Information Security

In recent years, the pandemic has significantly changed how people live, and many activities can now be done online. Information security is part of everyday life, and ensuring it has become an important issue for protecting customers’ rights and the stability of financial markets.


Information Security Governance Strategy 

TCFHC follows domestic and foreign regulations, guidelines and business requirements on information security, such as the “Financial Holding Company Act”, the “Guidelines for Cross Marketing among Subsidiaries of Financial Holding Company”, the “Information Security Protection Criteria for Financial Institutions”, and the “Personal Data Protection Act”, to implement its “Information Security Policies”, install management systems and create task forces in order to enforce information security across the Group. Based on this, TCB established the Information Security Management Taskforce to build an information security risk management framework and established a Chief Information Security Officer position in accordance with the “Financial Cyber Security Action Plan” promoted by the Financial Supervisory Commission in 2021. TCFHC also established a Chief Information Security Officer position equivalent to the position of Executive Vice President in 2022, to oversee the implementation and coordination of information security policies, allocate resources, and enhance the ability to implement and respond to information security issues. To increase the Board members’ understanding of information security and to substantively include information security risks in business decision-making, TCB has held information security courses for its directors, supervisors, and senior management. In addition, TCB and BNP TCB Life have also commissioned external information security professionals to participate in information security management meetings, provide consultations and suggestions on information security issues, and report the overall implementation status of information security in the previous year to the Board of Directors annually.

In order to strengthen information security protection and improve information security governance, TCB continues to prepare budgets for various information security protection measures. The total information security budget for 2022 accounted for about 6.9% of the overall information budget to build new systems and optimize the current information security protection system.

Information Security Emergency System 

The Company has the “Guidelines for Responding to Computer Information Security Emergencies”, an interdepartmental “Information Security Response Team”, and a reporting system in place. Regular drills are organized to ensure employees are able to respond and to effectively reduce the impact of information security incidents. To mitigate financial losses and impacts caused by system intrusion and to quickly resume operations, TCB purchased “Cyber Liability Insurance” in 2022, aiming to effectively reduce property losses through risk transfer.


Information Security Joint Defense, Information Sharing and Collaboration 

The whole Group currently has 60 information security personnel. The information security and protection measures and implementation status of each subsidiary are reviewed every 6 months. The information security joint defense meeting of TCFHC Group is held to review the management and implementation of the information security joint defense. The Group’s information security classification and information security governance system have been established to continue strengthening overall information security and data protection.

To enhance information security intelligence sharing among financial institutions, the Company and subsidiaries (TCB, TCS, BNP TCB Life, TCSIT, and TCBF) have all joined the Financial Information Sharing and Analysis Center (F-ISAC). Through sharing information on information security among members, the Company can assist in evaluating and suggesting regulations on information security and continue to improve relevant protection measures.


Obtain International Standard Certification 

To manage the confidentiality, integrity, availability, and legality of information and to prevent the improper use, disclosure, alteration, damage, or loss of information and assets that may result from human neglect, intentional destruction, or natural disasters, impacting business operations and harming the rights and interests of the Company and its customers, the relevant subsidiaries have introduced the “ISO 27001 Information Security Management System” and the “ISO 22301 Business Continuity Management System”. These enhance the capabilities to respond to and manage information security incidents, protect the assets of the Company and its customers, and ensure the continuity of business operations without interruption in the event of any adverse incident.

Information Security Risk Assessment and Management


Major information security incidents targeting financial institutions around the world in 2022 can be divided into DDoS attacks, ATM hacks, ransomware attacks, online phishing, financial institution supply chain hacks, fake financial institution apps, social engineering attacks, malware attacks and other known or potential risks. The frequency of these attacks has been rising every year, and most of the sources are international hacker organizations. In 2022, the Group experienced no information security or other internet security incidents, and there were no situations where revenue was reduced or fines were imposed due to abnormal IT equipment. However, on April 6, 2022, the Taiwan Stock Exchange imposed a fine on TCS for not adopting multi-factor authentication when logging in to place orders online and for inadequate protection of the verification methods for certificate application and renewal on the online ordering system. For details of the penalty reasons and subsequent improvement, please refer to Legal Compliance, Anti-Money Laundering and Combat of Terrorism Financing.

Regarding information security risks arising from emerging technologies, each subsidiary conducts assessments and checks, performs information security system testing, and obtains information security certification as means of enforcing information security management.

Information Security Training and Social Engineering Exercises


In order to make employees more aware of information security and better able to safeguard information, TCFHC continues to organize Group-wide information security training every year. The completion rate for employees was 100% in 2022. In addition, both “social engineering email attack drills” and “DDoS attack drills” were held to strengthen the ability to respond to email and network attacks. The open rate and the click-to-open rate for links and attachments in the “social engineering email attack drills” had to be under 3%. All rates were under 3% for the Group in 2022.

External Certification

ISO 27001 (BSI)