
Information Security
1. Cyber Security Risk Management Framework and Mechanism

The board of directors is the highest decision-making body for information security management of Yuanta Financial Holding Company (FHC). Yuanta FHC has set forth an “Information Security Policy” approved by the board of directors as a basis to establish an information security management system for Yuanta FHC and subsidiaries and to formulate relevant information security management regulations and procedures. In addition, Yuanta FHC’s Information Security Policy is based on the protection of shareholders’ rights and interests, with the objectives of “protecting the security of information assets” and “maintaining business continuity to achieve sustainable corporate operation.”

In order to strengthen Yuanta FHC’s decision-making on information security issues, Yuanta FHC and its major subsidiaries have each appointed a chief information security officer to oversee the promotion and coordination of information security policies and the allocation of information security resources. Yuanta FHC has also set up a dedicated or responsible unit for information security, which is responsible for information security planning, monitoring, and the execution of information security management operations, and which reports annually to the board of directors on the overall implementation of information security in the previous year in order to strengthen board supervision of information security. Yuanta FHC’s dedicated information security unit is staffed with eleven (11) information security professionals, and the report on the implementation status of information security was presented on January 31, 2024 at the 23rd meeting of the ninth (9th) board of directors.

To coordinate the management of information security matters, Yuanta FHC has formed an inter-departmental “Information Security Group,” whose convener and vice convener are appointed by the chief executive officer, and which holds regular information security meetings and management review meetings. Six (6) meetings were held in 2023 to discuss the implementation of information security management and other information security-related matters in order to enhance the Group’s overall information security protection capabilities.

2. Specific Management Plans and Input Resources
(1) Introduction of international information security management standards and obtainment of certification

In order to continuously improve the information security governance system, in addition to complying with domestic and international information security laws and regulations, Yuanta FHC, Yuanta Securities, Yuanta Bank, Yuanta Life, Yuanta Funds, and Yuanta Futures have all adopted the ISO 27001:2013 Information Security Management System (ISMS) standard, whose certification is subject to an annual surveillance audit and a recertification audit every three years. All of these companies were certified in 2023, their certificates remain valid, and they continue to strengthen the monitoring and management of information security under the PDCA (Plan-Do-Check-Act) management cycle. Moreover, following the official release of the new version of the standard, ISO 27001:2022, by the International Organization for Standardization (ISO) on October 25, 2022, Yuanta FHC also passed certification against the new version by the British Standards Institution (BSI) in November 2023; the certificate is valid from December 2023 to December 2026.

In line with the Financial Cyber Security Action Plan of Taiwan’s Financial Supervisory Commission (FSC) and to increase business continuity management capacity, Yuanta Bank, Yuanta Life, Yuanta Securities, and Yuanta Funds have adopted the international standard for business continuity management (ISO 22301) and will continue to undergo annual surveillance audits to maintain certification. All four were certified in 2023 and their certificates remain valid. Based on a risk-oriented approach, we combine business-side and system-side resources to ensure that agreed service levels can be maintained in the event of a disruption, to reduce the risk of business interruption, and to make the organization more resilient.

(2) Information security protection mechanisms and detection

We have upgraded the protection capabilities of our networks and information systems and established a multi-layered defense-in-depth architecture, including network firewalls, application firewalls, intrusion detection systems, spam filtering, email advanced persistent threat (APT) protection, Internet behavior management, anti-virus systems, monitoring of phishing websites and counterfeit mobile apps, and endpoint detection and response (EDR), to ensure the security of our information systems.

Yuanta FHC and its major subsidiaries regularly engage independent third parties to perform vulnerability scanning, penetration testing, distributed denial-of-service (DDoS) drills, social engineering drills, and information security assessments of computer systems, in order to safeguard the stability and security of the information systems and to verify the completeness and effectiveness of existing controls.

(3) Information security detection and monitoring

With the rapid development of financial technology, information security has become an important risk management issue for organizations. In order to keep abreast of emerging information security threats and trends, Yuanta FHC and its major subsidiaries have joined the Financial Information Sharing and Analysis Center (F-ISAC) and participate in the Financial Security Operation Center (F-SOC) for cross-domain joint defense and the sharing of information security incident intelligence, so that Yuanta FHC and its major subsidiaries can respond to threats at an early stage and effectively enhance their overall information security defense capability. We have also introduced Security Information and Event Management (SIEM) to ensure the effectiveness of information security protection and monitoring.

In order to improve the timeliness and effectiveness of the detection of, and alerting on, abnormal network behavior, and in line with the FSC’s Financial Cyber Security Action Plan, Yuanta FHC and its subsidiaries have commissioned a professional third-party organization to build a security operations center (SOC) monitoring mechanism. Through 24x7 real-time monitoring, the SOC provides early threat alerts, real-time threat warnings, and post-incident analysis and recommendations, which strengthens our ability to respond to information security incidents and achieves effective joint defense and coordinated operation of information security monitoring.

(4) Information security education and training

In 2023, Yuanta FHC and its major subsidiaries completed three (3) hours of information security education and training for general employees and fifteen (15) hours of professional information security training courses for information security specialists in order to strengthen information security capabilities. Furthermore, we regularly hold email social engineering exercises to raise the information security awareness of all employees.

3. Management of Major Cyber Security Incidents

Yuanta FHC and its major subsidiaries have established procedures for reporting and handling information security incidents, under which each incident is escalated and handled at the level appropriate to its severity. The information unit is required to troubleshoot and resolve the incident within the target processing time and to conduct a post-incident analysis after the incident has been handled in order to prevent recurrence.

In the most recent year and up to the printing date of the Annual Report, there were no significant information security incidents that caused damage to customers’ rights and interests or affected the sound operation of the organization.

In order to ensure the proper management of the Yuanta Group’s collection, processing, and use of personal data and to strengthen the security and maintenance of personal data, Yuanta FHC has formulated a Personal Data Protection Policy and Personal Data Management Measures in accordance with the Personal Data Protection Act, the Regulations Governing the Security Maintenance of Personal Data Files of Non-Public Service Organizations Designated by the Financial Supervisory Commission, and the relevant laws and regulations of the competent authorities, in order to establish and implement a personal data protection system in each of its business operations. The Yuanta Group’s personal data protection management measures are disclosed below:

1. The scope of application of the Personal Data Protection Policy includes Yuanta FHC, our subsidiaries, and various businesses.

(1) Subsidiaries are required to establish a personal data protection management system in accordance with the spirit of the Personal Data Protection Policy that is commensurate with the scale and complexity of their business to ensure that the collection, processing, and utilization of personal data comply with legal requirements.

(2) The Personal Data Management Measures set out the rules for the implementation and operation of the personal data management system and the principles of personal data security management, including, but not limited to, that all personnel involved in the collection, processing, utilization, transmission, retention, and destruction of personal data must comply with those rules, and that personal data shall be collected only for a specific purpose and in compliance with the relevant laws and regulations. Accordingly, Yuanta FHC undertakes not to collect personal data from third parties, rather than from the data subject concerned, except as permitted by the relevant provisions of the Personal Data Protection Act. Furthermore, the processing and utilization of personal data shall remain within the scope of the original notification to, or the original consent of, the data subject.

2. The Personal Data Management Measures and Personal Data Management Operating Rules stipulate the principle of minimization of personal data and the requirements for the retention and destruction of personal data.

(1) The collection, processing, and utilization of personal data shall follow the principle of data minimization. It shall be confirmed that only the personal data necessary for the execution of the business within the scope notified to the data subject is collected, that only the minimum amount of personal data necessary is used for processing and utilization, and that no personal data that is unrelated to the specific purpose or otherwise unnecessary is processed.

(2) A retention period shall be set for personal data, and when the specific purpose ceases to exist or the retention period expires, the data shall be deleted or destroyed by means appropriate to the medium, with security control and management measures applied to the destruction process.

3. The Personal Data Management Operating Rules stipulates the access control and protection measures for personal data.

(1) Security measures for processing, utilizing, and transmitting personal data: the environment in which personal data documents, files, or media are processed or utilized shall be subject to access control; personnel who are not already authorized must apply for and obtain approval before accessing personal data documents or files; and the transmission of personal data shall be protected by appropriate encryption measures.

(2) Security control and management measures for personal data: access to centralized personal data storage or filing cabinets shall be controlled by physical access control and management measures, records of access shall be kept, and access rights that have been granted may be exercised only for legitimate business purposes.

4. Setting up a Personal Data Protection Team to effectively implement and consolidate matters relating to personal data protection.

In accordance with the Personal Data Management Measures, a personal data protection team has been established. The chief executive officer designates supervisors at or above the level of deputy chief executive officer as its convener and deputy convener, each department and office appoints representatives to serve as team members, and meetings are convened as business needs require to discuss matters of personal data protection. The personal data protection team reviews personal data protection management at least once a year, and the results of the review are reported to the board of directors together with the annual report on the implementation of the legal compliance system.

5. Yuanta FHC conducts an annual personal data risk assessment to effectively manage personal data risks in our business.

Based on the assessment results, control and management measures are formulated, and the results and related analyses are reported to the personal data protection team meeting. In the event of a personal data security or leakage incident, the incident is reported as an operational risk event in accordance with the prescribed procedures; where the incident also involves information risk, it is additionally handled in accordance with the regulations on information security risk, and recommendations for preventing or remediating the causes of the incident are provided. Moreover, personal data protection is included in the internal audit items and in the regular annual education and training courses to raise employees’ awareness of personal data protection.

6. Yuanta Group has put in place measures to protect the confidentiality of customers’ data and a mechanism for customers to exercise their legal rights in relation to their personal data in order to protect the privacy and rights of the subjects concerned.

In accordance with the Financial Holding Company Act, the Regulations Governing Joint Marketing among Subsidiaries of Financial Holding Companies, and the relevant laws and regulations of the competent authorities, Yuanta FHC has established Customer Data Confidentiality Measures and disclosed them on its official website, stating that Yuanta FHC and its subsidiaries will not disclose a customer’s personal data to a third party except in the circumstances stipulated in the confidentiality measures or with the written consent of the customer. In addition, a Privacy Statement is posted on the official website to explain the personal data collection policies, the storage and protection measures for personal data, and the rights of customers to inquire about, correct, and delete such data. An email address is also provided as a channel for inquiries and feedback, in order to continuously implement the protection of personal data and privacy.