Yuanta FHC has established an “Information Security Policy,” which is subject to the approval of the Board of Directors, in order to build the information security management system for itself and its subsidiaries and to serve as the basis for the related information security management regulations and procedures that ensure the confidentiality, integrity and availability of its important information. Yuanta FHC’s information security policy is grounded in the protection of shareholders’ interests. It aims to “protect the security of information assets” and “keep the business operating to achieve corporate sustainability.”
In order to strengthen Yuanta FHC’s decision-making on information security issues, enhance information security supervision, consolidate the promotion and coordination of information security policies, and allocate resources, the Board of Directors approved an amendment to the articles of association in December 2020 that established an independent and dedicated information security unit, the “Information Security Dept.,” and the position of Chief Information Security Officer (CISO). Together they are responsible for information security governance, planning and supervision throughout the company, for driving the execution of information security management operations, and for reporting on information security practices to the Board of Directors periodically.
To continue improving the information security governance system, all information operations are required to comply with domestic and foreign information security laws and regulations. In addition, Yuanta FHC, Yuanta Securities, Yuanta Bank and Yuanta Life have implemented the ISO 27001 information security management system (ISMS) standard and been certified by BSI. To keep their certificates valid, they must complete an annual surveillance review and recertification every three years. Yuanta Futures and Yuanta Securities Investment Trust also implemented the ISO 27001 ISMS in December 2020 and passed certification by BSI, and they continue to strengthen information security management and control through the PDCA (Plan-Do-Check-Act) cycle.
Given the growing number of information security threats, the network threats and shifting risks that accompany technological development, and the need to respond to unpredictable external attacks, information security management must deliver both information governance and regulatory compliance, while risk control focuses on information security protection: internal self-checks, external proactive detection, disaster response drills, and strengthened management. Yuanta FHC has deployed a range of automated detection and behavior-monitoring systems to provide real-time monitoring and blocking of external threats, access control over internal data, and control and segmentation of equipment, so that illegal or malicious activities are prevented through strict separation and filtering mechanisms.
In addition to the information security protection policies above, Yuanta FHC and all of its subsidiaries participate in the Financial Information Sharing and Analysis Center (F-ISAC) and integrate the shared threat intelligence into their information security defenses to achieve the consolidated effect of joint defense. Each subsidiary also assesses potential risks with the assistance of an independent third party, and periodically completes vulnerability scanning, penetration testing, and computer information security inspections or assessments as required.
Further, information security management regulations are periodically reviewed and updated to meet the standards required by law and the latest information security regulations, and information system disaster recovery drills are conducted every year to raise crisis competency and awareness and to solidify the information security management mechanism.
- Compliance with international information security standards:
- Yuanta FHC, Yuanta Securities, Yuanta Bank and Yuanta Life all passed the annual surveillance review of the ISO 27001 ISMS standard, maintaining the validity of their BSI certificates. Yuanta FHC’s current ISO 27001 ISMS certificate is valid from December 2020 to December 2023.
- Yuanta Futures and Yuanta Securities Investment Trust also implemented the ISO 27001 information security management system (ISMS) in December 2020 and passed certification by BSI.
- Information security protection and inspection: Information security assessments and inspections are carried out by an independent third party in order to confirm the effectiveness of existing controls.
- Information security training: In 2020, Yuanta FHC and its subsidiaries completed 3 hours of information security training for general staff and a 15-hour information security professional training program for dedicated information security personnel, in order to upgrade their ability to maintain information security. The companies also conduct email social engineering drills periodically each year to raise all staff’s awareness of information security.
- On December 28, 2020, Yuanta FHC established an independent and dedicated information security unit, the “Information Security Dept.,” and the position of CISO. They are responsible for information security governance, planning and supervision throughout the company, for driving the execution of information security management operations, and for reporting on information security practices to the Board of Directors periodically each year.
- The report on information security management was submitted to the 25th meeting of the 8th Board of Directors on March 3, 2021.