주메뉴바로가기본문바로가기
비즈한국 비즈한국

OpenAI's First Information Security Disclosure: "Key Metrics Like Investment and Personnel Remain Undisclosed"

This article was automatically translated by AI. There may be errors compared to the original Korean article.  Read original in Korean →

[비즈한국] OpenAI, the operator of the generative AI service ChatGPT, has disclosed its information security status for the first time this year, as it was included in the mandatory 'Information Security Disclosure' list in South Korea. While the company provided relatively detailed explanations regarding cybersecurity investments, AI-based security systems, and organizational operations, it did not reveal key quantitative indicators such as the scale of IT and information security investments or the number of dedicated personnel. Although it followed the "global standard operation" logic common among global companies, critics suggest that transparency in information security remains an ongoing challenge.

OpenAI has disclosed its information security status for the first time this year as it was included in the mandatory 'Information Security Disclosure' list in South Korea. Jason Kwon, Chief Strategy Officer at OpenAI, is seen speaking at a press conference held during the launch of OpenAI's South Korean subsidiary last year. Photo = OpenAI
OpenAI has disclosed its information security status for the first time this year as it was included in the mandatory 'Information Security Disclosure' list in South Korea. Jason Kwon, Chief Strategy Officer at OpenAI, is seen speaking at a press conference held during the launch of OpenAI's South Korean subsidiary last year. Photo = OpenAI

Detailed Disclosure of Security Activities Fitting an AI Company

In its first domestic information security disclosure on the 30th of last month, OpenAI shared its AI-based security system, operating procedures, and cybersecurity research activities. This included the disclosure of the Safety and Security Committee under its board of directors, a 24/7 Security Operations Center (SOC), and ongoing Red Team assessments conducted with security firm SpecterOps. However, key metrics that would allow users to objectively compare companies remained elusive.

The Korea Internet & Security Agency's (KISA) information security disclosure system is designed to allow users to verify a company's security level by requiring businesses to publish data on security investment, dedicated personnel, and current security activities, as mandated by the 'Act on Promotion of Information Security Industry.' The number of companies subject to mandatory disclosure this year is 693, an increase of 27 from last year. Targeted companies are selected annually based on legal criteria such as business sector, revenue, and number of users.

A KISA official explained, "Companies subject to mandatory disclosure are selected based on standards defined by law, and OpenAI met these criteria and was included this year." According to Mobile Index, ChatGPT's monthly active users (MAU) in South Korea reached approximately 14.3 million as of January this year. OpenAI has also repeatedly emphasized the importance of the Korean market. Jason Kwon, Chief Strategy Officer (CSO) at OpenAI, stated at the launch of the Korean subsidiary last September that "Korea is the country with the most ChatGPT users in the Asia-Pacific region."

OpenAI's information security efforts focus on supporting the AI security ecosystem and strengthening internal control systems. Through its Cybersecurity Grant Program, launched in 2023, the company supports research into AI-based security technology, and this year, it expanded its scope to generative AI-specific fields such as defense against Prompt Injection and Agentic Security. Prompt Injection is an attack technique that tricks AI into performing unintended commands through malicious inputs. The company also increased its bug bounty rewards for researchers reporting security vulnerabilities to a maximum of $100,000 (approximately 150 million won).

Security governance has also been bolstered. The company stated that it established a Safety and Security Committee under its board last year to review the safety and security of major AI models, with the authority to delay releases if necessary. It further explained that it maintains an active response system through its 24/7 security operations center and external red team assessments.

Additionally, the company disclosed that it maintains international security certifications and implements a Zero Trust-based security design, annual penetration testing, and employee security training. Its information security activities also include investments in the cybersecurity startup Adaptive Security, the publication of threat reports analyzing AI misuse cases, and research into detecting and patching open-source software vulnerabilities.

OpenAI Daybreak GPT-5.5-Cyber CyberGym benchmark performance comparison. Photo = OpenAI
OpenAI Daybreak GPT-5.5-Cyber CyberGym benchmark performance comparison. Photo = OpenAI

Conversely, data regarding investment and personnel was replaced with a note stating that "our investments are conducted based on global standards." Information on IT investment, security investment, total employees, IT staff, and dedicated security personnel were left blank, disclosing only the titles of the Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO), their executive status, and whether they hold concurrent positions.

Qualitative Information is Relatively Robust… Important Data "Follows Global Standards"

This method of disclosure with blank key figures is not unique to OpenAI. Global companies that have been providing information security disclosures for years—such as Google, Meta, Amazon Web Services (AWS), TikTok, Alibaba, AliExpress, Tencent, and X (formerly Twitter)—also explain that IT and security investment figures and dedicated staff counts are managed at a "global level," often substituting them with notes or claiming separate calculation is difficult. Instead, it is common practice for them to focus their disclosures on global security policies, certifications, and security activities.

However, not all global companies provide the same level of information. While Netflix explained that it is difficult to calculate figures separately for its domestic subsidiary, it did provide specific global figures, such as 4.8264 trillion won in total IT investment, 258.7 billion won in security investment, 16,000 total employees, 5,534 IT personnel, and 269 dedicated security staff. It also explained that its central security organization handles global security tasks, including those for its Korean services.

Microsoft’s Korean subsidiaries also stated that investment figures are difficult to calculate separately, but they disclosed their parent company’s global metrics, including 228,000 full-time employees, over 34,000 cybersecurity-dedicated engineers, and 81 employees in its Korean branches. They also provided relatively detailed explanations of the CISO role in the Korean branch, the global CISO organizational structure, and the roles of the CPO.

With the rapid spread of generative AI usage in South Korea, starting with OpenAI, there is growing potential for other major AI operators like Anthropic to be included in mandatory information security disclosures. This is expected to further fuel discussions regarding the security transparency of global AI firms. Photo = Bizhankook DB
With the rapid spread of generative AI usage in South Korea, starting with OpenAI, there is growing potential for other major AI operators like Anthropic to be included in mandatory information security disclosures. This is expected to further fuel discussions regarding the security transparency of global AI firms. Photo = Bizhankook DB

OpenAI’s first disclosure is relatively comprehensive among global companies in terms of qualitative information. On the other hand, key metrics that directly allow users to compare security levels—namely investment scale and dedicated staff—remain difficult to verify. Critics have consistently pointed out that the effectiveness of these disclosures is limited when so many global companies omit such information.

Particularly, as OpenAI has a high proportion of domestic users and instances of users inputting sensitive data such as work documents, source code, and personal information into generative AI are increasing, the company is subject to higher public scrutiny regarding security than other general global platforms. Consequently, there are calls for the company to more actively disclose information at a level that users can reference, rather than relying solely on the explanation of "global standards."

Meanwhile, as OpenAI was included in the disclosure list this year for the first time, attention is focused on whether other generative AI operators will face similar requirements. As the generative AI market diversifies beyond OpenAI, the domestic user base for Anthropic's Claude and Google's Gemini is also growing rapidly. Meta, TikTok, and X were included based on domestic user numbers, and Tencent was included based on its cloud computing service provider status. Microsoft complies with both the cloud computing service provider and user number criteria.

According to usage-based analysis by Mindlogic, the usage proportion for GPT models dropped from 85.7% last September to 34.8% this May, while Claude increased from 5.7% to 36% during the same period. Gemini also maintains a 20% usage share. It remains to be seen whether other AI operators will be included in the information security disclosure requirements in the future as they meet legal criteria such as user numbers.

A KISA official stated, "In many cases, it is difficult for global companies to separately calculate investment scale or personnel for their Korean subsidiaries. We are working with the Ministry of Science and ICT to encourage global operators to focus their disclosures on security activities." The official added, "While it is difficult to verify quantitative investment scales of global companies, qualitative information such as security certifications and security activities can be confirmed through the disclosures."

This article was automatically translated by AI. There may be errors compared to the original Korean article.
강은경 기자

기술과 산업을 취재하고 씁니다.

gong@bizhankook.com
저작권자 ⓒ 비즈한국 무단전재 및 재배포 금지