Governance

Information Security

Information Security System

Information Security Policy

SK D&D is establishing data governance as part of its goal to build a robust IT infrastructure solution and become a leading platform business. In line with this objective, the company has implemented an information security policy and system based on applicable laws and regulations. By complying with national information security standards and ethical codes, SK D&D aims to mitigate cybersecurity risks and enhance trust with external stakeholders, thereby effectively managing potential risks.

The information security policy and related regulations are posted on the company’s groupware bulletin board, ensuring that all employees are aware of and have access to them. Additionally, the privacy policy—which outlines how customer information is used, managed, and protected—is made publicly available on the company website for all customers to review.

To further enhance its internal policies and strengthen its information security framework, SK D&D acquired and maintains ISMS (Information Security Management System) certification* as of November 2023, covering its official website and the EPISODE brand website. By voluntarily obtaining this certification, the company has created a safer service environment for customers and will continue to strive for improved trust in its information security practices.

*ISMS (Information Security Management System) Certification: A certification system administered by the Korea Internet & Security Agency (KISA) that verifies organizations have established and operate an appropriate information security management system in accordance with the Act on Promotion of Information and Communications Network Utilization and Information Protection.

Information protection policy

Information Security Governance Organization

SK D&D operates an Information Security Committee as its highest decision-making body to systematically implement information security management activities. Through this committee, the company reviews and decides on key issues related to the establishment of information security policies and control procedures, as well as the operation of corporate confidential information security, at least once a year. The Information Security Committee is composed of IT and information security experts, with the Chairperson appointed as the Chief Information Security Officer (CISO). The CISO is a C-level executive delegated by the CEO with the authority to review and approve policies, responsible for formulating information security strategies and ensuring prompt responses. The CISO reports the committee’s deliberations and decisions directly to the CEO.

To enhance the efficiency of information security operations, SK D&D holds a quarterly Information Security Working Group. Chaired by the Information Security Manager, this group includes practitioners responsible for information security, personal data protection, and personnel/physical security, working collaboratively to strengthen the company-wide information security framework. The DX Planning & Operations Division, which is responsible for information security, implements the annual information security plan, conducts inspections and follow-up management to prevent security incidents, and collaborates with relevant departments such as Compliance and Business units as needed to promote internal information security activities.

Information Security Governance Organization Chart

Information Security Risk Analysis and Evaluation

SK D&D conducts regular information security audits to maintain the required level of protection as stipulated by its information security policies, aiming to proactively prevent security breaches. In 2024, in accordance with ISMS-P certification standards, the company evaluated risks and vulnerabilities not only in enterprise-wide information security but also within its personal information management system. The assessment identified a total of 33 deficiencies—24 related to information security and 9 related to personal data. Mitigation measures have been fully implemented for all identified issues by the respective departments. An effectiveness evaluation of the current operations resulted in a score of 85.7, classified as an "Excellent" security level, reflecting a decrease in deficiencies compared to the previous year while maintaining a high standard of security. Additionally, the personal information management system evaluation yielded a score of 72.7, also rated as "Excellent." SK D&D continues to address deficiencies and carry out ongoing monitoring activities to safeguard customer personal information.

Risk analysis process

2024 Information Security Risk Analysis Results

| Inspection Area | Total | Completed | Remaining | Improvement Rate |
|---|---|---|---|---|
| ISMS/ISMS-P | 33 | 31 | 2 | 93.9% |

2024 Information Security Level Improvement Performance

| Category | 2023 | 2024 | Remarks |
|---|---|---|---|
| Information Security Level | 86.4 | 85.7 (Excellent) | - |
| Personal Information Protection Level | - | 72.7 (Excellent) | New entry |

Information Security Compliance

| Category | Unit | 2022 | 2023 | 2024 |
|---|---|---|---|---|
| Number of information security violations/incidents* | Cases | 0 | 0 | 0 |
| Total fines or penalties related to information security | Million KRW | 0 | 0 | 0 |
  • *Excludes violations/incidents related to personal information protection

Subsidiaries (DDI, DDPS) Information Security Compliance

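| Category | Unit | 2022 (DDI) | 2022 (DDPS) | 2023 (DDI) | 2023 (DDPS) | 2024 (DDI) | 2024 (DDPS) |
|---|---|---|---|---|---|---|---|
| Number of information security violations/incidents | Cases | 0 | 0 | 0 | 0 | 0 | 0 |
| Total fines or penalties related to information security | Million KRW | 0 | 0 | 0 | 0 | 0 | 0 |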

Embedding Information Security Awareness

Information Security Best Practices

SK D&D conducts regular checks on everyday security practices to enhance employees’ awareness of information security. Any identified vulnerabilities or security incidents are promptly communicated to all staff. Quarterly, the company distributes guidelines on everyday security and information protection best practices to foster a strong security culture. Additionally, the results of internal security assessments related to the workplace environment are shared with employees. In the event of an influx of spam email or vulnerabilities related to Office tools, SK D&D promptly notifies employees to ensure appropriate responses can be taken, thereby preventing significant information security incidents.

10 Rules for Information Protection

Information Security Investment and Training

As SK D&D continues to expand its IT/data-driven solutions and platform businesses, the company has been increasing its investment in the information technology sector while also reinforcing its enterprise-wide information security framework. In line with this, SK D&D has consistently allocated annual investments specifically for information security. In 2024, information security expenditures accounted for 7.1% of the company’s total IT investment. SK D&D remains committed to protecting both customer and corporate information through continued investment in information security.

In addition, SK D&D provides annual information security training to ensure that all employees understand the importance of cybersecurity, recognize their responsibilities, and strengthen their security capabilities. In 2024, company-wide online security training was conducted, delivering a total of 338 hours of instruction. Furthermore, in accordance with internal information security policies, all employees are required to sign an annual Information Security Pledge, reaffirming their commitment to complying with relevant laws and internal regulations, and to practicing strong security behaviors.

Information security investment details

| Category | Unit | 2022 | 2023 | 2024 |
|---|---|---|---|---|
| Total IT Investment | Million KRW | 13,120 | 14,108 | 13,267 |
| Information Security Investment | Million KRW | 1,101 | 667 | 944 |
| Information Security Investment as a % of Total IT Investment | % | 8.4 | 4.7 | 7.1 |

Prevention and Response to Security Incidents

SK D&D conducts annual security training programs—such as simulated phishing campaigns and penetration testing exercises—as part of its ongoing efforts to prevent security incidents and strengthen information protection. The simulated phishing training is carried out company-wide to prevent incidents such as data leaks or business disruptions caused by spam emails or ransomware, and to raise employees' awareness of security risks. Penetration testing is conducted on enterprise-wide systems, applications, and IT infrastructure related to business operations, aiming to prevent security breaches and enhance overall security awareness.

In addition, SK D&D operates an IT help desk channel that allows employees to report IT and security issues as they arise, with prompt feedback and support. To further prevent and respond quickly to information security incidents, the company has implemented a Business Continuity Plan (BCP) and corresponding response procedures. Moreover, SK D&D conducts mock BCP drills and crisis response training at least twice a year to regularly assess and improve the effectiveness of its incident response processes.

2024 Simulated Phishing Training Results

| Period | Participants | Result | Improvement Measures |
|---|---|---|---|
| 1st Half | 173 | Click Rate: 12% (20 Individuals) | Enhanced security awareness through written training on malicious email trends |
| 2nd Half | 179 | Click Rate: 26% (46 Individuals) | |

Personal Information Protection

Personal Information Protection Activities

In accordance with Article 30 of the Personal Information Protection Act, SK D&D has established and publicly disclosed its Personal Information Processing Policy, which details the rights and responsibilities of data subjects as well as the contact information of the company’s data protection officers and personnel. The policy is regularly reviewed and revised in response to changes in laws, regulations, policies, or security technologies. To ensure transparency, all versions of the Personal Information Processing Policy, along with the effective dates and details of amendments, are archived and made accessible on both the company’s official website and the ‘Episode’ website.

SK D&D’s DX Planning and Operations Department, responsible for personal information protection, conducts mandatory training on personal data protection and prevention of data breaches. Each year, the company collects signed consent forms from employees regarding personal information processing, demonstrating its commitment to safeguarding employee data. Furthermore, regular system audits based on SK Group’s security guidelines are conducted to identify and remediate vulnerabilities. Investments in data masking and encryption technologies are made to prevent personal information leaks. Additionally, to prepare for any potential customer data breaches arising from the Episode rental housing business, SK D&D maintains and annually renews personal information protection liability insurance.

Personal Information Protection Compliance*

| Category | Unit | 2022 | 2023 | 2024 |
|---|---|---|---|---|
| Number of Information Security Violations/Incidents Related to Personal Information | Cases | 0 | 0 | 0 |
| Total Fines or Penalties Related to Personal Information Protection | Million KRW | 0 | 0 | 0 |
| Number of Complaints Related to Customer Personal Data Violations or Data Loss | Cases | 0 | 0 | 0 |
| Verified Cases of Customer Data Leakage, Theft, or Loss | Cases | 0 | 0 | 0 |
| Number of Customers Affected by Data Breaches | Persons | 0 | 0 | 0 |
  • *No complaints, data leaks, thefts, or losses related to personal information protection were reported.