IR Link

Cyber Security

#Information Protection System #Privacy Protection Training #ISMS #Cybersecurity

AfreecaTV, the nation’s largest one-person media platform, always makes its best effort to protect the privacy of its users. Pursuant to the Personal Information Protection Act, we have established policies to protect personal information and privacy. We analyze the impact of collecting or using personal information throughout the lifespan of the service, from planning to completion, and carry out preventive and ex-post control measures so that our users can feel assured when providing their personal information to AfreecaTV and using our service.

Personal Information Protection System

As part of our preventive measures, we identify the level of sensitivity of the personal information being collected or used in the services we provide or plan to provide, check whether the laws and regulations on personal information protection are complied with, and determine whether protective measures and management are conducted adequately through a personal information impact assessment. We also operate a comprehensive management system for the authorities and access of people who handle and have access to the personal information of our users.

Our ex-post control measures to protect personal information include an internal inspection on the compliance with set procedures in collecting, using, providing, protecting, and discarding personal information, as well as regarding user rights. We inspect the privacy protection status of consignees (any company that handles personal information provided by AfreecaTV) every year to ensure personal information protection in transaction services and minimize risks related to personal information. To inspect consignees, we have devised a list for personal information self-inspection consisting of 50 items based on the status of information collection at AfreecaTV and pursuant to personal information protection regulations. We established a process that facilitates swift improvements and actions. Consignees got scores, asked to make improvements in the case of a violation or inadequacy, and inspected again if improvements are not made or their protection system is highly inadequate.

The CPO of AfreecaTV reviews the overall process and results of the ex-post control measures and oversees the improvement progress for inadequacies. We make consistent efforts to maintain a high level of data protection and prevent leakage to ensure that user information is kept safe.

Cycle of the personal information impact assessment

Management of the Personal Information Handling System

To handle the personal information of users in a safe manner, AfreecaTV has established a personal information handling system covering the services provided, the database system, and the management system. We also defined standards for granting authorities and operational procedures for activities related to the personal information handling system, such as access, menus, views, editing, and extraction. We use a safe authentication system recommended by the company to block the access of third parties and respond to external threats by encrypting the access route. We also create authority categories and grant authorities to access and view necessary menus only to designated persons who handle personal information.

Approval for these authorities is granted by the persons responsible for personal information protection and information security following an application procedure for access. The log of access to the personal information handling system (e.g., authority given, access, creation, editing, deletion, etc.) by the persons who handle personal information and any activity after access are retained for a certain period, and authorities are reviewed periodically so that authorities can be removed from accounts that are not used.

Plan and Principles of the Internal Management of Personal Information

To systematically manage personal information and take protective and ex-post measures, AfreecaTV develops and updates its Personal Information Protection Management Plan annually.
We release revisions to the plan every year to all employees to remind them of their duties and responsibilities in handling and managing personal information, and we help them to collect and process the personal information of AfreecaTV’s users in a safe manner through our protection measures. To prepare for potential leakage of personal information that may occur despite stringent preventive and ex-post control efforts, we made all the steps – from reporting to the individual/institution in accordance with relevant laws to identifying the cause, taking measures, and making improvements – into a process and designated a team for each step to support the victims and minimize damage.

Cycle of personal information impact assessment

AfreecaTV complies with all laws and international standards on the protection of personal information.
AfreecaTV always discloses transparently the processing of users' personal information.
AfreecaTV respects the right of users to make decisions about their personal information.
AfreecaTV collects the minimum personal information possible to meet our objectives and manages this information responsibly.
AfreecaTV prioritizes the protection of user privacy.

Security Training

To raise awareness of information security within the company, AfreecaTV conducts information protection training for all employees. Specifically, new employees are required to complete security training to ensure compliance with information security regulations. The company periodically holds an E-Clean Day for employees. These events inform employees about security matters, such as phishing and other recent security threats. As remote working due to COVID-19 continues, we have provided training on security rules when working from home using actual cases of security issues.

Information Protection System

To prevent customer information leaks and ensure business stability, AfreecaTV’s Information Protection Committee operates a management system for privacy and security control. This committee oversees the information protection management system and manages all information within the company. It is composed of the CISO (chief information security officer), the CPO (chief privacy officer), and the CTO (chief technology officer). The committee deliberates, reviews, and votes on information protection issues and other related and critical matters, thereby managing information protection risk across the enterprise. In December 2021, we established a team dedicated to information security under the CISO to implement an information security system and protect information assets.

Information security organization system

Information security organization system image

Personal Information Protection Training

AfreecaTV engages in various activities to raise awareness of information security among those who handle or process personal information. All employees are required to sign the Information Security Agreement and receive training on information protection twice a year. There are also non-regular training programs on AfreecaTV‘s training system. We plan to achieve a 100% completion rate for the training provided to those who handle personal information. We take proactive measures to provide training on personal information protection to all employees.

ISMS (Information Security Management System)

We rank assets subject to the information security management system based on the importance of the service in our materiality assessment. We analyze risks regularly and nonregularly. Materiality assessments and risk analyses are conducted for the items defined in the ISMS and internal criteria. Risks receive a grade depending on the results, and this is the basis for prioritizing improvement measures and improvement methods. The weak points of all assets of AfreecaTV are analyzed regularly throughout the year and improvements are made to provide a safe environment and stable services to users.

The information security system is under strict control, and only relevant personnel and those who have been authorized in advance through an approval process can access it. The work scopes of employees are assessed through an appropriateness review for assigning necessary authorities. All activities, such as access, changing settings, and attempts to access by nonauthorized persons are monitored. AfreecaTV works with a security system company to detect and respond to external hacking attacks or abnormal activities 24/7, every day of the year. We strive to prevent security incidents in advance.

Advancement of Information Security Technology

AfreecaTV provides diverse services in the global market, which makes it vulnerable to DDoS (distributed denial of service) attacks due to the nature of the company. A DDoS attack refers to an attack that disables the operation of network resources or a website by attacking a single target system with multiple systems. We are striving to improve our information security technology to protect our services from external attacks.

We block DDoS attack attempts in cooperation with network providers, and also with separate equipment, and implemented a sophisticated security management system through monitoring. We encrypt material information and communication intervals from the stage of service development through our systematic security management system.

Incident (Attack) Response Procedures

Incident (Attack) Response Procedures image
Incident (Attack) Response Procedures table
N Detail
1 Initial response
  • - Record timeline-based incident circumstances
  • - Operate an emergency contact network for each risk level
2 Identification of the cause and verification of
whether action is possible
  • - Identify the cause of the incident (attack)
  • - Determine whether action can be taken internally
  • - If not, report the matter to higher-level staff
3 Action against the incident
  • - Take internal action
  • - Take action through related departments or external contractors
4 Delay of action
  • - If action is delayed, escalate the risk level
  • - Report the matter to the most senior manager in charge
5 Completion of action and notification
  • - Provide notification of the actions taken for each risk level
6 Analysis of the cause and preparation of a report
  • - Collect and analyze data
  • - Determine the details of the incident
  • - Draft an accurate report so that the situation is easily understood
7 Establishment of plans to prevent recurrences
  • - Decide how to prevent the incident from spreading or recurring
8 Completion
  • - Draw up security policies to identify and prevent similar attacks
  • - Change procedures, record information about the incident, draw up long-term security policies, and draft plans to modify technology

Content List



    #Energy Conservation Activities #Green Campaign #Environment-Oriented Content


    #Media responsibility #Clean content #Employees #Strengthening partnership #Social contribution

    Social Contributions

    #Social Contributions through Content #Social Contributions through Participation #1% Charity


    #Board of Directors #Independence #Shareholders

    Risk Management

    #Proactive Risk Management #Self-Regulated Management #Risk Screening

    Ethical Management

    #Code of Conduct #Ethic Compliance #Whistleblower System

    Cyber Security

    #Information Protection System #Privacy Protection Training #ISMS #Cybersecurity
맨위로 이동