Yuanta FHC

Information Security
1. Information Security Management Mechanism

Yuanta FHC has set forth an “Information Security Policy” approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and its subsidiaries and to formulate relevant information security management regulations and procedures to ensure the confidentiality, integrity, and availability of important information of Yuanta FHC. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”

In order to strengthen Yuanta FHC’s decision-making on information security issues, enhance information security supervision, and coordinate the promotion of information security policies and the allocation of resources across the group, Yuanta FHC’s board of directors approved the organizational procedures in December 2020 to establish an independent, dedicated information security unit, the “Information Security Department,” headed by a Chief Information Security Officer (CISO). The CISO is responsible for information security governance and for planning, supervising, and promoting the implementation of information security management operations throughout Yuanta FHC, and reports the status of information security handling and implementation to the board of directors on a regular basis.

Furthermore, in line with the Financial Cyber Security Action Plan, CISO positions were established in November and December 2021 at Yuanta Securities, Yuanta Bank, Yuanta Funds, and Yuanta Futures, respectively, to supervise and promote the implementation of information security management operations and to report annually to each board of directors on the status of information security practices. The subsidiaries have also set up dedicated information security units responsible for planning, supervising, and implementing information security management operations, and these units report the overall implementation status to their boards of directors every year to strengthen information security oversight.

2. Information Security Organizational Operating Structure

In order to coordinate the management of information security matters, Yuanta FHC has set up an inter-departmental “Information Security Group,” whose convener and vice convener are appointed by the president. The group holds regular information security meetings and management review meetings to discuss the implementation of information security management and other information security-related matters, with the aim of enhancing the group’s overall information security protection capabilities.

3. Introduction of International Information Security Management Standards and Related Certifications

In order to continuously improve the information security management system, and in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all introduced the ISO 27001 Information Security Management System (ISMS) and have been certified by the British Standards Institution (BSI). Annual surveillance audits and a recertification audit every three years are conducted to maintain the validity of the certificate, and the PDCA (Plan-Do-Check-Act) cycle is used to continuously strengthen the monitoring and management of information security and to implement the international standard.

4. Information Security Protection and Inspection

In view of rising information security threats, changes in cyber threats and risks brought about by technological development, and constantly evolving external attack techniques, information security management focuses on information security protection, including internal self-audits, external active detection, disaster response exercises, and management enhancement, in addition to implementing information governance and complying with laws and regulations. Furthermore, Yuanta FHC has actively introduced various automated detection and behavior monitoring systems to prevent illegal or malicious behavior, covering both the real-time monitoring and blocking of external threats and the control of data access, user operations, and equipment segmentation in the internal environment, supported by a layered isolation and filtering mechanism.

5. Information Security Intelligence and Joint Defense Mechanism

In addition to the above information security protection measures, Yuanta FHC and its major subsidiaries assign dedicated personnel to handle intelligence from the Financial Information Sharing and Analysis Center (F-ISAC) and other external information security sources. They update system configurations and settings based on F-ISAC recommendations or evaluation results and report the processing status on a regular basis, so as to keep abreast of emerging information security intelligence and formulate countermeasures. Threat intelligence is also integrated into the relevant information security defense systems to achieve the effect of joint defense.

To support the regular analysis of information security events described above, Yuanta Bank and Yuanta Securities have introduced a Security Information and Event Management (SIEM) platform to detect information security events such as abnormal internal usage behavior and external attacks, thereby strengthening their analysis capability. The SIEM platform correlates abnormal events to identify potential risks that threaten information security, so that attacks can be detected and responded to quickly, improving both defensive capacity and response capability. Yuanta FHC and its subsidiaries Yuanta Life, Yuanta Funds, and Yuanta Futures have also planned to introduce the platform to ensure the effectiveness of information security protection and monitoring.

6. Management of Information Security Events

Yuanta FHC and its major subsidiaries have defined procedures for reporting and handling information security events, with the reporting and handling requirements corresponding to the severity level of the event. The information unit is required to troubleshoot and resolve the event within the target handling time and to analyze the event after it has been handled in order to prevent recurrence.

7. Performance Overview of Major Information Security Activities in 2021:

  1. Implementation of international standards for information security:
    Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Futures, and Yuanta Funds have each passed the annual surveillance audit of the ISO 27001 Information Security Management System (ISMS) conducted by BSI, confirming the continued validity of their certificates. The current certificate of Yuanta FHC is valid from December 2020 to December 2023.
  2. Information security protection and inspection:
    Yuanta FHC conducts information security assessments and related testing through independent third parties to review the effectiveness of the controls in place.
  3. Information security education and training:
    In 2021, Yuanta FHC and its major subsidiaries completed three hours of information security education and training for general employees and fifteen hours of professional information security training courses for information security specialists to enhance information security capabilities. In addition, email social engineering exercises are held periodically each year to raise the information security awareness of all employees.
  4. The report on Yuanta FHC’s information security practices was presented to the 39th meeting of the eighth session of the board of directors on March 15, 2022.

Yuanta Financial Holding Company (FHC) has established a personal data protection system and implements it in all of its businesses. In addition to internal rules and regulations such as the “Personal Data Protection Policy” and the “Personal Data Management Regulations” that are reviewed and amended from time to time, an inter-departmental, inter-office Personal Data Protection Team (hereinafter referred to as the “PDPT”) has been set up as a dedicated unit responsible for promoting, coordinating, and supervising all matters related to personal data protection at Yuanta FHC.

The PDPT is composed of a Vice President or above designated by the President as the convener and vice convener, with representatives from each department as members of the team. PDPT meetings are convened to discuss personal data protection matters as required by the execution of its business. The PDPT conducts a personal data protection management review at least once a year, and the results of the review are reported to the Board of Directors together with the annual report on the implementation of the legal compliance system.

Yuanta FHC conducts at least one assessment of the personal data risks faced by the Company’s business every year and establishes control measures based on the assessment results; the results and related analyses are submitted to the PDPT meetings. In the event of a personal data security or leakage incident, in addition to the reporting of operational risk events by each department and office in accordance with the prescribed procedures, the Information and Technology (IT) Department handles the information-related risks in accordance with the regulations on information security risks, and the Risk Management Department provides prevention or improvement suggestions addressing the causes of the incident. In addition, personal data protection is included in the Company’s internal audits and in regular annual training courses to enhance employees’ awareness of personal data protection.

In order to provide a mechanism for customers to exercise their statutory rights with respect to their personal data and to comply with privacy protection requirements, Yuanta FHC discloses on its website the “Customer Data Confidentiality Measures” in accordance with the Financial Holding Company Act, the Regulations for the Management of Shared Marketing Across Subsidiaries of Financial Holding Companies, and other relevant laws and regulations. These measures clearly state that Yuanta FHC will not disclose customers’ personal data to third parties except under the circumstances specified therein or with the customer’s written consent. In addition, a Privacy Statement posted on the official website explains Yuanta FHC’s collection policies, its storage and protection measures for personal data, and customers’ rights to inquire about, correct, and delete such data. An email address is also provided as a channel for comments, so that customers are aware of their rights and interests and can use the various services provided on the Yuanta FHC website with confidence.