The board of directors is the highest decision-making body for information security management of Yuanta Financial Holding Company (FHC). Yuanta FHC has set forth an “Information Security Policy” approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and its subsidiaries and to formulate relevant information security management regulations and procedures to ensure the confidentiality, integrity, and availability of important information of Yuanta FHC. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”
To strengthen decision-making on information security issues, Yuanta FHC and its major subsidiaries have each appointed a chief information security officer to coordinate the promotion of information security policies and the deployment of resources, together with a dedicated information security unit or function responsible for information security planning, monitoring, and the implementation of information security management operations. Yuanta FHC has ten (10) information security professionals in its dedicated information security unit. The overall status of information security implementation is reported to the board of directors annually to strengthen information security oversight. The report on Yuanta FHC’s information security practices was presented at the eleventh (11th) meeting of the ninth (9th) board of directors on February 1, 2023.
In order to coordinate the management of information security matters, Yuanta FHC has set up an inter-departmental “Information Security Group,” with the chief executive officer appointing the convener and vice convener, which holds regular information security meetings and management review meetings. Seven (7) meetings were held in 2022 to discuss the implementation of information security management and information security-related matters to enhance the overall information security protection capabilities.
Yuanta FHC regularly convenes a joint meeting of the Yuanta Group’s information security supervisors, with the chief information security officer of Yuanta FHC as the convener. The members of the meeting include the chief information security officers of the subsidiaries and their information security supervisors to share information on the Yuanta Group’s strategies, key issues, matters to be coordinated or discussed among subsidiaries, and experience to enhance inter-group communication and strengthen information security joint defense.
- Introduction of international information security management standards and obtaining certification
- Information security protection mechanism
- Information security protection testing
- Information security intelligence and joint defense
- Information security education and training
To continuously improve the information security governance system, in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all adopted the ISO 27001 Information Security Management System (ISMS) standard, under which certification is renewed annually and re-audited every three years. All of these companies were certified by the British Standards Institution (BSI) in 2022; the certificates remain valid, and we continue to strengthen the monitoring and management of information security through the PDCA (Plan-Do-Check-Act) quality management framework. The current certificate of Yuanta FHC is valid from December 2020 to December 2023.
Furthermore, to improve business continuity management capacity and comply with the Financial Cyber Security Action Plan, Yuanta Bank and Yuanta Life introduced ISO 22301 (Security and Resilience: Business Continuity Management Systems) in 2022, which was validated by BSI. Based on a risk-oriented approach, we combine business-side and system-side resources to ensure that operational standards can be maintained under any circumstances, to reduce the risk of business interruption, and to make the organization more resilient.
We have set up a multi-level, defense-in-depth framework, including network firewalls, application firewalls, intrusion detection systems, spam filtering, email APT (advanced persistent threat) protection, Internet behavior management, anti-virus systems, information security event management, and endpoint protection to ensure information system security. We have also actively implemented automated detection and monitoring systems that manage and control both external threats (for example, real-time monitoring and blocking) and the internal environment (for example, data access, monitoring of operational behavior, and equipment segmentation). Through this layered isolation and filtering mechanism we aim to prevent unlawful or malicious behavior, respond to cyber security threats, and enhance overall information security defense capability.
In addition, to integrate people, processes, and technologies, monitor information security threats centrally and in real time, and keep track of the overall information security status, Yuanta Bank and Yuanta Securities established a security operations center (SOC) monitoring and control mechanism in 2022. The SOC correlates and analyzes overall information security threats in real time, enhances response and management capabilities, and helps ensure transaction security and operational continuity.
To safeguard the stability and security of information systems and the integrity and effectiveness of established controls, Yuanta FHC and its major subsidiaries regularly perform vulnerability scanning, penetration testing, distributed denial of service (DDoS) exercises, social engineering exercises, and information security assessments through independent third-party organizations. Moreover, in 2022 Yuanta Securities and Yuanta Bank also conducted red team/blue team offensive and defensive exercises through professional third-party organizations to strengthen their ability to detect and respond to attacks.
Yuanta FHC and its major subsidiaries assign dedicated personnel to handle information from the Financial Information Sharing and Analysis Center (F-ISAC) and external information security intelligence sources, to update system configurations and settings based on their recommendations or evaluation results, and to report processing status on a regular basis. This keeps the group abreast of emerging information security intelligence, allows countermeasures to be formulated, and feeds threat intelligence into the relevant information security defense systems to achieve joint defense.
Yuanta FHC, Yuanta Bank, Yuanta Securities, Yuanta Life, and Yuanta Futures have introduced a Security Information and Event Management (SIEM) platform to detect information security events, such as internal abnormal usage behavior and external attacks, and to strengthen analysis capability. If the SIEM platform identifies potential risks to information security, the corresponding abnormal events are analyzed and handled, so that attacks can be detected and responded to quickly and the effectiveness of information security protection and monitoring is maintained.
Yuanta FHC and its major subsidiaries have completed three (3) hours of information security education and training for general employees and fifteen (15) hours of information security professional training courses for information security specialists in 2022 to enhance information security capabilities. Furthermore, we also hold email social engineering exercises regularly to raise the information security awareness of all employees.
Yuanta FHC and its major subsidiaries have established procedures for reporting and handling information security incidents: incidents are escalated to the appropriate level according to their severity, contained and resolved within the target processing time, and analyzed after closure in order to prevent recurrence.
Handling of major cyber security incidents requires a high degree of timeliness. Yuanta FHC has set up a “Computer Information Security Incident Response Team,” with the chief executive officer of Yuanta FHC as the convener, to immediately assess the situation and support Yuanta FHC and its subsidiaries in responding to major information security incidents and reducing the damage they cause.
For the most recent year and as of the printing date of the Annual Report, there were no major cyber security incidents.