Information Security - Yuanta Financial Holdings

資訊安全信息安全 Information Security

資訊安全信息安全 Information Security 個資保護个资保护 Personal Data Protection

Cyber Security Risk Management Framework and Mechanism

The board of directors is the highest decision-making body for information security management of Yuanta Financial Holding Company (FHC). Yuanta FHC has set forth an “Information Security Policy”which has been submitted to the audit committee and approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and subsidiaries and to formulate relevant information security management regulations and procedures. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”

In order to enhance Yuanta FHC’s decision-making ability on information security issues, Yuanta FHC and major subsidiaries have established a chief information security officer to plan as a whole the promotion and coordination of information security policies and the deployment of resources. Yuanta FHC has also set up a dedicated or responsible unit for information security, responsible for information security planning, monitoring, and execution of information security management operations, which reports annually to the board of directors on the overall implementation of information security in the previous year in order to strengthen the supervision of information security. Yuanta FHC’s information security dedicated unit is staffed with fourteen (14) information security professionals, and the report on information security implementation status was reported on January 20, 2025 at the 35th meeting of the ninth (9th) board of directors.

With the purpose of coordinating the management of information security matters, Yuanta FHC has formed an inter-departmental “Information Security Group,” with the chief executive officer appointing the convener and vice convener, which holds regular information security meetings and management review meetings. Six (6) meetings were held in 2024 to discuss the implementation of information security management and information security-related matters to enhance the overall information security protection capabilities.

Specific Management Plans and Input Resources

Specific management programs and resources to be invested in the establishment of comprehensive information security protection to achieve the information security policy and objectives are set out below:

Introduction of international information security management standards and obtainment of certification

In order to continuously improve the information security governance system, in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all adopted the ISO 27001:2022 Information Security Management System (ISMS) standard.Subsequently, an independent third-party external organization conducts annual renewals and triennial re-audits. We all have already been certified in 2024, and the certificates are valid and continue to strengthen the monitoring and management of information security with the PDCA (Plan-Do-Check-Act) quality management framework. The validity period of Yuanta FHC’s certificate is from December 2023 to December 2026.
(Note: Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures account for 99.97% of the Group’s total capital.)

In line with the Financial Cyber Security Action Plan of Taiwan’s Financial Supervisory Commission (FSC) and to increase the capacity of business continuity management, Yuanta Bank, Yuanta Life, Yuanta Securities, and Yuanta Funds have adopted the international standard for business continuity management (ISO 22301).Subsequently, an independent third-party external organization conducts annual renewals of the certification.All have been certified in 2024, and the certificates will continue to be valid. Based on a risk-oriented approach, we combine business-side and system-side resources to ensure that operational standards can be maintained under any circumstances, to reduce the risk of business interruption, and to make the organization more resilient.

Information security protection mechanism and detection

We have upgraded our network and information system protection capabilities and established a multi-layered defense-in-depth framework, including network firewalls, software application firewalls, intrusion detection systems, spam filtering, email APT, Internet behavior management, anti-virus systems, anti-phishing websites and counterfeit APP monitoring mechanisms, endpoint detection and threat response mechanisms (EDR), and network detection and response (NDR) to ensure the security of our information systems.

Yuanta FHC and major subsidiaries regularly perform vulnerability scanning, penetration testing, distributed denial-of-service (DDoS) drills, social engineering drills, and computer system information security evaluations on a regular basis through independent third parties in order to safeguard the stability and security of the information system and the completeness and effectiveness of the existing controls.

Information security protection detection and monitoring

With the rapid development of financial technology, information security has become an important risk management issue for organizations. In order to keep abreast of emerging information and security trends, Yuanta FHC and major subsidiaries have joined the Financial Information Security Information Sharing and Analysis Center (F-ISAC) and participated in the Financial Security Operation Center (F-SOC) for cross-domain joint defense and sharing of information security events to effectively enhance the overall information security defense capability. We have also introduced Security Information and Event Management (SIEM) to ensure the effectiveness of information security protection and monitoring.

In order to improve the timeliness and effectiveness of network abnormal behavior detection and alerts, and in line with the FSC’s Financial Cyber Security Action Plan, Yuanta FHC and subsidiaries have commissioned a third-party professional organization to build a security operations center (SOC) monitoring mechanism. Through 7x24 real-time monitoring, we provide pre-emptive threat alerts, real-time threat warnings, and post-threat analysis and recommendations to boost our ability to respond to information security incidents and to achieve the effectiveness of joint defense and coordinated operation of information security monitoring. We have also built information security management monitoring dashboards to instantly keep track of changes in information security risk indicators such as computer viruses, hacking, and data leakage, in order to achieve Yuanta Group’s goal of information security monitoring joint defense.

Information security attack and defense exercises and major information security incident exercises

In order to evaluate our defense-in-depth capability and to comply with the FSC’s Financial Cyber Security Action Plan, Yuanta has organized the Group’s red and blue team attack and defense exercises. We have commissioned a professional third party to conduct a target-oriented information security exercise using hacking techniques without affecting our operations to verify the effectiveness of information security protection, monitoring, and defense, to enhance our employees’ ability to deal with new types of attacks, and to carry out remedial or compensatory measures for the weaknesses identified in the exercise. We also implemented remedial or compensatory measures for weaknesses identified during the exercise. In addition, the feasibility of the recommendations made by the professional third party has been assessed and corresponding measures have been planned, with a view to further strengthening Yuanta FHC’s information security defense and reducing the impact of information security incidents.

Information security education and training

Yuanta FHC and major subsidiaries have completed three (3) hours of information security education and training for general employees and fifteen (15) hours of information security professional training courses for information security specialists in 2024 to strengthen information security capabilities. Furthermore, we also hold email social engineering exercises regularly to raise the information security awareness of all employees.

Data Protection and Access Control

Yuanta FHC and major subsidiaries have established management mechanisms related to data protection and access control to ensure that the right people access the right resources in the right way at the right time:

Data Protection Mechanism:

Internal data shall be classified (e.g., confidential, sensitive, general, and public) and labeled with a rating to ensure protection based on the importance of the data. Confidential and sensitive data are encrypted for storage and transmission (e.g., using TLS/SSL, AES encryption, etc.), and data leakage detection and prevention (DLP) and intrusion detection and prevention systems (IDS/IPS), etc. are established to detect and prevent unauthorized intrusions. Furthermore, based on the attributes and importance of the application system, local and off-site backup operations for the system are established, and backup drills and stress tests are performed regularly, and records are kept, to ensure the effectiveness of the backup procedures.

Access Control Mechanism：

For access control and identity verification, the principles of least privilege, formal authorization, identifiability, and auditability are adopted. Permissions are assigned based on job duties and role requirements to prevent unauthorized access, and user permissions are reviewed regularly to remove unnecessary permissions.

For network access, the networks used by information services, users, and information systems are separated. For open networks and networks that cross organizational boundaries, users’ ability to connect to the network is restricted based on access control policies and operational application requirements to ensure the security of computer connections and information transmission.

Management of Major Cyber Security Incidents

Yuanta FHC and major subsidiaries have established procedures for notifying and handling information security incidents, notifying and handling at the appropriate level according to the level of the incident.

The information unit is required to troubleshoot and resolve the incident within the target processing time and analyze the incident after it has been processed to prevent recurrence.

In the most recent year and up to the printing date of the Annual Report, there were no significant information security incidents that caused damage to customers’ rights and interests or affected the sound operation of the organization.

In order to ensure the proper management of Yuanta Group’s collection, processing, and utilization of personal data and to strengthen the security and maintenance of personal data, Yuanta Financial Holding Company (FHC) has formulated Personal Data Protection Policy and Personal Data Management Measures in accordance with the Personal Data Protection Act, Regulations Governing the Security Maintenance of Personal Data Files of Non-Public Service Organizations Designated by the Financial Supervisory Commission and relevant laws and regulations of the competent authorities, in order to establish and implement a personal data protection system in each of its business operations. Yuanta Group’s personal data protection management measures are disclosed below:

1. The scope of application of the Personal Data Protection Policy includes Yuanta FHC, our subsidiaries, and various businesses.

(1)Subsidiaries are required to establish a personal data protection management system in accordance with the spirit of the Personal Data Protection Policy that is commensurate with the scale and complexity of their business to ensure that the collection, processing, and utilization of personal data comply with legal requirements.

(2) According to the Personal Data Management Measures, relevant regulations are set for the implementation and operation of the personal data management system and the personal data security management principles, including but not limited to that all personnel involved in the collection, processing, utilization, transmission, retention, and destruction of personal data must comply with the regulations, and that the collection of personal data shall have a specific purpose and comply with relevant laws and regulations. Therefore, Yuanta FHC promises not to collect personal data from a third party that is not provided by the subject concerned, except in accordance with the relevant provisions of the Personal Data Protection Act. Furthermore, the processing and utilization of personal data shall be within the scope of the original notification or the subject’s original consent.

2. The Personal Data Management Measures and Personal Data Management Operating Rules stipulate the principle of minimization of personal data and the requirements for the retention and destruction of personal data.

(1) The collection, processing, and utilization of personal data shall be in accordance with the principle of minimization. It shall be confirmed that only personal data necessary for the execution of the business within the scope of the statement shall be collected, that only the minimum amount of personal data necessary shall be used for processing and utilization, and that no personal data unrelated to the scope of the specific purpose or unnecessary shall be processed.

(2) The retention period of personal data shall be set, and if the specific purpose disappears or the retention period expires, the data shall be destroyed in different ways and security control and management measures shall be implemented.

3. The Personal Data Management Operating Rules stipulates the access control and protection measures for personal data.

(1) Security Measures for Processing, Utilizing, and Transmitting Personal Data: The environment in which personal data documents, files, or media are processed or utilized shall be subject to access control; there shall be an application and approval process for access to personal data documents or files by unauthorized personnel; and the transmission of personal data shall be subject to appropriate encryption measures.

(2) Security Control and Management Measures for Personal Data: Access to centralized personal data storage or filing cabinets shall be controlled by physical access control and management measures and records of access shall be kept; and legally granted access rights may only be accessed for legitimate and business purposes.

4. Setting up a Personal Data Protection Team to effectively implement and consolidate matters relating to personal data protection.

In accordance with the Personal Data Management Measures, a personal data protection team is established, with the chief executive officer designating a supervisor at or above the level of deputy chief executive officer as the convener and deputy convener, and each department and office appoints representatives to serve as team members, and meetings are convened to discuss matters of personal data protection depending on the business execution situation. The personal data protection team conducts a review of personal data protection management at least once a year and the results of the review are reported to the board of directors along with the annual implementation of the legal compliance system.

5. Yuanta FHC conducts an annual personal data risk assessment to effectively manage personal data risks in our business.

Based on the assessment results, control and management measures are formulated, and the assessment results and related analyses are reported to the personal data protection team meeting. In the event of a personal data security or leakage incident, in addition to notifying the operational risk events in accordance with the prescribed procedures, those involving information risk shall be handled in accordance with the regulations related to information security risk, and shall provide recommendations for prevention or improvement of the reasons for the occurrence of the personal data security events. Moreover, personal data protection is also included in the internal audit items and regular annual education and training courses to raise employees’ awareness of personal data protection.

6. Yuanta Group has put in place measures to protect the confidentiality of customers’ data and a mechanism for customers to exercise their legal rights in relation to their personal data in order to protect the privacy and rights of the subjects concerned.

In accordance with the Financial Holding Company Act, the Regulations Governing Joint Marketing among Subsidiaries of Financial Holding Companies, and relevant laws and regulations of the competent authorities, Yuanta FHC has established Customer Data Confidentiality Measures and disclosed it on the official website, stating that Yuanta FHC and its subsidiaries will not disclose the customer’s personal data to a third party, except for the circumstances stipulated in the confidentiality measures or with the written consent of the customer. In addition, a Privacy Statement is posted on the official website to explain the collection policies, storage and protection measures for personal data, and the rights of customers to inquire, correct, and delete such data. An email address is also provided as a channel for submitting opinions, in order to continuously implement the protection of personal data and privacy.