In recent years, rapid advancements in emerging technologies such as blockchain, high-speed computing, and artificial intelligence (AI) have significantly increased human reliance on the Internet, making information security closely intertwined with daily life. Implementing information security has become a critical issue for protecting customer rights and maintaining the stable operation of the financial system.
Information Security Governance Strategy
The Company follows domestic and foreign regulations, guidelines, and business requirements on information security, such as the “Financial Holding Company Act”, the “Guidelines for Cross Marketing among Subsidiaries of Financial Holding Company”, the “Information Security Protection Criteria for Financial Institutions”, and the “Personal Data Protection Act”, to formulate the “Information Security Policy”, establish management systems, and create taskforces in order to enforce information security across the Group. Based on this, TCB established the “Information Security Management Committee” to build an information security risk management framework and created a chief information security officer position in 2021. In addition, the Company established a chief information security officer position equivalent to the rank of executive vice president in 2022 to oversee the promotion, coordination, and resource allocation of information security policies, thereby enhancing the execution and response capabilities for information security issues.
To enhance the Board members’ understanding of information security and incorporate information security risks into business decision-making, TCB has held information security courses for its directors, supervisors, and senior management. In addition, TCB and BNP TCB Life have commissioned external information security professionals to participate in information security management meetings, provide consultations and suggestions on information security issues, and report the overall implementation status of information security for the previous year to the Board of Directors annually.
In order to strengthen information security protection and enhance information security governance, the Company and TCB continue to allocate investment budgets and implement various information security systems and protection measures. The Company’s information security budget for 2024 accounted for 36.52% of its overall information budget, while TCB’s accounted for 6.32%. To comply with regulatory requirements, the Company’s audit unit conducts business audits of the financial holding company and its subsidiaries every 6 months. The audit items include the information security management system to ensure the continued effective implementation of the internal control system.
Information Security Risk Assessment and Management
Major information security incidents targeting financial institutions around the world in 2024 can be categorized into DDoS attacks, ransomware attacks, online phishing, financial institution supply chain hacks, fake financial institution apps, social engineering attacks, malware attacks, and other known or potential risks. The frequency of these attacks has been increasing every year, with most originating from international hacker organizations. In 2024, the Group did not experience any information security or other Internet security events, nor were there any situations where revenue was reduced or fines were imposed due to abnormalities in IT equipment.
Regarding information security risks arising from emerging technologies, each subsidiary implements assessments and checks, performs information security system testing, and obtains information security certifications as means to enforce information security management.
Information Security Emergency Response System
The Company has formulated the “Guidelines for Responding to Computer Information Security Emergencies” and has an interdepartmental “Information Security Response Team” in place, as well as a reporting system. Regular drills are organized to ensure employees are able to respond and to effectively reduce the impacts of information security incidents. In addition, to mitigate financial losses and impacts caused by system intrusions and to quickly resume operations, TCB annually purchases NT$150 million of “Cyber Liability Insurance”, thereby transferring risk to reduce property losses.
Information Security Joint Defense, Information Sharing, and Collaboration
The Group currently has 60 information security personnel. The information security and protection measures and implementation status of each subsidiary are reviewed periodically every 6 months. A Group-wide information security joint defense meeting is held to review the management and implementation of the information security joint defense. The Group’s information security classification and governance system has been established to continuously strengthen overall information security and data protection.
To enhance information security intelligence sharing among financial institutions, the Company and its subsidiaries (TCB, TCS, BNP TCB Life, TCSIT, and TCBF) have all joined the “Financial Information Sharing and Analysis Center (F-ISAC)”. By exchanging information security intelligence among members, the Company can assist in evaluating and suggesting information security regulations and continue to improve its protection measures.
Obtaining International Standard Certifications
To manage the confidentiality, integrity, availability, and legality of information security, and to prevent improper use, disclosure, alteration, damage, or loss of information and assets that may occur due to human neglect, intentional destruction, or natural disasters, impacting business operations and harming the rights and interests of the Company and its customers, the relevant subsidiaries have introduced the “ISO 27001 Information Security Management Systems” and the “ISO 22301 Business Continuity Management Systems”. These systems enhance the capabilities to respond to and manage information security incidents, protect the assets of the Company and its customers, and ensure that business operations continue without interruption in the event of adverse incidents.
Information Security Training and Social Engineering Exercises
In order to enhance employees’ information security protection capabilities and awareness, TCFHC continues to organize Group-wide information security training every year. The employee completion rate was 100% in 2024. In addition, both “social engineering email attack drills” and “DDoS attack drills” were held to strengthen the ability to respond to email and network attacks. The target for the open rate and the click-to-open rates for links and attachments in the “social engineering email attack drills” was under 3%. All rates were under 3% for the Group in 2024.