
In 2020, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds and Yuanta Futures (hereinafter referred to as the five subsidiaries) obtained ISO/IEC 27001:2013 certification for their information security management system (ISMS) and continue to strengthen information security monitoring and management with the PDCA (Plan-Do-Check-Act) cycle framework, to enhance the depth and breadth of the Group's information security governance and to provide safe and secure financial services to our customers.
Yuanta Securities' “Personal Data Protection Implementation Team” is tasked with formulating personal information protection regulations governing the collection, processing, and use of personal information. Each year, a personal information safety breach contingency drill is held to ensure our ability to respond to any potential personal information issues. We also hold an annual personal information protection management review to certify that personal information protection policies are implemented properly. In 2018, Yuanta Bank and Yuanta Life received “BS 10012:2017 Personal Information Management System (PIMS)” certification, and Yuanta Securities did the same in January 2019. Yuanta Bank and Yuanta Life continue to maintain the established personal information protection management measures, and their certification was renewed in 2019 and 2020. There were no breaches of customer privacy in 2020.
In view of the different industry-specific characteristics of each company, Group subsidiaries have each established individual personal information protection regulations and cyber security management regulations to protect customer rights and interests, so that each department can implement the protection of customer information, ensure that customer information is secure, and collect, process and use customer information lawfully within the scope of our authorization. Yuanta Financial Holdings established the Yuanta Financial Holdings and Subsidiary Companies Customer Information Confidentiality Measures and holds information security and personal information protection training courses to promote consistent compliance across subsidiaries and divisions and to ensure employees fully understand the importance of personal information handling and protection in maintaining customer and investor privacy. This year, the 37 relevant training courses held were attended by 12,868 participants for a total of 13,550 training hours.

In order to strengthen information security management, the Company and its five subsidiaries have established an “Information Security Policy”, which is approved by their respective boards of directors. Each year, the chairman, president, chief auditor, and head of the information security unit jointly issue a statement on the overall implementation of information security and submit it to the board of directors in order to strengthen information security governance and improve the oversight responsibility of governance.
The Company's Board of Directors approved the organizational rules in December 2020 to establish an independent and dedicated “Information Security Department” and a Chief Information Security Officer (CISO) responsible for the Company's overall information security governance, planning, oversight and promotion, and for the implementation of information security management operations, coordinating the promotion of information security policies and resource allocation, and reporting the information security implementation status to the Board of Directors each year.

