
Information Security
Information security management framework and mechanism

Yuanta FHC has established an “Information Security Policy,” approved by the Board of Directors, to build the information security management system for itself and its subsidiaries. The policy also serves as the basis for the related information security management regulations and procedures that ensure the confidentiality, integrity and availability of its important information. Yuanta FHC’s information security policy is grounded in the protection of shareholders’ interests and aims to “protect the security of information assets” and “keep the business operating to achieve corporate sustainability.”

In order to strengthen Yuanta FHC’s decision-making on information security issues, enhance information security supervision, consolidate the promotion and coordination of information security policies and allocate resources, the Yuanta FHC Board approved amendments to the articles of association in December 2020 that added an independent, dedicated information security unit, the “Information Security Dept.,” and a CISO. They are responsible for information security governance, planning and supervision throughout the company, for driving the execution of information security management operations, and for reporting information security practices to the Board of Directors periodically.

International standards governing information security and personal data

In order to continue improving the information security governance system, all information operations are required to comply with domestic and foreign information security laws and regulations. Yuanta FHC, Yuanta Securities, Yuanta Bank and Yuanta Life have also implemented the ISO 27001 ISMS standard and passed certification by BSI; they must complete the annual surveillance review and recertification every three years to maintain the validity of the certificate. In addition, Yuanta Futures and Yuanta Securities Investment Trust implemented the ISO 27001 information security management system (ISMS) in December 2020 and passed certification by BSI, and they continue to strengthen information security management and control through the PDCA cycle.

Information security protection and inspection

In view of the growing information security threats, the network threats and changing risks brought by technological development, and the need to respond to unpredictable external attacks, information security management must deliver both information governance and compliance, while risk control focuses on information security protection: internal self-checks, external proactive detection, disaster response drills and management improvements. Yuanta FHC has actively deployed automated detection and behavior-monitoring systems for real-time monitoring and blocking of external threats, access control over internal data, and the operation and segmentation of equipment, so that illegal or malicious activities are prevented through strict separation and filtering mechanisms.

[Chart: Information Security Protection – Service Security Protection critical points]

Information security and business continuity

In addition to the information security protection measures above, Yuanta FHC and all of its subsidiaries participate in the Financial Information Sharing and Analysis Center (F-ISAC) and feed the shared threat intelligence into their information security defenses to achieve the consolidated effect of joint defense. Each subsidiary also assesses its potential risks with the assistance of an independent third party, and periodically completes vulnerability scanning, penetration testing, and computer information security inspections or assessments as required.

Further, the information security management regulations are periodically reviewed and updated to meet the standards required by law and the latest information security regulations, and an information system disaster recovery drill is carried out every year to increase crisis readiness and awareness and to solidify the information security management mechanism.

The important information security activities carried out in 2020 are outlined as follows:
  1. Compliance with international information security standards:
    • Yuanta FHC, Yuanta Securities, Yuanta Bank and Yuanta Life all passed the annual review of the ISO 27001 ISMS standard and BSI certification, maintaining the validity of their certificates. Yuanta FHC’s ISO 27001 ISMS certification is currently valid from December 2020 to December 2023.
    • Yuanta Futures and Yuanta Securities Investment Trust also implemented the ISO 27001 information security management system (ISMS) in December 2020 and passed certification by BSI.
  2. Information security protection and inspection: Information security assessments and inspections were carried out by an independent third party to confirm the effectiveness of the existing controls.
  3. Information security training: In 2020, Yuanta FHC and its subsidiaries completed 3 hours of information security training for general staff and a 15-hour information security professional training program for dedicated information security personnel, in order to upgrade their ability to maintain information security. The companies also organized email social engineering drills from time to time each year to raise the awareness of all staff towards information security.
  4. On December 28, 2020, Yuanta FHC set up an independent, dedicated information security unit, the “Information Security Dept.,” and a CISO, which are responsible for information security governance, planning and supervision throughout the company, for driving the execution of information security management operations, and for reporting information security practices to the Board of Directors each year.
  5. The report on information security management was submitted at the 25th meeting of the 8th Board of Directors on March 3, 2021.

Yuanta Financial Holding Company (FHC) has established a personal data protection system and implements it in all of its businesses. In addition to internal rules and regulations such as the “Personal Data Protection Policy” and the “Personal Data Management Regulations” that are reviewed and amended from time to time, an inter-departmental, inter-office Personal Data Protection Team (hereinafter referred to as the “PDPT”) has been set up as a dedicated unit responsible for promoting, coordinating, and supervising all matters related to personal data protection at Yuanta FHC.

The PDPT is composed of a Vice President or above designated by the President as convener and vice convener, and representatives from each department as members. PDPT meetings are convened to discuss personal data protection matters as business needs require. The PDPT conducts a personal data protection management review at least once a year, and the results of the review are reported to the Board of Directors together with the annual report on the implementation of the legal compliance system.

Yuanta FHC conducts at least one assessment of the personal data risks faced by the Company’s business every year and establishes control measures based on the assessment results; the results and related analyses are submitted to the PDPT meetings. In the event of a personal data security or leakage incident, in addition to the reporting of operational risk events by each department and office in accordance with the prescribed procedures, the Information and Technology (IT) Department shall follow the information security risk regulations when handling the information-related risks, and the Risk Management Department shall provide prevention or improvement suggestions addressing the causes of the incident. Personal data protection is also included in the Company’s internal audits and regular annual training courses to enhance employees’ awareness of personal data protection.

In order to provide a mechanism for customers to exercise their statutory rights with respect to their personal data and to comply with privacy protection, Yuanta FHC discloses on its website the “Customer Data Confidentiality Measures” in accordance with the Financial Holding Company Act, the Regulations for the Management of Shared Marketing Across Subsidiaries of Financial Holding Companies, and other relevant laws and regulations, to clearly state that Yuanta FHC will not disclose customers’ personal data to third parties except under the circumstances specified in these measures or with customers’ written consent. In addition, a Privacy Statement is posted on the official website to explain Yuanta FHC’s collection policies, storage and protection measures for personal data, and the rights of customers to inquire, correct, and delete such data. An email address is also provided as a channel for comments, so that customers are aware of their rights and interests and can use the various services provided by the Yuanta FHC website with peace of mind.