
Information Security
1. Cyber Security Risk Management Framework and Mechanism

The board of directors is the highest decision-making body for information security management of Yuanta Financial Holding Company (FHC). Yuanta FHC has set forth an “Information Security Policy” approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and subsidiaries and to formulate relevant information security management regulations and procedures. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”

In order to enhance Yuanta FHC’s decision-making ability on information security issues, Yuanta FHC and major subsidiaries have each appointed a chief information security officer to take overall charge of planning, promoting, and coordinating information security policies and allocating resources. Yuanta FHC has also set up a dedicated or responsible information security unit, which is responsible for information security planning, monitoring, and execution of information security management operations and reports annually to the board of directors on the overall implementation of information security in the previous year in order to strengthen supervision of information security. Yuanta FHC’s dedicated information security unit is staffed with eleven (11) information security professionals, and the report on the implementation status of information security was presented on January 31, 2024 at the 23rd meeting of the ninth (9th) board of directors.

With the purpose of coordinating the management of information security matters, Yuanta FHC has formed an inter-departmental “Information Security Group,” with the chief executive officer appointing the convener and vice convener, which holds regular information security meetings and management review meetings. Six (6) meetings were held in 2023 to discuss the implementation of information security management and information security-related matters to enhance the overall information security protection capabilities.

2. Specific Management Plans and Input Resources
  1. Introduction of international information security management standards and obtainment of certification

    In order to continuously improve the information security governance system, in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all adopted the ISO 27001:2013 Information Security Management System (ISMS) standard, which is renewed annually and re-audited every three years. All were certified in 2023 and the certificates remain valid, and we continue to strengthen the monitoring and management of information security with the PDCA (Plan-Do-Check-Act) quality management framework. Moreover, following the official release of the new version of the standard, ISO 27001:2022, by the International Organization for Standardization (ISO) on October 25, 2022, Yuanta FHC also passed British Standards Institution (BSI) certification against the new version in November 2023; the certificate is valid from December 2023 to December 2026.

    In line with the Financial Cyber Security Action Plan of Taiwan’s Financial Supervisory Commission (FSC) and to increase the capacity of business continuity management, Yuanta Bank, Yuanta Life, Yuanta Securities, and Yuanta Funds have adopted the international standard for business continuity management (ISO 22301), and will continue to undergo the annual renewal of the certification. All have been certified in 2023, and the certificates will continue to be valid. Based on a risk-oriented approach, we combine business-side and system-side resources to ensure that operational standards can be maintained under any circumstances, to reduce the risk of business interruption, and to make the organization more resilient.

  2. Information security protection mechanism and detection

    We have upgraded our network and information system protection capabilities and established a multi-layered defense-in-depth framework, including network firewalls, application firewalls, intrusion detection systems, spam filtering, email advanced persistent threat (APT) protection, Internet behavior management, anti-virus systems, monitoring mechanisms for phishing websites and counterfeit apps, and endpoint detection and response (EDR) to ensure the security of our information systems.

    Through independent third parties, Yuanta FHC and major subsidiaries regularly perform vulnerability scanning, penetration testing, distributed denial-of-service (DDoS) drills, social engineering drills, and information security evaluations of computer systems in order to safeguard the stability and security of information systems and the completeness and effectiveness of existing controls.

  3. Information security protection detection and monitoring

    With the rapid development of financial technology, information security has become an important risk management issue for organizations. In order to keep abreast of emerging information security trends, Yuanta FHC and major subsidiaries have joined the Financial Information Security Information Sharing and Analysis Center (F-ISAC) and participated in the Financial Security Operation Center (F-SOC) for cross-domain joint defense and the sharing of information security events, so that Yuanta FHC and major subsidiaries can respond to threats at an early stage and effectively enhance overall information security defense capability. We have also introduced Security Information and Event Management (SIEM) to ensure the effectiveness of information security protection and monitoring.

    In order to improve the timeliness and effectiveness of the detection of and alerting on abnormal network behavior, and in line with the FSC’s Financial Cyber Security Action Plan, Yuanta FHC and subsidiaries have commissioned a third-party professional organization to build a security operations center (SOC) monitoring mechanism. Through 7x24 real-time monitoring, the SOC provides pre-emptive threat alerts, real-time threat warnings, and post-incident analysis and recommendations to boost our ability to respond to information security incidents and to achieve joint defense and coordinated operation of information security monitoring.

  4. Information security education and training

    In 2023, Yuanta FHC and major subsidiaries completed three (3) hours of information security education and training for general employees and fifteen (15) hours of professional information security training courses for information security specialists to strengthen information security capabilities. Furthermore, we also hold email social engineering exercises regularly to raise the information security awareness of all employees.

3. Management of Major Cyber Security Incidents

Yuanta FHC and major subsidiaries have established procedures for reporting and handling information security incidents, under which incidents are reported and handled at the appropriate level according to their severity. The information unit is required to troubleshoot and resolve the incident within the target processing time and to analyze the incident after it has been handled in order to prevent recurrence.

In the most recent year and up to the printing date of the Annual Report, there were no significant information security incidents that caused damage to customers’ rights and interests or affected the sound operation of the organization.

Yuanta Financial Holding Company (FHC) has established a personal data protection system and implements it in all of its businesses. In addition to internal rules and regulations such as the “Personal Data Protection Policy” and the “Personal Data Management Regulations” that are reviewed and amended from time to time, an inter-departmental, inter-office Personal Data Protection Team (hereinafter referred to as the “PDPT”) has been set up as a dedicated unit responsible for promoting, coordinating, and supervising all matters related to personal data protection at Yuanta FHC.

The PDPT is composed of a Vice President or above designated by the President as the convener and vice convener, and representatives from each department as members. PDPT meetings are convened to discuss personal data protection matters as the execution of its business requires. The PDPT conducts a personal data protection management review at least once a year, and the results of the review are reported to the Board of Directors together with the annual implementation of the legal compliance system.

Yuanta FHC conducts at least one assessment of the personal data risks faced by the Company’s business every year and establishes control measures based on the assessment results; the results and related analyses are submitted to PDPT meetings. In the event of a personal data security or leakage incident, in addition to the reporting of operational risk events by each department and office in accordance with the prescribed procedures, the Information and Technology (IT) Department shall follow the regulations related to information security risks when handling the information-related aspects of the risk. The Risk Management Department shall provide prevention or improvement suggestions for the causes of personal data security incidents. In addition, personal data protection is also included in the Company’s internal audits and regular annual training courses to enhance employees’ awareness of personal data protection.

In order to provide a mechanism for customers to exercise their statutory rights with respect to their personal data and to comply with privacy protection, Yuanta FHC discloses on its website the “Customer Data Confidentiality Measures” in accordance with the Financial Holding Company Act, the Regulations for the Management of Shared Marketing Across Subsidiaries of Financial Holding Companies, and other relevant laws and regulations, to clearly state that Yuanta FHC will not disclose customers’ personal data to third parties except under the circumstances specified in these measures or with customers’ written consent. In addition, a Privacy Statement is posted on the official website to explain Yuanta FHC’s collection policies, storage and protection measures for personal data, and the rights of customers to inquire, correct, and delete such data. An email address is also provided as a channel for comments, so that customers are aware of their rights and interests and can use the various services provided by the Yuanta FHC website with peace of mind.