Yuanta FHC has set forth an “Information Security Policy” approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and its subsidiaries and to formulate relevant information security management regulations and procedures to ensure the confidentiality, integrity, and availability of important information of Yuanta FHC. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”
In order to strengthen Yuanta FHC's decision-making on information security issues, strengthen information security supervision, and coordinate the overall promotion of information security policies and the allocation of resources, Yuanta FHC's board of directors approved the organizational procedures in December 2020 to establish an independent, dedicated information security unit, the "Information Security Department," and a Chief Information Security Officer (CISO). The CISO is responsible for information security governance and for planning, supervising, and promoting the implementation of information security management operations throughout Yuanta FHC, and reports the handling and implementation status of information security to the board of directors on a regular basis.
Furthermore, in line with the Financial Cyber Security Action Plan, CISO positions were established in November and December 2021 at Yuanta Securities, Yuanta Bank, Yuanta Funds, and Yuanta Futures to supervise and promote the implementation of information security management operations and to report annually to each board of directors on the status of information security practices. The subsidiaries have also set up information security units responsible for planning, supervising, and implementing information security management operations, and these units report the overall information security implementation status to their boards of directors every year to strengthen information security monitoring.
In order to coordinate the management of information security matters, Yuanta FHC has set up an inter-departmental “Information Security Group,” with the president appointing the convener and vice convener, which holds regular information security meetings and management review meetings to discuss the implementation of information security management and information security-related matters in order to enhance the overall information security protection capabilities.
In order to continue improving the information security management system, and in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all introduced the ISO 27001 Information Security Management System (ISMS) and have been certified by the British Standards Institution (BSI). Annual reviews and a full re-review every three years are conducted to maintain the validity of the certificate, and the PDCA (Plan-Do-Check-Act) cycle is used to continuously strengthen the monitoring and management of information security and to implement international standards.
In view of rising information security threats, the changes in cyber threats and risks brought about by technological development, and rapidly evolving external attack techniques, information security management focuses on information security protection, including internal self-audits, external active detection, disaster response exercises, and management enhancement, in addition to implementing information governance and complying with laws and regulations. Furthermore, Yuanta FHC has actively introduced automated detection and behavior monitoring systems to prevent illegal or malicious behavior, covering both the real-time monitoring and blocking of external threats and, in the internal environment, the control of data access, user operations, and equipment partitioning, supported by a layered isolation and filtering mechanism.
In addition to the above information security protection measures, Yuanta FHC and its major subsidiaries assign dedicated personnel to handle intelligence from the Financial Information Sharing and Analysis Center (F-ISAC) and other external information security intelligence sources. These personnel update system configurations and settings based on the recommendations or evaluation results received, report their processing status on a regular basis so that the company keeps abreast of emerging threat intelligence and formulates countermeasures, and integrate this threat intelligence into the relevant information security defense systems to achieve joint defense.
To support the regular analysis of information security events described above, Yuanta Bank and Yuanta Securities have introduced a Security Information and Event Management (SIEM) platform to detect information security events such as internal abnormal usage behavior and external attacks, thereby strengthening their analysis capability. The SIEM platform analyzes potential risks that threaten information security based on the abnormal events it collects, so that attacks can be detected and responded to quickly and defensive and response capabilities are strengthened. Yuanta FHC and its subsidiaries Yuanta Life, Yuanta Funds, and Yuanta Futures have also planned to introduce the platform to ensure the effectiveness of information security protection and monitoring.
Yuanta FHC and its major subsidiaries have defined procedures for reporting and handling information security events, with the required level of reporting and handling determined by the level of the event. The information unit is required to troubleshoot and resolve the event within the target processing time and, once the event has been handled, to analyze it to prevent recurrence.
- Implementation of international standards for information security:
Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Futures, and Yuanta Funds have each passed the annual renewal review of ISO 27001 Information Security Management System (ISMS) and have been certified by the BSI to confirm the validity of the certificate. The current certificate of Yuanta FHC is valid from December 2020 to December 2023.
- Information security protection and inspection:
Yuanta FHC conducts information security assessments and related testing through independent third parties to review the effectiveness of the controls in place.
- Information security education and training:
In 2021, Yuanta FHC and its major subsidiaries completed three hours of information security education and training for general employees and fifteen hours of professional information security training courses for information security specialists to enhance information security capabilities. In addition, email social engineering exercises are held periodically each year to raise the information security awareness of all employees.
- The report on Yuanta FHC’s information security practices was reported to the 39th meeting of the eighth session of the board of directors on March 15, 2022.