Information Security

    Management System

    Organizational Structure

    Information Security Bureau

    POSCO operates the Information Security Bureau under the DX Strategy Office, which reports directly to the CEO, as the central hub for company-wide information security. The Bureau oversees the development and execution of company-wide information security strategies and performs core functions across all areas of information security ― including preventing information leaks and security incidents, responding to external intrusion threats, establishing information security policies and strategies, and planning and conducting security training. POSCO also maintains a field-level security framework comprising regional information security departments and dedicated information security officers appointed within each department under the responsibility of department heads. Each regional lead information security department works in close collaboration with the Information Security Bureau to carry out region-specific information security activities in alignment with the company-wide information security direction.

     

    Information Security Committee

    POSCO reviews the direction of its company-wide information security strategy and policies by comprehensively considering changes in the internal and external security environment as well as the characteristics of its operations. To formalize this process, POSCO operates the Information Security Committee*, which deliberates on and approves company-wide information security policies. Decisions made by the Committee are reflected in internal regulations and business processes and applied consistently across the entire organization. Building on this governance structure, POSCO maintains a proactive framework to prevent security threats while ensuring a prompt and systematic response process when security incidents occur.

    • *Information Security Committee Role: Reviewing company-wide information security strategic directions and implementation plans; reviewing the establishment, revision, and abolition of information security regulations and guidelines

    Policies

    Security Operations Across Administrative, Technical, and Physical Domains

    To respond to changes in laws and regulations, technological advancements, and the growing complexity of the business environment, POSCO operates an integrated information security system encompassing administrative, technical, physical, and human factors. POSCO continuously analyzes domestic and international information security laws and global regulatory requirements, enabling it to take a proactive approach to a broad range of security risks.

    Since obtaining ISO 27001 certification (the international standard for information security management systems) in 2021, we have maintained a global-level security management system through regular surveillance audits. In 2025, we obtained TISAX (Trusted Information Security Assessment eXchange) certification issued by the ENX Association (European Network Exchange Association). We also provide tailored information security consulting to overseas subsidiaries, operating companies, and business partners, working to raise security standards across the entire value chain.

    Through these information security activities, we pursue three core values: minimizing security risks, complying with regulatory requirements and applicable laws, and ensuring the reliability and security of our information assets.

    Information Security Policy

    Grounded in our Information Security Principles, POSCO has established Information Security Regulations and Personal Information Security Regulations, supplemented by detailed guidelines for specific areas, including the Document Management Guidelines and Drawing Management Guidelines, to continuously strengthen information security across the organization. Through this framework, we minimize the likelihood of security incidents and ensure the protection and stable management of critical information assets.

    In particular, we have established security management standards that span the full lifecycle of critical information, including documents, drawings, and technical data, governing systematic management across storage, transfer, sharing, and disposal. We also define and implement administrative and technical safeguards under our Personal Information Security Regulations to protect the personal information of customers and employees.

    To respond to the evolving information security landscape, we annually review and revise relevant regulations and guidelines in line with the latest laws, regulatory frameworks, and industry developments. All documents are made accessible to employees through the standard document management system, and major revisions are announced via the internal portal system (EP), helping employees stay informed and compliant.

    Management Activities

    Information Security Activities

    Core Technology Protection and Information Protection Across the Steel Value Chain

    POSCO holds seven national core technologies and undergoes annual security management assessments conducted by the Korean government for their protection. We identify key assets such as human resources, documents, facilities, and information systems related to these national core technologies, and apply risk-based protection measures to each asset. In addition, we regularly assess and review the management status of key technology assets to identify security vulnerabilities and continuously implement mitigation measures to prevent technology leakage and maintain a secure management environment.

    To enhance the reliability of information security across our steel business, we implement a range of initiatives to strengthen security throughout the value chain, including domestic and overseas subsidiaries and core partner companies with whom information is shared. We conduct annual security assessments, provide tailored consulting, and offer employee training to prevent security risks across the supply chain and strengthen joint response capabilities. These efforts help us advance the maturity of the value chain security ecosystem and reinforce our trust with customers and partners.

    Information Security Support Activities
    • Assessment of overall security posture and system operation frameworks
    • Inspection of security system operations and support for penetration testing
    • Strengthening of security management capabilities and cultivation of security professionals

    Privacy Policy and Protection of Data Subject Rights

    POSCO has established a Privacy Policy to protect personal information and discloses it on its official website. POSCO strictly manages the full life cycle of personal information, from collection and use to retention and disposal. As of 2025, POSCO recorded zero personal information breaches and zero information security incidents.


    Procedures for Obtaining Consent from Stakeholders for the Company’s Processing, Provision, and Retention of Their Confidential Information 

    To process, share, and retain confidential information, including personal information, POSCO obtains a Security Pledge and a Consent Form for the Collection, Use, and Third-Party Provision of Personal Information from stakeholders. POSCO specifies these requirements in its internal Personal Information Protection Regulations to strengthen its management framework. POSCO also requires explicit consent from data subjects through its electronic pledge system. These processes are disclosed in detail in POSCO’s publicly available Privacy Policy, further enhancing transparency in information processing.

    Information Security and Personal Information Protection Awareness Enhancement

    Information Security Training

    POSCO promotes information security awareness among all employees and integrates security into daily work routines, empowering every member of the organization to take ownership of information protection. All employees are required to complete a mandatory annual information security e-learning course. In addition, specialized role-based training is provided separately to new hires, employees in secretary roles, and personnel handling national core technologies. 

    E-learning Training Record (2025)

    Enrolled (persons)    Completed (persons)    Completion Rate (%)
    17,223                17,223                 100


    Security Awareness Enhancement and Operation of the Information Security Reporting Center 

    To strengthen security awareness and foster a voluntary security culture, POSCO holds an Information Security Day on an annual basis. Through a commemorative message from the CEO, the strategic value and importance of security are shared across the organization. We also reinforce training and communication on the latest security policy developments through a council of departmental information security officers.

    Our Information Security Regulations require the reporting of security incidents and related events. We operate an internal Information Security Reporting Center where all employees can freely report hacking incidents, signs of information leakage, and security vulnerabilities, as well as submit ideas for strengthening security. Employees who actively contribute to security activities including security reporting are recognized and rewarded, while violations of security rules are addressed in accordance with relevant regulations.

    Information Security Risk Management Activities

    Information Security Incident Prevention and Response

    POSCO monitors global cyber threat trends in real time through its Integrated Security Control Center, which operates 24 hours a day, 365 days a year. The Center detects, blocks, and mitigates threats through the integration of various security solutions and control systems, while also establishing a proactive response framework based on the continuous collection and in-depth analysis of domestic and international hacking attempts and anomalous activities.

    To further strengthen our defenses against external cyberattacks, we conduct security risk assessments across the planning, design, and operational phases of our systems. We also continue to reinforce our company-wide integrated defense framework to address increasingly complex and evolving cyber threats, including sophisticated AI-enabled attacks and emerging vulnerabilities arising from the broader adoption of AI technologies. In addition, regular penetration testing is carried out on critical websites and business systems to proactively identify and remediate potential security vulnerabilities.

    Threat Detection Process

    POSCO has established and operates a five-level cyber threat alert system, aligned with the judgment criteria for the Cyber Crisis Warning Levels of the Korea Internet & Security Agency (KISA), to enable responses based on internal cyber threat levels.

    Based on this framework, we have established a Cyber Crisis Response Manual that clearly defines response procedures for each type of cyber threat, along with the roles and responsibilities of relevant departments, to ensure immediate response to cyber threats and prevent the spread of damage.

    POSCO Internal Threat Alert Levels