
Information Security
1. Cyber Security Risk Management Framework and Mechanism

The board of directors is the highest decision-making body for information security management of Yuanta Financial Holding Company (FHC). Yuanta FHC has set forth an “Information Security Policy” approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and its subsidiaries and to formulate relevant information security management regulations and procedures to ensure the confidentiality, integrity, and availability of important information of Yuanta FHC. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”

In order to strengthen decision-making on information security issues, Yuanta FHC and its major subsidiaries have each appointed a chief information security officer to coordinate the promotion of information security policies and the deployment of resources, as well as a dedicated information security unit or authority responsible for information security planning, monitoring, and implementation of information security management operations. Yuanta FHC has ten (10) information security professionals in its dedicated information security unit. The overall information security implementation status is reported to the board of directors annually to strengthen information security oversight. The report on Yuanta FHC’s information security practices was presented at the eleventh (11th) meeting of the ninth (9th) board of directors on February 1, 2023.

In order to coordinate the management of information security matters, Yuanta FHC has set up an inter-departmental “Information Security Group,” with the chief executive officer appointing the convener and vice convener, which holds regular information security meetings and management review meetings. Seven (7) meetings were held in 2022 to discuss the implementation of information security management and information security-related matters to enhance the overall information security protection capabilities.

Yuanta FHC regularly convenes a joint meeting of the Yuanta Group’s information security supervisors, with the chief information security officer of Yuanta FHC as the convener. The members of the meeting include the chief information security officers of the subsidiaries and their information security supervisors to share information on the Yuanta Group’s strategies, key issues, matters to be coordinated or discussed among subsidiaries, and experience to enhance inter-group communication and strengthen information security joint defense.

2. Specific Management Plans and Input Resources
  1. Introduction of international information security management standards and attainment of certification

     In order to continuously improve the information security governance system, in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all adopted the ISO 27001 Information Security Management System (ISMS) standard, under which certification is renewed annually and re-audited every three years. All were certified by the British Standards Institution (BSI) in 2022; the certificates remain valid, and information security monitoring and management continue to be strengthened under the PDCA (Plan-Do-Check-Act) management cycle. The current certificate of Yuanta FHC is valid from December 2020 to December 2023.

     Furthermore, in order to improve business continuity management capacity and comply with the Financial Cyber Security Action Plan, Yuanta Bank and Yuanta Life introduced ISO 22301 (Security and Resilience: Business Continuity Management Systems) in 2022, which was validated by BSI. Based on a risk-oriented approach, business-side and system-side resources are combined to ensure that operational standards can be maintained under any circumstances, to reduce the risk of business interruption, and to make the organization more resilient.

  2. Information security protection mechanism

     We have set up a multi-level, defense-in-depth framework, including network firewalls, application firewalls, intrusion detection systems, spam filtering, mail APT protection, Internet behavior management, anti-virus systems, information security event management, and endpoint protection, to ensure information system security. We have also actively implemented various automated detection and monitoring systems to manage and control both external threats (such as real-time monitoring and blocking) and the internal environment (such as data access, operational behavior monitoring, and equipment compartmentalization), preventing unlawful or malicious behavior by means of layered isolation and filtering, in order to respond to cyber security threats and enhance overall information security defense capability.

     In addition, in order to integrate people, processes, and technologies, to monitor information security threats centrally and in real time, and to keep track of information security status, Yuanta Bank and Yuanta Securities established a security operation center (SOC) monitoring and control mechanism in 2022 to correlate and analyze overall information security threats in real time, enhance response and management capabilities, and ensure transaction security and operational continuity.

  3. Information security protection testing

     To safeguard the stability and security of information systems and the integrity and effectiveness of established controls, Yuanta FHC and its major subsidiaries regularly perform vulnerability scanning, penetration testing, distributed denial of service (DDoS) exercises, social engineering exercises, and information security assessments through independent third-party organizations. Moreover, in 2022 Yuanta Securities and Yuanta Bank also conducted red team/blue team (offensive and defensive) exercises through professional third-party organizations to strengthen their detection and response capabilities against attacks.

  4. Information security intelligence and joint defense

     Yuanta FHC and its major subsidiaries assign dedicated personnel to handle intelligence from the Financial Information Sharing and Analysis Center (F-ISAC) and external information security intelligence sources. They update system configurations and settings based on the recommendations or evaluation results received and report their processing status on a regular basis, so as to keep abreast of emerging information security intelligence and formulate countermeasures. Threat intelligence is also integrated into the relevant information security defense systems to achieve joint defense effectiveness.

     Yuanta FHC, Yuanta Bank, Yuanta Securities, Yuanta Life, and Yuanta Futures have introduced a Security Information and Event Management (SIEM) platform to detect information security events such as internal abnormal usage behavior and external attacks, in order to strengthen analysis capability. If the SIEM platform identifies potential risks threatening information security, the corresponding abnormal events are analyzed and handled so as to build the defensive and response capability needed to quickly detect and respond to attacks, guaranteeing the effectiveness of information security protection and monitoring.

  5. Information security education and training

     In 2022, Yuanta FHC and its major subsidiaries completed three (3) hours of information security education and training for general employees and fifteen (15) hours of information security professional training courses for information security specialists to enhance information security capabilities. Furthermore, email social engineering exercises are held regularly to raise the information security awareness of all employees.

3. Management of Major Cyber Security Incidents

Yuanta FHC and its major subsidiaries have established procedures for notifying and handling information security incidents, notifying at the appropriate level according to the level of the incident, eliminating and resolving the incident within the target processing time, and analyzing the incident after it is completed in order to prevent recurrence.

Handling of major cyber security incidents requires a high degree of timeliness. Yuanta FHC has set up a “Computer Information Security Incident Response Team,” with the chief executive officer of Yuanta FHC as the convener, to immediately take stock of major information security incidents, support Yuanta FHC and its subsidiaries in responding to them, and reduce the damage from such incidents.

For the most recent year and as of the printing date of the Annual Report, there were no major cyber security incidents.

Yuanta Financial Holding Company (FHC) has established a personal data protection system and implements it in all of its businesses. In addition to internal rules and regulations such as the “Personal Data Protection Policy” and the “Personal Data Management Regulations” that are reviewed and amended from time to time, an inter-departmental, inter-office Personal Data Protection Team (hereinafter referred to as the “PDPT”) has been set up as a dedicated unit responsible for promoting, coordinating, and supervising all matters related to personal data protection at Yuanta FHC.

The PDPT is composed of a President-designated Vice President or above as the convener and vice convener, and representatives from each department as members of the team. PDPT meetings are convened to discuss personal data protection matters as business execution requires. The PDPT conducts a personal data protection management review at least once a year, and the results of the review are reported to the Board of Directors together with the annual implementation of the legal compliance system.

Yuanta FHC conducts at least one assessment of the personal data risks faced by the Company’s business every year and establishes control measures based on the assessment results; the results and related analyses are submitted to the PDPT meetings. In the event of a personal data security or leakage incident, in addition to the reporting of operational risk events by each department and office in accordance with the prescribed procedures, the Information and Technology (IT) Department shall follow the regulations related to information security risks when dealing with the information-related risks. The Risk Management Department shall provide prevention or improvement suggestions addressing the causes of personal data security incidents. In addition, personal data protection is also included in the Company’s internal audits and regular annual training courses to enhance employees’ awareness of personal data protection.

In order to provide a mechanism for customers to exercise their statutory rights with respect to their personal data and to comply with privacy protection, Yuanta FHC discloses on its website the “Customer Data Confidentiality Measures” in accordance with the Financial Holding Company Act, the Regulations for the Management of Shared Marketing Across Subsidiaries of Financial Holding Companies, and other relevant laws and regulations, to clearly state that Yuanta FHC will not disclose customers’ personal data to third parties except under the circumstances specified in these measures or with customers’ written consent. In addition, a Privacy Statement is posted on the official website to explain Yuanta FHC’s collection policies, storage and protection measures for personal data, and the rights of customers to inquire, correct, and delete such data. An email address is also provided as a channel for comments, so that customers are aware of their rights and interests and can use the various services provided by the Yuanta FHC website with peace of mind.