Corporate Governance 2026

SOUTH KOREA Law and Practice Contributed by: Bo Hee Park, Minhyun Cho, Ian Kim and Jun Hee Kwon, Jipyong LLC

From a governance perspective, director exposure is most likely to arise where the board fails to ensure that appropriate risk management and compliance frameworks are in place to address AI-related risks, such as data bias, model risk, privacy breaches and reputational harm. The form of enforcement varies depending on the underlying breach. The FSC and the Financial Super - visory Service oversee disclosure and market con - duct issues, while the Personal Information Protection Commission is responsible for data protection mat - ters. The Korea Fair Trade Commission may address unfair practices, and the Ministry of Science and ICT oversees AI-specific obligations. Criminal matters may be pursued by prosecutors. Civil liability may be enforced by the company, shareholders, including through derivative actions, or affected third parties. 8.4 Key Disclosure Requirements for AI Use At present, Korea does not have a generally appli - cable rule requiring companies to include a separate AI section in annual reports, sustainability reports or prospectuses. There is also no uniform line-item disclosure requirement obliging issuers to describe AI strategy, governance, incidents or controls solely because AI is used in the business.

In practice, Korean disclosure remains materiality driven. If AI use is material to the company’s busi - ness model, regulatory profile, privacy or cybersecu - rity exposure, operational resilience or incident history, it should be addressed within the existing disclosure framework for business reports or offering documents. The same applies where omission of AI-related risks could render the disclosure misleading. There are, however, AI-specific transparency obliga - tions outside the capital markets disclosure regime. Under the AI Basic Act, certain AI-generated outputs must be identified as such, and high-impact and generative AI are subject to transparency and safety- related obligations. Under the Personal Information Protection Act, controllers using automated deci - sion-making must disclose relevant standards and procedures and respond to data subject requests as required by law. These obligations are not equivalent to prospectus-style disclosure duties, but they form part of the broader Korean disclosure environment for AI use.

662 CHAMBERS.COM

Powered by