Information Security

Over the past few years, impacted by the pandemic, people have led lives that depend heavily on the Internet; as a result, information security and daily life have become closely intertwined. Consolidating the protection of information security has become an important issue in safeguarding customer rights and maintaining a robust and operational financial system.


Information Security Governance Strategy 

TCFHC follows domestic and foreign regulations, guidelines and business requirements on information security, such as the "Financial Holding Company Act", the "Guidelines for Cross Marketing among Subsidiaries of Financial Holding Company", the "Information Security Protection Criteria for Financial Institutions", and the "Personal Data Protection Act", to implement its "Information Security Policies", establish management systems and create task forces that enforce information security across the Group. On this basis, TCB established the "Information Security Management Committee" to build an information security risk management framework and established a Chief Information Security Officer position in accordance with the "Financial Cyber Security Action Plan" promoted by the FSC in 2021. In 2022, TCFHC also established a Chief Information Security Officer position equivalent in rank to an Executive Vice President, to oversee the implementation and coordination of information security policies, allocate resources, and strengthen the ability to implement and respond to information security issues. To deepen Board members' understanding of information security and incorporate information security risks substantively into business decision-making, TCB has held information security courses for its directors, supervisors, and senior management. In addition, TCB and BNP TCB Life have commissioned external information security professionals to participate in information security management meetings, provide consultations and suggestions on information security issues, and report the overall implementation status of information security for the previous year to the Board of Directors annually. To strengthen information security protection and improve information security governance, TCB continues to budget for various information security protection measures. The total information security budget for 2023 accounted for about 6.19% of the overall information budget and was used to build new systems and optimize the current information security protection system.


Information Security Emergency System

The Company has the "Guidelines for Responding to Computer Information Security Emergencies", an interdepartmental "Information Security Response Team" and a reporting system in place. Regular drills are organized to ensure employees are able to respond and to effectively reduce the impact of information security incidents. To mitigate the financial losses and impacts caused by system intrusion and to resume operations quickly, TCB purchased "Cyber Liability Insurance" in 2023 with an insured amount of NT$150 million, aiming to effectively reduce property losses through risk transfer.

Information Security Joint Defense, Information Sharing and Collaboration

The Group currently has 60 information security personnel. The information security and protection measures and their implementation status at each subsidiary are reviewed every six months. The Group's information security joint defense meeting is held to review the management and implementation of the information security joint defense. The Group's information security classification and information security governance system have been established to continue strengthening overall information security and data protection. To enhance information security intelligence sharing among financial institutions, the Company and its subsidiaries (TCB, TCS, BNP TCB Life, TCSIT, and TCBF) have all joined the "Financial Information Sharing and Analysis Center (F-ISAC)". Through the sharing of information security intelligence among members, the Company can assist in evaluating and proposing information security regulations and continue to improve relevant protection measures.

Obtaining International Standard Certification

To manage the confidentiality, integrity, availability, and legality of information, and to prevent the improper use, disclosure, alteration, damage, or loss of information and assets that may result from human neglect, intentional destruction, or natural disasters, which could affect business operations and harm the rights and interests of the Company and its customers, the relevant subsidiaries have introduced the "ISO 27001 Information Security Management System" and the "ISO 22301 Business Continuity Management System". These enhance the capability to respond to and manage information security incidents, protect the assets of the Company and its customers, and ensure that business operations continue without interruption in the event of any adverse incident.


Information Security Risk Assessment and Management

Major information security incidents targeting financial institutions around the world in 2023 can be divided into DDoS attacks, ransomware attacks, online phishing, financial institution supply chain hacks, fake financial institution apps, social engineering attacks, malware attacks and other known or potential risks. The frequency of these attacks has risen every year, and most originate from international hacker organizations. In 2023, the Group did not experience any information security or other Internet security incidents, and there were no cases in which revenue was reduced or fines were imposed due to abnormal IT equipment.

Regarding information security risks arising from emerging technologies, each subsidiary carries out assessments and checks, performs information security system testing, and obtains information security certification as means of enforcing information security management.


Information Security Training and Social Engineering Exercises

To make employees more aware of information security and better able to safeguard information, TCFHC continues to organize group-wide information security training every year. The completion rate for employees was 100% in 2023. In addition, both "social engineering email attack drills" and "DDoS attack drills" were held to strengthen the ability to respond to email and network attacks. The open rate and the click-to-open rates for links and attachments in the "social engineering email attack drills" had to be under 3%. All rates were under 3% for the Group in 2023.


External Certification

ISO 27001 (BSI)