
Information Security
Cyber Security Risk Management Framework and Mechanism

The board of directors is the highest decision-making body for information security management of Yuanta Financial Holding Company (FHC). Yuanta FHC has established an “Information Security Policy” as the highest guiding principle for information security management. This policy, submitted to and approved by the board of directors, serves as the basis for establishing information security management systems and defining relevant information security management regulations and procedures for Yuanta FHC and subsidiaries. All employees must comply with these regulations. Furthermore, this policy also applies to third-party outsourced vendors to ensure the security of Yuanta FHC’s information assets. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation,” thereby fulfilling Yuanta FHC’s mission and vision. Yuanta FHC’s Information Security Policy is reviewed at least annually to reflect the latest developments in laws, technology, and business operations, safeguarding the applicability, suitability, and effectiveness of the cyber security management mechanism.

In order to strengthen Yuanta FHC’s decision-making on information security issues, Yuanta FHC and its major subsidiaries have each appointed a chief information security officer to take overall charge of promoting and coordinating information security policies and allocating resources. Yuanta FHC has also set up a dedicated or responsible unit for information security, which is in charge of information security planning, monitoring, and the execution of information security management operations, and which reports annually to the board of directors on the overall implementation of information security in the previous year, in order to strengthen the board’s supervision of information security. Yuanta FHC’s dedicated information security unit is staffed with nineteen (19) information security professionals, and the report on the information security implementation status was presented on February 25, 2026 at the twelfth (12th) meeting of the tenth (10th) board of directors.

To enhance the integrity and effectiveness of information security risk management, the board of directors resolved on June 25, 2025 to amend “The Risk Management Committee Charter of Yuanta Financial Holdings Co., Ltd.” to include information security in the responsibilities of the Risk Management Committee and to appoint independent directors with expertise in information security as members. Since the Risk Management Committee now has information security among its responsibilities, Yuanta FHC plans to rename the “Risk Management Committee” the “Risk Management and Information Security Committee” to improve the cyber security risk management mechanism.

With the purpose of coordinating the management of information security matters, Yuanta FHC has formed a cross-departmental “Information Security Group,” with a convener and deputy convener appointed by the Chief Executive Officer, which holds regular Information Security Group meetings and information security management review meetings. In 2025, a total of four (4) meetings were held to discuss issues related to the implementation of information security management, internal and external information security supervision requirements, progress of important information security projects, handling of threatening intelligence, audit deficiencies, risk control, and information security risk indicators, in order to improve the overall resilience of information security management.

Specific Management Plans and Input Resources

The specific management programs and the resources invested in establishing comprehensive information security protection, in order to achieve the information security policy and objectives, are set out below:

Introduction of international information security management standards and certification

In order to continuously improve the information security governance system, in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all adopted the ISO 27001:2022 Information Security Management System (ISMS) standard. An independent third-party certification body conducts annual renewal audits and a full re-audit every three years. All of these companies were certified in 2025, and the certificates remain valid. We also conduct regular internal audits of the information security management system and continuously strengthen the monitoring and management of information security using the PDCA (Plan-Do-Check-Act) quality management framework. Yuanta FHC’s certificate is valid from December 2023 to December 2026.
(Note: Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures account for 99.97% of the Group’s total capital.)

In line with the Financial Cyber Security Action Plan of Taiwan’s Financial Supervisory Commission (FSC), and to increase the capacity of business continuity management, Yuanta Bank, Yuanta Life, Yuanta Securities, and Yuanta Funds have adopted the international standard for business continuity management (ISO 22301), and the certification has been renewed annually since. All were certified in 2025, and the certificates remain valid. Based on a risk-oriented approach, we combine business-side and system-side resources to ensure that operational standards can be maintained under any circumstances, to reduce the risk of business interruption, and to make the organization more resilient.

Information security protection mechanism and detection

We have upgraded our network and information system protection capabilities, strengthened information security measures, and established a multi-layered defense-in-depth framework. It includes network firewalls, application firewalls, intrusion detection systems, spam filtering, email APT (advanced persistent threat) protection, Internet behavior management, anti-virus systems, monitoring of phishing websites and counterfeit apps, endpoint detection and response (EDR), and network detection and response (NDR), to ensure the security of our information systems.

Yuanta FHC and major subsidiaries regularly engage independent third parties to perform vulnerability scanning, penetration testing, distributed denial-of-service (DDoS) drills, breach and attack simulation (BAS) drills, external network risk assessments, social engineering drills, and computer system information security evaluations, in order to safeguard the stability and security of the information systems and to confirm the completeness and effectiveness of the existing controls.

We continuously introduce new information security risk management technologies to improve the efficiency of various information security incident detection and response procedures through intelligent and automated mechanisms, and to strengthen information security and cyber security protection processes.

Information security intelligence and joint defense monitoring
  1. Strengthening information security intelligence sharing and response
    To strengthen information security intelligence and joint defense, and to stay abreast of emerging information security intelligence and trends, Yuanta FHC and the major subsidiaries have joined the Financial Information Security Sharing and Analysis Center (F-ISAC) and participated in the Financial Security Operations Center (F-SOC). Furthermore, Yuanta Securities has been approved to join the FIRST (Forum of Incident Response and Security Teams), enabling it to access external information security data in real time, conduct cross-domain joint defense, and share information on information security incidents. This allows for a more proactive and effective response to the ever-evolving information security threats, thereby significantly enhancing overall information security defense capabilities.
  2. Strengthening information security monitoring and analysis
    In order to improve the timeliness and effectiveness of network abnormal behavior detection and alerts, and in line with the FSC’s Financial Cyber Security Action Plan, Yuanta FHC and subsidiaries have commissioned a third-party professional organization to build a security operations center (SOC) monitoring mechanism. Through 7x24 real-time monitoring, we provide pre-emptive threat alerts, real-time threat warnings, and post-threat analysis and recommendations. We also connect with information security defense equipment and information security intelligence automation, and enhance the team’s ability to respond to information security incidents, thereby achieving the effectiveness of joint information security monitoring and collaborative operation.
  3. Group-wide SOC Three-Year Integration Plan - Joint Information Security Office and Cloud-On-Premises Assessment
    To effectively integrate the Group’s information security resources and monitoring capabilities, and increase the effectiveness of cross-company threat detection and joint defense, a three-year integration plan for the Group-wide security operations center (SOC) was formulated. This plan includes joint office operations for Group information security, the establishment of a Group-wide information SOC, and the transformation from single-point defense to joint defense, sharing of intelligence and resources, benchmark alignment, Group collaboration, and enhanced protection and monitoring. It also integrates the Group’s information security response system, system architecture, and human resources. The first phase of the plan has been completed, including the setting-up of a joint office for information security with Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures; the construction of a Group-wide information security operations center (SOC); and cloud-on-premises assessments. This aims to deepen information security governance, integrate resources, and strengthen cross-company threat detection and joint defense capabilities, thereby improving the Group’s information security defense capacity and collaborative operational efficiency.
  4. We have also built information security management monitoring dashboards to instantly keep track of changes in information security risk indicators such as Group information asset equipment, computer viruses, hacking, and data leakage, in order to achieve Yuanta Group’s goal of information security monitoring joint defense.

Information security attack and defense exercises and major information security incident exercises

In order to evaluate our defense-in-depth capability and to comply with the FSC’s Financial Cyber Security Action Plan, Yuanta has organized the Group’s red and blue team attack and defense exercises. We have commissioned a professional third party to conduct a target-oriented information security exercise using hacking techniques without affecting our operations to verify the effectiveness of information security protection, monitoring, and defense, to enhance our employees’ ability to deal with new types of attacks, and to carry out remedial or compensatory measures for the weaknesses identified in the exercise. In addition, the feasibility of the recommendations made by the professional third party has been assessed and corresponding measures have been planned, with a view to further strengthening Yuanta FHC’s information security defense and reducing the impact of information security incidents.

Major information security incidents often affect more than just a single organization. In order to strengthen the systematic risk management and joint defense of information security, and in line with the FSC’s Financial Cyber Security Action Plan, Yuanta has commissioned a professional third-party organization to conduct the Group’s notification of major information security incidents and contingency exercises. These exercises simulate hacker attack methods, covering scenarios such as phishing emails, data breaches, and external infiltration. Through these exercises, the Group’s information security protection equipment is tested to demonstrate its detection, defense, and response capabilities in response to attacks, thereby enhancing Yuanta Group’s operational mechanism and capability of horizontal notification, contingency, and support coordination.

Information security education and training

Yuanta FHC and major subsidiaries have completed three (3) hours of information security education and training for general employees in 2025. The course includes sharing of recent major information security incidents, information security regulations, personal data protection, social engineering attacks and defenses, Internet of Things device security, security threats of generative artificial intelligence (AI), and cloud-based risk prevention measures, in order to raise the information security awareness of all employees.

The information security specialists have also completed a 15-hour information security professional training course, which covers emerging technology topics such as information security trends, information security regulations, information security protection technologies, information security control and maintenance, and the trend and risk management of generative AI, thereby enhancing the information security professional competence and skills of the information security specialists.

Data Protection and Access Control

Yuanta FHC and major subsidiaries have established procedures for reporting and handling information security incidents, with notification and handling escalated according to the severity level of the incident. The information unit is required to troubleshoot and resolve the incident within the target processing time, and to analyze the incident after it has been handled in order to prevent recurrence.

The response to major cyber security incidents requires a high degree of timeliness. Yuanta FHC has therefore established a “Cyber Security Incident Response Team,” convened by Yuanta FHC’s Chief Executive Officer, to promptly assess and support the response to major cyber security incidents at Yuanta FHC and its subsidiaries, and to reduce the damage caused by such incidents.

In the most recent year and up to the printing date of the Annual Report, there were no significant information security incidents that caused damage to customers’ rights and interests or affected the sound operation of the institution.

In order to ensure the proper management of Yuanta Group’s collection, processing, and utilization of personal data and to strengthen the security and maintenance of personal data, Yuanta Financial Holding Company (FHC) has formulated Personal Data Protection Policy and Personal Data Management Measures in accordance with the Personal Data Protection Act, Regulations Governing the Security Maintenance of Personal Data Files of Non-Public Service Organizations Designated by the Financial Supervisory Commission and relevant laws and regulations of the competent authorities, in order to establish and implement a personal data protection system in each of its business operations. Yuanta Group’s personal data protection management measures are disclosed below:

1. The scope of application of the Personal Data Protection Policy includes Yuanta FHC, our subsidiaries, and various businesses.

(1) Subsidiaries are required to establish a personal data protection management system in accordance with the spirit of the Personal Data Protection Policy that is commensurate with the scale and complexity of their business to ensure that the collection, processing, and utilization of personal data comply with legal requirements.

(2) The Personal Data Management Measures set out the regulations for implementing and operating the personal data management system and the principles of personal data security management. These include, but are not limited to, the requirements that all personnel involved in the collection, processing, utilization, transmission, retention, and destruction of personal data must comply with the regulations, and that personal data may be collected only for a specific purpose and in compliance with relevant laws and regulations. Accordingly, Yuanta FHC undertakes not to collect personal data from a third party rather than from the data subject, except as permitted by the relevant provisions of the Personal Data Protection Act. Furthermore, the processing and utilization of personal data shall remain within the scope of the original notification or the subject’s original consent.

2. The Personal Data Management Measures and Personal Data Management Operating Rules stipulate the principle of minimization of personal data and the requirements for the retention and destruction of personal data.

(1) The collection, processing, and utilization of personal data shall be in accordance with the principle of minimization. It shall be confirmed that only personal data necessary for the execution of the business within the scope of the statement shall be collected, that only the minimum amount of personal data necessary shall be used for processing and utilization, and that no personal data unrelated to the scope of the specific purpose or unnecessary shall be processed.

(2) A retention period shall be set for personal data. When the specific purpose no longer exists or the retention period expires, the data shall be destroyed by appropriate means, and security control and management measures shall be applied to the destruction.

3. The Personal Data Management Operating Rules stipulate the access control and protection measures for personal data.

(1) Security Measures for Processing, Utilizing, and Transmitting Personal Data: The environment in which personal data documents, files, or media are processed or utilized shall be subject to access control; personnel who are not already authorized must go through an application and approval process before accessing personal data documents or files; and the transmission of personal data shall be protected by appropriate encryption measures.

(2) Security Control and Management Measures for Personal Data: Access to centralized personal data storage or filing cabinets shall be controlled by physical access control and management measures, and records of access shall be kept; granted access rights may be exercised only for legitimate business purposes.

4. A Personal Data Protection Team has been set up to effectively implement and coordinate matters relating to personal data protection.

In accordance with the Personal Data Management Measures, a personal data protection team has been established. The chief executive officer designates supervisors at or above the level of deputy chief executive officer as convener and deputy convener, and each department and office appoints representatives to serve as team members. Meetings are convened to discuss personal data protection matters as required by the business situation. The personal data protection team reviews personal data protection management at least once a year, and the results of the review are reported to the board of directors together with the annual implementation report on the legal compliance system.

5. Yuanta FHC conducts an annual personal data risk assessment to effectively manage personal data risks in our business.

Based on the assessment results, control and management measures are formulated, and the assessment results and related analyses are reported to the personal data protection team meeting. In the event of a personal data security or leakage incident, the incident is reported as an operational risk event in accordance with the prescribed procedures; where information risk is involved, it is also handled in accordance with the regulations on information security risk, and recommendations are provided to prevent recurrence or remediate the causes of the incident. Moreover, personal data protection is included in the internal audit items and in the regular annual education and training courses to raise employees’ awareness of personal data protection.

6. Yuanta Group has put in place measures to protect the confidentiality of customers’ data and a mechanism for customers to exercise their legal rights in relation to their personal data in order to protect the privacy and rights of the subjects concerned.

In accordance with the Financial Holding Company Act, the Regulations Governing Joint Marketing among Subsidiaries of Financial Holding Companies, and relevant laws and regulations of the competent authorities, Yuanta FHC has established Customer Data Confidentiality Measures and disclosed it on the official website, stating that Yuanta FHC and its subsidiaries will not disclose the customer’s personal data to a third party, except for the circumstances stipulated in the confidentiality measures or with the written consent of the customer. In addition, a Privacy Statement is posted on the official website to explain the collection policies, storage and protection measures for personal data, and the rights of customers to inquire, correct, and delete such data. An email address is also provided as a channel for submitting opinions, in order to continuously implement the protection of personal data and privacy.