Data Security and Privacy

#Organizational Chart for Data Security #ITGC #Information Security Campaign #Personal Information Processing Systems #Security Management System #ISMS Certification

As Korea’s largest one-person media platform, SOOP prioritizes data security and user privacy. We operate an information protection management system that exceeds the level required by law, and we strive to ensure that streamers can use our services with peace of mind through personal information impact assessments across our services, regular internal audits, and ISMS certification. To build a trusted platform environment, we also operate a dedicated organization to prepare for cyber threats and increase investment to respond to new security threats.

Governance

To protect users’ personal information, our Data Security Committee and key executives such as the CISO and CPO oversee information protection. The Data Security team, a department dedicated to information protection, is in charge of establishing and operating information security and personal information management strategies and systems and systematically manages risks by reporting directly to SOOP’s Data Security Committee when they arise.

Organizational Chart for Data Security

Decision-Making Body/Decision Maker (As of December 31, 2023)

Composition: Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), Head of Management Support, Data Security Team Leader, Data Protection Officer, Talent Management Team Leader

Roles (Regulations):
  • General management of the information security management system
  • Operation of information protection and security control systems (Information Protection Guidelines)

Responsibilities:
  • Enacting and revising privacy statements, policies, and regulations
  • Establishing information protection strategy
  • Managing personal information risk assessment and handling personal information leaks
  • Deliberation, review, and resolution of other information security-related issues

Reporting Frequency: Reporting as needed

Dedicated Organizations and Key Roles

  • Technical Leading(TL) Division, Data Security Team

    • Establish an information security strategy and internal control plan
    • Operate a data security management system
    • Strengthen information protection skills
    • Establish and operate a breach response system
    • Conduct information security training and awareness programs for employees
    • KISA Information Security Disclosure
    • Obtain and maintain privacy-related certifications
    • Report information security issues to management
    • Keep the entire organization up to date on the latest information security issues and trends
  • User Communications Department

    • Establish a privacy management plan
    • Conduct internal audits (twice a year)
    • Data Protection Officer
      • Handle complaints or comments about personal information from data subjects and review improvements

      • Oversee the ongoing management of personal information processors

      • Train personal information processors

      • Review and reflect improvements to the personal information processing system

      • Assist in inspections on compliance with personal information processing standards

      • Other matters required for personal information protection

Strategy

SOOP has taken various measures to respond to major risks and opportunities related to data security and privacy, including a privacy/security management system, a response process in the event of an incident, and enhanced technical capabilities.

Risks and Opportunities

Risks: Increasing data security regulations, privacy breaches, and cybersecurity threats
  • Impact on Business Model and Value Chain:
    • Information leaks lead to human rights infringement and property damage
    • Litigation and dispute risk, operational risk, and reputational risk
  • Duration of Impact 1): Short-term, medium-term, long-term

Opportunities: Creating new business opportunities and strengthening competitive edge
  • Impact on Business Model and Value Chain:
    • Increase credibility as a business partner and expand opportunities for collaboration
    • Enhanced security technology makes organizations more resilient, enabling them to respond quickly in the event of an incident and ensures business continuity to strengthen competitiveness
  • Duration of Impact 1): Medium- to long-term

1) Short-term: less than 1 year, medium-term: 1-5 years, and long-term: more than 5 years.

Impact on Financial Position, Financial Performance, and Cash Flows

SOOP actively discloses its information security status every year. By disclosing information protection investments, budgets, and major activities, SOOP continues to conduct information protection activities that stakeholders can trust. As of December 2023, we have invested KRW 52.26 billion in information technology and KRW 970 million in information security. The main investment purposes are the introduction of network security equipment and security solutions such as firewalls and harmful site blocking.

Financial Position Table
  • Investment in Information Technology in 2023: 52.26 billion
  • Investment in Information Security in 2023: 970 billion

Privacy Protection Principles

SOOP annually formulates internal plans for personal information management and discloses them to all employees to ensure that all employees are aware of their responsibilities and obligations related to personal information protection. In addition, disciplinary measures may be taken for violations of personal information-related responsibilities and obligations in accordance with the Information Protection Regulations, and such violations and the level of discipline may also affect employees’ performance evaluations.

  • 01 SOOP complies with all laws and international standards on the protection of personal information.
  • 02 SOOP always discloses the processing of the users’ personal information transparently.
  • 03 SOOP respects the users’ rights to make decisions about their personal information.
  • 04 SOOP collects only the minimum personal information needed to meet its objectives and manages this information responsibly.
  • 05 SOOP prioritizes the protection of user privacy.

Privacy Policy

SOOP complies with the personal information protection regulations, such as the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection. SOOP has established and operates a privacy policy in accordance with relevant laws to best protect the rights and interests of users.

How We Handle Data Breaches

To prepare for personal information leakage, we have established the ‘Leakage Response Guidelines’ and a systematic response procedure for dealing with potential incidents. We have systematized response steps, including notifying individuals/institutions in accordance with relevant laws, identifying the cause of the leakage, taking measures, and reflecting improvements. Additionally, we have designated teams for each step to provide relief to those affected by the incident and minimize damage.

In addition, in order to strengthen our employees’ ability to respond to such incidents, we conduct personal information breach simulation trainings twice a year. These exercises help us review and improve our incident response strategies based on various scenarios. In 2023, we held two simulation trainings, with a 100% participation rate, and an average of 797 employees participated in each training.

Incident Response Procedure
  • 01 Initial Response

    • Record timeline-based incident circumstances
    • Operate an emergency contact network per risk level
  • 02 Root Cause Investigation

    • Identify the cause of the incident
    • If action cannot be taken internally, report the matter to higher-level staff
  • 03 Action

    • Internal action
    • Action through related departments or external contractors
  • 04 Action Delayed

    • If action is delayed, escalate the risk level
    • Report the matter to the highest-level staff
  • 05 Notification

    • Notify actions taken for each risk level
  • 06 Root Cause Analysis

    • Collect and analyze data
    • Determine the details of the incident
    • Draft an accurate report so that the situation is easily understood
  • 07 Recurrence Prevention

    • Decide how to prevent incidents from spreading or recurring
  • 08 Completion

    • Draw up security policies to identify and prevent similar attacks
    • Change procedures, record information about the incident, draw up long-term security policies, draft plans to modify technology
  • Held: 2 Simulation Trainings
  • Engagement Rate: 100%
  • Employees Participated in the Trainings: An Average of 797
*As of 2023

Measures to Strengthen Safety and Security

SOOP is committed to enhancing the safety and security of our services. We are effectively defending against DDoS attacks by filtering malicious traffic through the Clean Zone service. We are also working with security companies to monitor and take additional measures to prevent attacks on SOOP’s users and streamers.

Strengthening ITGC with Mandatory External Audit of Internal Accounting Control System

In 2023, the Enforcement Decree of the Act on External Audit of Stock Companies was amended to require an external audit for SOOP’s internal accounting control system. In order to respond to external audits, we have revamped our IT-related control processes. In particular, we have strengthened our ITGC for important accounts related to financial statements, separated operators and approvers for important data change tasks and conducted frequent reviews, and mandated monthly internal audit activities to ensure data integrity.

ITGC, Information Technology General Controls

ITGC (Information Technology General Controls) are the controls that ensure the reliability and stability of an organization’s IT systems. The term refers to the control activities over the acquisition, development, and maintenance of IT infrastructure, security management, and information technology. It includes control over program development and change, data and program access security, and operational management (backup and failover).

Information Security Disclosure

Since 2023, SOOP has disclosed its information security status in detail through the KISA Information Security Disclosure Portal, and we were recognized as an Excellent Disclosure in Information Security Investment company in 2023 and 2024. The portal discloses SOOP’s information security-related data, such as governance, investment details, personnel, and activities. As of December 31, 2023, SOOP had 270.3 employees in information technology and 5.1 employees dedicated to information protection, and its information protection activities included providing information security and privacy training to all employees, conducting hacking simulation trainings, and conducting self-inspections and subcontractor audits for personal information protection.

  • Employees in Information Technology: 270.3
  • Dedicated to Information Protection: 5.1 Employees
  • Conducted: 2 Subcontractor Audits
  • Published: 9 Employee Privacy Guides
  • Revision to the Privacy Policy and Guidelines: 1
  • Privacy Training: 6 all-employee privacy trainings; 2 all-employee hacking email trainings; 2 privacy trainings
(As of Dec. 31, 2023)

Information Security Campaign

In June 2023, SOOP launched a campaign to promote a culture of personal information protection. The campaign established five security rules, including changing passwords regularly, using secure passwords, and not sharing accounts. These rules were distributed through SOOP’s user communication channels. This helped users recognize the risk of personal information leaks and encouraged them to take more proactive security measures.

Information Security Training

SOOP conducts a number of activities to raise awareness among personal information controllers and processors of the importance of protecting personal information. In 2023, we conducted an information protection pledge procedure for all employees and held regular personal information protection trainings twice a year. In addition, SOOP conducted ad-hoc trainings through a self-operated training course system.

Information Security Trainings in 2023

Content: Company-wide security training

Subject: All employees
  • Frequency: Twice a year (first and second half)
  • 2023 Performance: 470 employees completed the course in the first half; 321 employees completed the course in the second half

Subject: New employees
  • Frequency: Twice a year (first and second half)
  • 2023 Performance: 70 employees completed the course in the first half; 40 employees completed the course in the second half

Risk Management

Pre- and Post- Control Measures for Privacy Protection

SOOP complies with personal information protection laws and internal management regulations by checking the sensitivity of personal information collected and used in all services in advance. In addition, SOOP conducts personal information impact assessments at all times and operates a management system that comprehensively manages the rights and usage status of personal information processors.

We conduct an annual inspection of our personal information management to ensure compliance with procedures such as the collection, use, provision, protection, and destruction of personal information, and rights of users with respect to their personal information. We also conduct an annual inspection of the status of personal information protection for personal information subcontractors (all entities entrusted with processing SOOP’s personal information). We also prepare a personal information self-inspection list for each company and request improvements when violations or deficiencies are identified, and if there is no continuous improvement or the level of personal information protection is low, we conduct on-site inspections to ensure that improvements and measures are taken quickly. These follow-up control measures are checked by the CPO and are continuously managed to ensure that any deficiencies are improved.

Personal Information Impact Assessment
  • Adoption of Service: Review the appropriateness of privacy protection in the adoption stage
    • Service planning
    • System establishment
    • Service development
  • Operation of Service: Review the appropriateness again when updating items to be collected/used
  • End of Service: Check on the safe discard of collected information when ending the service

Management of the Personal Information Processing Systems

SOOP designates systems that handle personal information related to the services provided to users as ‘Personal Information Processing Systems,’ including business systems and database systems. We have also established systematic authorization standards and operating procedures for all actions related to the Personal Information Processing Systems, such as access, menu, inquiry, modification, and extraction. We also recommend using secure authentication methods to prevent unauthorized access by third parties. Additionally, to address external threats, we have encrypted the information access paths.

Furthermore, we have assigned approval groups for each system menu so that only the data processors who need access to a specific menu can examine the information. These permissions require an application process and approval by the person in charge of personal information protection, and are granted through an appropriateness review. Logs of all acts performed by personal information controllers, such as granting, accessing, creating, changing, and deleting approvals, are kept for a certain period of time, and we periodically review the appropriateness of approvals and revoke the approvals for unnecessary accounts.

Security Management System

SOOP classifies the assets in the information security management system according to the importance of the service and conducts a criticality assessment and risk analysis on a regular and ad-hoc basis. The criticality assessment and risk analysis are conducted according to the predefined items in the information protection management system and self-defined criteria; risk ratings are calculated; priorities and measures for improvement are reviewed; and plans for improvement are developed.

In this process, all assets of SOOP are subjected to periodic risk analysis and improvement on an annual basis to identify vulnerabilities so that users can use the service with confidence in a safe environment. The information security system is strictly controlled so that only relevant personnel or employees who have been authorized in advance through the approval process can access it. SOOP clearly determines and grants only necessary permissions through an appropriateness review according to the scope of work of employees, and all activities such as access history and configuration changes and attempts by unauthorized users are monitored. In addition, SOOP is working with a security system specialist company to detect and respond to abnormal signs or attempts by external hackers 24 hours a day and 365 days a year to prevent security breaches in advance.

Information Security Management System (ISMS) Certification

SOOP has received the Information Security Management System (ISMS) certification from the Korea Internet & Security Agency. We were first certified in 2014 and have been maintaining and renewing our certification ever since.

The ISMS certificate issued in 2022 is valid until January 2026. In 2023, we underwent a follow-up examination and successfully maintained our certification.

Metrics & Targets

SOOP has set and been systematically managing goals related to data security and privacy. In particular, we have had zero data breaches in the past three years, and we are committed to achieving zero data breaches in 2024.

Metrics & Targets (2021 / 2022 / 2023)

Training Completion Rate (%)
  • New Hire Security Training: 100 / 100 / 100
  • Malware Training: 100 / 100 / 100
Personal Information Self-Check (number of cases): - / 2 / 2
Personal Information Subcontractor Inspections (number of cases): - / 2 / 2
Investment in Information Security (KRW): - / 864,565,261 / 974,429,144
The Number of Personal Information Breaches: 0 / 0 / 0

*Data on the number of personal information self-checks, subcontractor inspections, and investments in information security in 2021 are not available.