provides logistics BPO services

External independent audit

SK Square conducts regular external independent audits of its information security policies and overall cybersecurity to ensure systematic management of information protection and security. As part of the ISO 27001 certification renewal process for its Information Security Management System, external professional organizations review the adequacy of the company's information security policies and management systems. In addition, the company regularly conducts vulnerability analysis and assessments in collaboration with external experts to proactively respond to security threats. SK Square will continue to advance its information protection and security management systems through close collaboration with external experts.

Information Security Management System (ISMS)
  • Expert verification: Verification of the adequacy of management systems including information security policies through the ISO 27001 certification renewal process
  • Verification frequency: Annually
  • Verification & Audit Coverage: 100% (including major business activities such as investment operations)
Cybersecurity
  • Expert verification: Verification of information security level through vulnerability analysis and assessment processes in collaboration with external experts
  • Verification frequency: Annually
  • Verification & Audit Coverage: 100% (including major business activities such as investment operations)

Information Security Monitoring

SK Square carries out information security monitoring activities to check compliance with the information security policy and processes and whether information security activities are implemented.

Information Security Monitoring Activities

[Diagnosis & Audits]
Diagnosing security policy and process implementation (annually)
Security diagnosis for information system (annually)
Audits of information security policies and systems by the group audit organization (annually)
[Training & inspection]
Breach response training such as DDOS simulation training (annually)
Detection of events such as malicious mail and malicious code inflow (as needed)
Mail security, file import / export, print security check (monthly)
PC security check (as needed)

Status of Information Security Incident Response Training and Monitoring

Company’s own information security training sessions (Unit: Session)
  • 2022: 1
  • 2023: 1
  • 2024: 1
Company’s own information security monitoring / checks: number of detected events (Unit: Event)
  • 2022: 752
  • 2023: 585
  • 2024: 4,275*
Company’s own information security monitoring / checks: number of actions taken for issues (Unit: Action)
  • 2022: 7
  • 2023: 9
  • 2024: 11

* The number of detected events increased due to the expanded scope of monitored solutions compared to 2022 and 2023.

Personal Information Management

The nature of the company's business does not necessitate directly collecting personal information from customers. If necessary, SK Square manages the information in an organized manner based on its privacy policy and detailed guidelines. When collecting personal information, relevant individuals are clearly informed of the purpose and asked to provide their consent. The collected personal information is destroyed once the purpose has been achieved to minimize the risk of unnecessary retention. The SK Square privacy policy can be found at the bottom of the company's website (www.sksquare.com). In addition, we conduct security assessments, which also cover aspects associated with personal information protection, of our subsidiaries to proactively identify and respond to privacy risks.

Personal Information Management System

Collection and Use of Personal Information
  • Specification of collected items, purposes, processing methods, and retention periods (Privacy Policy Article 1, Paragraph 1)
  • Restriction on use beyond purposes
  • Consent requirement for changes in purposes of use (Personal Information Protection Act Article 18)
  • Compliance with legally stipulated or consented retention periods
  • Legal guardian consent requirement for children under the age of 14
Management of Personal Information
(Deletion, Correction, Supplementation, Change Requests, etc.)
  • Guarantee of right to request access to personal information (Privacy Policy Article 9, Paragraph 3)
  • Guarantee of data subject’s right to self-determination (Privacy Policy Article 10, Paragraph 2)
Access Control for Personal Information
  • Management of work-related information via virtual desktops with access control for non-employees
  • Restriction of data access via document passwords and server access controls
Mechanism for Raising Concerns Related to Personal Information
  • Operation of inquiry channels for personal information protection-related issues, complaints, and remedies through the personal information protection officer and relevant departments
  • Specification of the personal information protection officer and contact information, including phone number and e-mail (Privacy Policy Article 9, Paragraph 1)
Provision of Personal Information to Third Parties
  • Prohibition on provision of personal information to third parties without the data subject’s opt-in or legal basis (Privacy Policy Article 2, Paragraph 1)
Deletion of Personal Information
  • Specification of a two-year retention period in Privacy Policy Article 1, Paragraph 1
  • Specification of deletion procedures and methods for personal information after retention period expiration (Privacy Policy Article 4, Paragraphs 1 and 3)

Security Diagnosis for Subsidiaries

SK Square conducts personal information security and IT security reviews annually to ensure strict security preparedness in its subsidiaries and manage security risks. This process allows us to identify vulnerabilities, recommend improvements, and monitor progress. In 2023, we tightened the criteria for these diagnoses in line with recent legal amendments and conducted security assessments for eight subsidiaries: 11STREET, ONE store, Dreamus, SK planet, TMAP Mobility, incross, Content Wavve, and FSK L&S. Starting in 2024, we will implement in-depth diagnostics to examine the security management systems at the group level.

Awareness Improvement

SK Square regularly provides information security and personal data protection training to all permanent employees and contract workers at least once a year. Training is tailored by job function and work environment to help employees strengthen their practical security capabilities. To enhance the effectiveness of the training, SK Square continuously improves its training programs by incorporating feedback from participants, and the company conducted intensive training for approximately three weeks from April to May 2025. In addition, all permanent employees and contract workers are required to sign an annual information security pledge to strengthen accountability and encourage compliance with security regulations. Recently, the company has also begun requiring business partners who handle information security-related tasks to complete information security training, with regular monitoring of compliance. Going forward, SK Square will continue to strengthen security awareness through training and pledge programs for both employees and business partners, and remain committed to building a robust and secure information protection environment.

Information Security Training Target and Frequency

Information Security Training
  • Training Frequency: At least once a year
  • Training Target: Permanent / Contract Workers / Business Partners
Malicious Email Simulation Training
  • Training Frequency: As needed
  • Training Target: Permanent / Contract employees
Breach response training, such as DDOS simulation training
  • Training Frequency: Annually
  • Training Target: Permanent / Contract employees

Performance of Information Security Training

Information Security Training Participation Rate (Unit: %)
Permanent / Contract
  • 2023: 93
  • 2024: 92
  • 2025: 100
Business Partners
  • 2023: -
  • 2024: -
  • 2025: 100

Business Partner Information Security Management

SK Square operates a systematic management framework to strengthen the security of information handled by its business partners. All business partners collaborating with the company are required to sign information security pledges. Furthermore, the company has specified information security compliance requirements in its Supplier ESG Code of Conduct, requires partner signatures acknowledging these requirements, and conducts regular inspections to verify Code of Conduct adherence. In addition, business partners working on-site are mandated to complete information security training. Through this management framework, SK Square continuously strengthens business partner information security and data protection capabilities and proactively manages information security risks.

Business Partner Information Security Management Status

Information Security Pledge
  • Description: Information security pledge signature from business partners
  • Implementation Performance: 100%
  • Monitoring: Signature verification at contract execution
ESG Code of Conduct Compliance
  • Description: Specification and signature acknowledgment of information security compliance requirements within the Code of Conduct
  • Implementation Performance: 100%
  • Monitoring: Regular inspections
Information Security Training
  • Description: Mandatory training completion for on-site business partners
  • Implementation Performance: 100%
  • Monitoring: Training completion monitoring