Title:

Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market

Amended Date: 2024.12.27 
Categories: Information Operations
   Chapter I – General Rules
Article 1    (Purpose)
    These directions on information and communication security control and management relating to the issues of risks of new technologies are established to assist securities and futures enterprises in securely and effectively managing and applying new technologies.
   Chapter II – Secured Operation of Cloud Computing Services
Article 2    (Definition relating to cloud services)
  1. Cloud services: Services that rely on shared computing resources made accessible through network technologies to provide users with flexible, scalable and self-service capabilities, such as the following types of cloud services:
    1. Infrastructure as a Service or IaaS: A cloud service provider provides information technology infrastructure to cloud service users via the Internet.
    2. Platform as a Service or PaaS: A cloud service provider provides platform tools to cloud service users.
    3. Software as a Service or SaaS: A cloud service provider provides application services to cloud service users via the Internet.
  2. Cloud service providers: Refer to enterprises providing cloud services, and enterprises providing application software services, tools or solutions to clients on a cloud platform.
  3. Risk-based approach (RBA): An organization shall identify, evaluate and understand the risks in its use of cloud services, and take appropriate control measures to effectively reduce these risks. According to this approach, the organization shall take strengthened measures in higher risk situations and may take relatively simple measures in lower risk situations to effectively allocate resources, and reduce the identified risks in its use of cloud services by appropriate and effective method.
  4. Exchangeability: Systems or data can be transferred from the originally contracted cloud service provider to another cloud service provider or transferred back to the organization.
  5. Industry-specific directions for operations outsourcing: For securities firms, it means the Directions for Operations Outsourcing by Securities Firms; for futures commission merchants, it means the Directions for Operations Outsourcing by Futures Commission Merchants; for investment trust enterprises and investment consulting enterprises, it means the Directions for Operations Outsourcing by Securities Investment Trust Enterprises and Securities Investment Consulting Enterprises.
  6. Materiality: Refer to the definition in the industry-specific directions for operations outsourcing.
Article 3    (Scope of application for directions on cloud services)
  1. The scope of application for these directions covers outsourcing of operations involving the business activities stated in the business license or customer information by an organization which involves use of cloud services, in which case the suggestions on management and control under these directions should be complied with.
  2. An organization whose use of cloud services is not covered by the scope in the preceding paragraph may refer to the control and management requirements under the directions and adopt necessary cloud services information security control and management.
  3. For operations outsourcing that involves cloud services by the Taiwanese subsidiary or branch of a foreign corporate group, if the outsourcing is handled by its foreign parent company or head office, the management and control measures established by the foreign parent company or head office may be referred to, provided that the requirements shall not be less than those under these directions. The Taiwanese subsidiary or branch of a foreign corporate group shall be required to create an appropriate internal control system and risk management mechanism for its business in Taiwan in full control of the control and management of part of its operation in Taiwan involving cloud service outsourcing.
Article 4    (Risk management of cloud services)
  1. An organization using cloud services shall establish the governing system for use of cloud services, and make plans for and acknowledge the following:
    1. To establish the cloud service management policy subject to review at last once annually.
    2. Roles, duties and responsibilities specific to the responsible entity and related entities in the use of cloud services; the responsible entity shall also take on the role of cloud financial, cost or resource management.
    3. To adopt the risk-based approach to evaluate and manage the potential risks in cloud services. It is advised that the evaluation include:
      1. Mode and scenario of use of cloud services;
      2. Business and data relating to cloud services;
      3. The organization’s requirements on feasibility and exchangeability of cloud services; and
      4. The organization’s management capability and experience with cloud services.
    4. For use of cloud services and control and management of related risks, proper diversity of risks shall be maintained. When multiple clouds or other diversity strategies are used, however, increased risks in higher complexity of operation shall also be considered.
    5. If an operation project is outsourced offshore, the requirements of data protection legislation of the jurisdiction where the cloud service provider processes and stores client data shall not be less than those in the R.O.C. In case of high risks, an organization shall take appropriate risk control and management measures.
    6. An organization shall create an adequate monitoring mechanism for risks in use of cloud services, e.g. monitoring cloud resources load, security protection and service availability, to facilitate continued business operation.
  2. The board of directors shall acknowledge and supervise the risks in the organization’s use of cloud services, and ensure to have sufficient resources, expertise and authority for control and management of cloud service risks.
  3. Relevant personnel of the organization shall be ensured to have the necessary professional knowledge and skills. Staff training shall be provided regularly during the use of cloud services, and its effectiveness shall be verified. The training may cover information security, risk awareness, cloud knowledge and skills, etc., to enhance staff’s capability to introduce, use and manage cloud services. The risk-based approach shall be used as the basis of decision-making and supervision.
Article 5    (Selection and due diligence of cloud service providers)
  1. An organization shall perform due diligence and regular review procedures for cloud service providers based on the cloud service mode in use for evaluations of service quality, backup mechanism, data destruction mechanism, resources logic partition mechanism, log retention mechanism, information and communication security protection capability, management of information and communication security reporting responsibility, business continuity operation and disaster recovery capability, professional knowledge and resources of contracted business, financial health, internal control and compliance of law of a cloud service provider to see if needs can be met. In the event of a deficiency in meeting the needs, other compensatory measures should be considered.
  2. An organization shall maintain the full ownership of the data processed by the contracted cloud service provider. A cloud service provider shall make sure not to be authorized to access client information, except for performance of requested services, and not to use this information for any purpose beyond the scope of request.
  3. To ensure the system can be relocated or the data can be migrated out of cloud services at the end of the services, an organization shall evaluate and determine if the cloud service provider can satisfy the following needs for cloud interoperability and portability:
    1. A cloud service provider may provide documents describing interoperability and portability of application programs and information processing for the organization’s reference.
    2. A cloud service provider is advised to use the virtualized platform, virtual machine file format, and data and file format commonly seen in the industry to ensure interoperability.
    3. If the cloud services provided by a cloud service provider involve accessing via application interfaces, it is advisable to use an open or public application programming interface (API) to ensure better portability of application components.
Article 6    (Cloud service audit)
  1. With regard to cloud service outsourcing operation, an organization shall have the ultimate responsibility for supervision of cloud service provider by performing periodic audits on cloud service provider. It is advised to have plans, according to risk-based approach, for audit frequency, what should be audited, time and method of audit. Where necessary, a third-party professional may be appointed to assist in the supervision. The industry-specific directions for operations outsourcing shall also be complied with.
  2. An organization shall ensure it, competent authority, industry association and its appointed person may access information or reports on the operation of the cloud service provider, including audit reports on client information and relevant systems, and perform audits.
  3. For cloud outsourcing operations involving materiality, it is advised the key audits on cloud services shall include:
    1. Physical security control and management mechanism of the server room enabling cloud services.
    2. Important systems and control links relating to operation by cloud service provider.
    3. Contents of reports provided by cloud service provider during due diligence.
    4. Data deletion and disaster recovery process on the cloud platform.
    5. The cloud service provider’s business continuity control measures.
    6. Appropriateness of implementation of cloud service operation, and compliance with the relevant international information security standards and privacy protection standards.
  4. Improvements by cloud service provider based on the audit results shall be followed up on a continuous basis to ensure it takes proper and timely alternatives.
Article 7    (Cloud service supply chain management)
  1. For supply chain management of cloud service outsourcing operation, the Reference Directions for Information and Communication Systems and Service Supply Chain Risk Management shall be referred to.
  2. If a cloud service provider is appointed to operate a natural person’s business information system involving materiality, the contract or agreement shall include the terms on migration of outsourced services to another cloud service provider or transfer back to the organization, the original cloud service provider’s obligations on system migration and data processing, and the cloud service provider’s compensation liability for service interruption.
  3. If the terms of the contract or agreement do not meet the requirements in the first and second paragraphs of this article, adequate evaluations shall be performed and alternatives shall be planned based on risks to ensure performance of ultimate obligations to supervise the cloud service provider.
Article 8    (Control and management of information security of cloud services)
    When using cloud services, an organization shall, in accordance with risk-based approach, implement appropriate control and management measures, such as availability of only necessary port, protocols and services, virus protection, security breach evaluation system, and monitoring of file integrity.
  1. Encryption and key management
    1. For transmission and storage of client data to cloud service provider, there should be effective protection measures in place such as encryption or codification of client data, and an adequate encryption key management mechanism shall be created.
  2. Identification and access control
    1. Access authority for cloud services should be managed on the principle of least privilege (minimization), with appropriate security control and management measures, such as multi-factor authentication, audit trails, IP filtering, firewalls and Transport Layer Security (TLS) for communications.
    2. In case of direct access to cloud services via the Internet, access control measures such as identification of identity, equipment and source IP shall be strengthened.
    3. Privilege accounts, e.g. accounts with authority to change configuration setup of cloud services, shall be subject to multi-factor authentication.
  3. Audit trails and monitoring
    1. Information about audit trails and monitoring of cloud service platform operation shall be retained.
    2. There shall be threat and vulnerability detecting and management procedure that continues to watch for threats and vulnerabilities relating to cloud services, and regularly evaluates impact of these threats and vulnerabilities on use of cloud services and effectiveness of network security defense measures.
    3. It is advisable to create rules that link monitoring and analysis of scenarios for cloud security events to enable early detection of potential information security risks.
    4. It is advisable to implement central management of audit trails and monitoring information.
    5. Cloud platform audit trails shall not include unencrypted operation or important client data.
    6. Where an organization’s cloud services also incorporate interface with on-premise information environment, it is advisable to consider boundary protection between cloud and on-premise services and create methods such as logs and monitoring and control analysis.
  4. Security of infrastructure
    1. To ensure use of images from reliable sources for management integrity of images and to retain records of changes to images.
    2. To ensure use of proper measures for management of virtual machines and containers in use.
    3. To ensure a cloud service provider shall provide the information about isolation of virtual machines depending on the needs, and should immediately notify the organization when the isolation fails.
    4. To implement advanced threat defense strategies such as protection against data breach and cross-service attacks and continued protection against threats for protection of access to the cloud environment.
  5. Configuration security
    1. To implement the cloud service configuration management mechanism to properly control the records of changes to cloud service configuration.
  6. Data security
    1. Where registration, processing, exporting or storage of organization data (including client data) are involved, an organization shall ensure the cloud service provider has relevant mechanism in place to ensure security and integrity of data migration upon maintenance and replacement of equipment (e.g. disk replacement), and all organization data on the obsolete equipment shall be deleted or destroyed, and the records of these deletions or destructions shall be retained.
    2. For cloud services involving cross-border transmission of personal data, an organization shall have the encryption transmission system in place, and make sure to comply with the Personal Data Protection Act of the Republic of China for a cloud service provider’s collection, processing, use, international transmission and control and management of personal data. The data subject’s authorization should be obtained prior to transmission and no transmission may violate the competent authority’s restrictions on international transmission. The full audit records should be kept.
    3. Client data processed by contracted cloud service provider and the place of storage shall be subject to the following requirements:
      1. An organization shall have the authority to designate the place where data is processed and stored.
      2. The requirements of local data protection law in an offshore location shall not be less than those in the R.O.C.
      3. As a principle, the client data of a natural person’s business information system involving materiality shall be stored within the territory of the R.O.C. Where the data is stored outside of the R.O.C., unless otherwise approved by the competent authority, important client data shall have copies retained in the R.O.C.
    4. It is advisable to control and manage access to cloud services based on the purpose of use of cloud services.
  7. For outsourced cloud operation involving materiality, an organization is advised to take the following information security control and management measures:
    1. Adopt standardized Internet protocols. For transmission of sensitive information, it is advisable to adopt encrypted protocols such as Hypertext Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP).
    2. Regularly evaluate the infrastructure security management mechanism for cloud services to ensure use of cloud services complies with the organization’s information security policies and other related requirements.
    3. Use the encryption keys managed by the organization for enhanced control over keys.
    4. Encryption tools and keys are stored in a separate and secure online environment and access is subject to restriction.
    5. Avoid use of operation data in the tests and validation of cloud services.
    6. Monitor and regularly review use of data saved on cloud to prevent breach of customer’s privacy and operation secrets.
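Article 8 reads as a checklist, and a practical way to apply it is as a policy-as-code review of the tenant's configuration. The block below is an added illustration, not part of the Directions and not any cloud provider's own tooling: the configuration dictionary layout (`accounts`, `network_rules`, `endpoints`, `storage`, `audit`) and the two sample tenants are constructed assumptions, and each check names the Article 8 control it reflects (necessary ports only, MFA on privileged accounts, IP filtering, TLS, organization-managed keys, centrally collected audit trails).

```python
"""Policy-as-code review of a cloud tenant configuration.

Added illustration, not part of the Directions. The configuration
layout below is a constructed assumption, not any provider's real API;
each check names the Article 8 control it reflects.
"""
from dataclasses import dataclass

UNRESTRICTED_SOURCES = {"0.0.0.0/0", "::/0"}   # "anyone on the Internet"
MIN_TLS_VERSION = (1, 2)


@dataclass(frozen=True)
class Finding:
    control: str    # Article 8 control the finding maps to
    resource: str   # account, rule, endpoint, storage, platform
    message: str


def _version_tuple(version: str) -> tuple:
    """'1.2' -> (1, 2) so TLS versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_config(cfg: dict, necessary_ports=frozenset({443})) -> list:
    """Return the Article 8 findings for one tenant configuration."""
    findings = []

    # Identification and access control: privileged accounts need MFA.
    for acct in cfg["accounts"]:
        if acct["privileged"] and not acct["mfa"]:
            findings.append(Finding("access control", acct["name"],
                                    "privileged account without multi-factor authentication"))

    # Only necessary ports/services, and IP filtering on whatever is exposed.
    for rule in cfg["network_rules"]:
        label = f"{rule['port']}/{rule['protocol']} from {rule['source']}"
        if rule["port"] not in necessary_ports:
            findings.append(Finding("necessary ports only", label,
                                    "port is not on the list of necessary services"))
        elif rule["source"] in UNRESTRICTED_SOURCES:
            findings.append(Finding("access control", label,
                                    "no source IP filtering on an exposed service"))

    # TLS for communications: endpoints must not accept versions below 1.2.
    for ep in cfg["endpoints"]:
        if _version_tuple(ep["tls_min_version"]) < MIN_TLS_VERSION:
            findings.append(Finding("access control", ep["name"],
                                    f"TLS minimum version {ep['tls_min_version']} is below 1.2"))

    # Encryption and key management: data encrypted, keys held by the organization.
    for store in cfg["storage"]:
        if not store["encrypted"]:
            findings.append(Finding("encryption", store["name"], "client data stored unencrypted"))
        elif store["key_owner"] != "organization":
            findings.append(Finding("key management", store["name"],
                                    "encryption key is managed by the provider, not the organization"))

    # Audit trails and monitoring: logging on and forwarded to a central store.
    audit = cfg["audit"]
    if not audit["enabled"]:
        findings.append(Finding("audit trails", "platform", "audit logging disabled"))
    elif audit["central_sink"] is None:
        findings.append(Finding("audit trails", "platform",
                                "audit trails are not forwarded to a central log store"))
    return findings


def is_compliant(cfg: dict) -> bool:
    return not check_config(cfg)


# Constructed sample: a weak tenant, then the same tenant after remediation.
WEAK_CONFIG = {
    "accounts": [{"name": "ops-admin", "privileged": True, "mfa": False},
                 {"name": "reporting", "privileged": False, "mfa": False}],
    "network_rules": [{"port": 443, "protocol": "tcp", "source": "203.0.113.0/24"},
                      {"port": 22, "protocol": "tcp", "source": "0.0.0.0/0"},
                      {"port": 3389, "protocol": "tcp", "source": "0.0.0.0/0"}],
    "endpoints": [{"name": "api", "tls_min_version": "1.0"}],
    "storage": [{"name": "client-data", "encrypted": True, "key_owner": "provider"}],
    "audit": {"enabled": True, "central_sink": None},
}
HARDENED_CONFIG = {
    "accounts": [{"name": "ops-admin", "privileged": True, "mfa": True},
                 {"name": "reporting", "privileged": False, "mfa": True}],
    "network_rules": [{"port": 443, "protocol": "tcp", "source": "203.0.113.0/24"}],
    "endpoints": [{"name": "api", "tls_min_version": "1.2"}],
    "storage": [{"name": "client-data", "encrypted": True, "key_owner": "organization"}],
    "audit": {"enabled": True, "central_sink": "central-siem"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = check_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.control}] {f.resource}: {f.message}")
```

The weak tenant produces six findings (MFA missing on the privileged account, two unnecessary ports, TLS 1.0, provider-held key, no central log sink); the hardened tenant produces none. Running such a check on every configuration change ties the Article 8 configuration-management requirement to the access-control, encryption and audit-trail items in one place.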
Article 9    (Management of continuity and exit of cloud services)
  1. An organization shall prepare an operation continuity management plan by conducting operation impact analysis on the information system enabling cloud services, evaluating resilience and ability of recovery of cloud services, and considering the venue where the assets, resources and data involving cloud services are located, and recovery ability of the cloud service provider.
  2. With regard to outsourced cloud operation involving materiality, when planning the test or exercise program for business continuity of cloud services, an organization shall, according to risk-based approach, determine the frequency and method of tests or exercise. It is advisable to consider preparation and establishment of operation continuity test or exercise program for cloud services in collaboration with cloud service provider, and where circumstances allow, ask the cloud service provider to participate in joint tests or exercise.
  3. An organization shall create the cloud data backup mechanism, and keep a list of backup copies. The media where backup data is stored or backup files shall be properly protected to ensure availability of information and prevention of unauthorized access.
  4. An organization shall establish the information security event reporting and management mechanism for use of cloud services.
  5. An organization shall, prior to adoption of cloud services, formulate the transfer strategies and plans for termination of use of cloud service, to ensure the services can be successfully transferred to another cloud service provider or migrated back to the organization for self-operation upon termination or end of a contract of operation.
  6. An organization shall ensure, upon termination of the outsourcing contract or termination of use of cloud services, deletion or destruction of all archived data kept by the cloud service provider (such as images of a virtual machine, storage space, cache space, backup media, client information or sensitive information) and shall ask the cloud service provider to provide the proof of a full deletion of data.
   Chapter III – Security Control of Social Media
Article 10    (Definition of social media)
    An online application combining technologies, social interactions and content creation, allowing creation or exchanges of contents generated by its users. On this highly interactive platform, individual users or groups of individual users can share, co-create, discuss and change the content generated by the users.
Article 11    (Scope of application of directions on social media)
    For purpose of these directions, the social media do not include the social media or platform used for internal communications within an organization.
Article 12    (Social media use policy)
  1. An organization shall prepare the social media use policy that should be reviewed at least once a year to govern its employees’ use of social media, covering:
    1. defining what social media and functions may be used, and the rules of use;
    2. defining what business related information may be shared on the social media;
    3. defining the distinction between social media for personal use and for business use, and important information; and
    4. defining what a specific role is authorized to speak on social media, and avoiding unauthorized statements about business affairs.
  2. An organization shall assess the degree of risks in the social media employees are allowed to use based on the types of social media, including, unauthorized data disclosure, social engineering, attacks by malware, and take adequate security control and management measures against high risks, such as educational trainings or promotion of awareness, content filtering and monitoring, and preventive measures including detection of malware.
Article 13    (Official social media profile operated by organization)
  1. An organization shall understand the privacy policy of the social media operator before launching its official profile, and regularly examine changes in its privacy policy and evaluate its risks.
  2. When an organization provides a link on its official website that will take a user to the social media pages outside the organization, there should be a prompt window informing the user that by clicking the link they will be taken to a website not owned by the organization.
  3. The social media profile operated by the organization shall identify the organization’s name, contact method and license number so that visitors will know it is an official social media profile operated by the organization.
  4. When operating the social media profile, an organization shall create the account access control system, and establish the screening and monitoring policy on the published contents. Its monitoring should at least cover efforts to prevent disclosure of client’s privacy and the organization’s secrets, posts published by unauthorized user or fake profile owner, and prevent attacks or disparaging remarks against other enterprises in the same trade.
Article 14    (Establish irregularity reporting and complaint processing method)
  1. An organization shall establish the social media irregularity reporting procedures. The management body of its official social media profile is advised to monitor the discussions on the social media profile on a random basis, and make necessary reporting or take necessary measures in the event of improper comments or irregularities.
  2. The social media profile operated by an organization shall identify the contact method for clients to file a complaint and the liaison who handles complaints.
   Chapter IV – Security Control and Management of Mobile Devices
Article 15    (Definition of mobile devices)
  1. Mobile device: A portable device with the functions of computing, processing and storing data, and online connection, including but not limited to smart phones, laptop computers, tablets and PDAs.
  2. Bring Your Own Device (BYOD): A non-organizational portable mobile device used for handling organizational affairs that directly connects to the organization’s network equipment or services, with the functions of computing, processing and storing data, and online connection.
Article 16    (Scope of application of directions on mobile devices)
    For purposes of these directions, a mobile device is limited to a mobile device used for handling sensitive affairs defined within the organization that can directly connect to the organization’s network equipment and services.
Article 17    (Control and management of mobile device and equipment for business use)
  1. An organization shall establish the regulations for application for, use, renewal, return and loss of a mobile device.
  2. When there is a change in the staff of the organization, a mobile device should be reset or the settings should be cleared to ensure the mobile device has a secure environment.
  3. An organization shall conduct risk assessments on mobile devices and resources accessible to the mobile devices, and implement appropriate security control and management measures based on the results of the risk assessments, such as screen lock, restrictions on accessing sensitive information, installation of antivirus software programs, installation of mobile device management software, etc.
  4. An organization is advised to take the following security control and management measures on mobile devices storing sensitive information:
    1. It is required a mobile device has an identity verification mechanism.
    2. It is required an authorized party changes the settings of the environment of the operating system of a mobile device.
    3. It is required to conduct regular examinations of the operating system and antivirus software programs of the mobile device and to prevent the owner from making unauthorized changes to the settings, such as jailbreaking or rooting.
    4. It is required a mobile device has a method for data deletion when the device is lost, e.g. deleting data remotely, or automatic deletion of data after a certain number of failed identification verifications have taken place.
    5. It is required a mobile device imposes restrictions on or turns off unnecessary wireless connection, such as NFC, infrared, Wi-Fi or Bluetooth.
    6. It is required a mobile device adopts an encryption or data redaction method for protection of transmission of sensitive information.
    7. It is required a mobile device prevents storing of sensitive information on the mobile device, or encrypts sensitive information for protection.
  5. A mobile device used to handle an organization’s business should avoid installation of an unofficial mobile application or should install only the installable mobile applications that have passed testing as listed by the organization.
Article 18    (Management of BYOD)
  1. An organization shall periodically review and restrict the purpose and period of use of the BYOD and the type of data used on the BYOD.
  2. An organization shall sign the agreement of use of Bring Your Own Device (BYOD) with the owner of the BYOD, including the terms and conditions on use restrictions and the liabilities of the parties etc.
  3. An organization is advised to prohibit unauthorized connections of the BYOD to the Internet via its internal information and communication equipment.
Article 19    (Security control and management of a mobile app)
  1. An organization shall take appropriate measures to deidentify information when sending sensitive information to a user via text message or other messaging method via its mobile app.
  2. An organization shall create the detection system to identify fake mobile apps to protect the rights and interests of its clients.
  3. When activating a mobile app, an organization shall alert users of its app of potential risks if it detects the user's mobile device may be compromised (such as rooting, jailbreaking and USB debugging).
Article 20    (Control and management of release of a mobile app)
  1. Before releasing its mobile app, an organization shall examine to make sure the authorization required for the mobile app is adequate for the services to be provided. First release or changes to authorization should be approved by the information security and compliance departments and records should be kept to help a comprehensive evaluation to determine whether the notification obligations under the Personal Data Protection Act have been performed.
  2. An organization shall release its mobile app on a reliable app store or website and shall at the same time of the release provide information about what sensitive information may be accessed, resources of mobile device and declared authorization and use.
  3. For a mobile app to be used by clients, an organization shall, prior to the first release and on a yearly basis, appoint a qualified third-party testing laboratory certified by the Taiwan Accreditation Foundation (TAF) to conduct and complete the information security testing with a satisfactory test result. The test should be performed consistently with the basic mobile app information security tests published by the implementing organization Mobile Application Security Alliance, appointed by the Industrial Development Bureau, Ministry of Economic Affairs. For a mobile app not to be used by clients, an organization shall refer to the above information security test standards during development and design of the app.
  4. When updates to the released app are necessary within one year after the laboratory test, the organization shall perform the test or appoint a third party to perform the test on important updates prior to every release. Important updates are changes to the functions relating to “placing orders”, “accessing account information”, “identity verification” and “changes relating to client’s important rights and interest”. The tests should be based on the most current OWASP Mobile Top 10 and the related test records should be kept, and completion of improvement shall be verified by the unit (or personnel) responsible for information security. In case of an urgent release (subject to approval of an appropriate level of authority), improvement shall still be completed within one month.
  5. The organization shall establish the review system based on the basic mobile app information security tests published by the implementing organization Mobile Application Security Alliance, appointed by the Industrial Development Bureau, Ministry of Economic Affairs, for the test reports delivered by the third-party laboratory to ensure the tests have been conducted in accordance with the requirements, and the review records should be kept. The review records shall be submitted to the unit (or personnel) responsible for information security for monitoring, and completion of improvement shall be verified by the unit (or personnel) responsible for information security.
   Chapter V – Security Control and Management of the Internet of Things (IoT) Equipment
Article 21    (Definition and scope of application for directions on IoT equipment)
    For purpose of these directions, IoT equipment refers to an embedded system (with a small operating system) enabling Internet connection that is connected to the Internet or Intranet (the “equipment”), including office automation (OA) equipment (such as digital recorders, IP-PBX (Private Branch eXchange), fax machines, audio recorders, copy machines and surveillance systems), and detectors without a remote operation and control interface.
Article 22    (Equipment inventory and evaluation)
    An organization shall prepare the management list of the IoT equipment that should be updated at least once a year for identification of purpose of equipment, online setups (including online IP, connection method and port in use), storage location and managers, and evaluate appropriate physical environment control and management measures and access/authorization control.
Article 23    (Equipment and software control and management)
    The IoT equipment installed by an organization shall have a security updating system and updates should be made regularly to maintain the functions and integrity of the equipment.
Article 24    (Control and management of access to equipment)
    The IoT equipment installed by an organization shall have an identity verification system or a pairing and bonding system, and shall require the initial password to be changed. User authorization should be granted on a minimal basis to ensure that only authorized users may access data, manage the equipment and apply security updates.
Article 25    (Control and management of equipment connection)
    An organization shall turn off or disable unnecessary network connections and services of the IoT equipment and avoid using a publicly reachable Internet address. If the equipment uses a public Internet address, a firewall in front of the equipment should be in place for protection, and access should be filtered based on a white list. If the equipment connects to the network via a wireless network, a wireless access point with an encryption protocol should be used for the connection, and only network interface cards whose addresses are on the white list may access the equipment, or other protection measures should be taken.
Article 26    (Control and management of equipment purchases)
    Before purchasing the IoT equipment, an organization shall perform evaluations and tests in accordance with Articles 23 and 25. It is preferable to purchase the IoT equipment with the information security certification mark.
Article 27    (Supplier management)
    If an organization signs a purchase agreement with an IoT equipment supplier, the agreement should include terms and conditions on information and communication security stating the relevant responsibilities (e.g. service undertakings, the period for security updates, voluntary reporting of known security vulnerabilities in the equipment and provision of relevant action plans) to ensure the equipment has no known security vulnerabilities.
Article 28    (Control and management of awareness of IoT)
    An organization shall regularly provide information security trainings to the staff who are using and managing the IoT equipment.
Article 29    (Control and management of exceptions)
    When becoming aware that the IoT equipment has known defects that cannot be corrected via an update, or that the requirements under Articles 23 to 25 cannot be met due to limitations of the equipment’s functions, an organization shall disconnect the equipment from the network, or connect it only when necessary, and make a plan to retire and replace the equipment. Prior to replacement, the equipment should be placed on an independent network segment separated from the intranet.
Article 30    (Control and management of sensors without management functions)
    While sensors of IoT equipment without management functions have simpler functions and involve less risk, an organization shall still follow the requirements under Articles 22, 25, 26, 27, 28 and 29 of these directions.
   Chapter VI – Security Control and Management of Identity Verification for Electronic Trading
Article 31    (Definition of identity verification for electronic trading)
    Identity verification for electronic trading refers to verification of a user’s identity information prior to the electronic consigned trading agreed to with an organization.
Article 32    (Electronic trading)
    Electronic trading refers to the electronic consigned trading by a client under Article 75 of the Operating Rules Of the Taiwan Stock Exchange Corporation, Article 62 of the Taipei Exchange Rules Governing Securities Trading on the TPEx, Article 23 of the Taipei Exchange Rules Governing the Trading of Emerging Stocks on the TPEx, Article 48 of the Operating Rules of the Taiwan Futures Exchange Corporation, Article 2 of the Operating Guidelines for Electronic Trading by Domestic Securities Investment Trust Funds of the Securities Investment Trust and Consulting Association of R.O.C., and Article 2 of the Operating Guidelines for Electronic Trading by Offshore Funds of the Securities Investment Trust and Consulting Association of R.O.C.
Article 33    (Scope of application for directions on identity verification for electronic trading)
    The identity verification for electronic trading as defined under these directions applies only to the systems processing trading via the Internet, not including services enabled by telephone calls, Direct Market Access (DMA), or Co-Location.
Article 34    (Information protection measures for electronic trading)
    Information protection measures should have security designs that ensure confidentiality, integrity, authentication and non-duplication, and should satisfy the following requirements:
  1. Confidentiality: Information should be encrypted using an algorithm with a security level at or above AES 128 bits, RSA 2048 bits or ECC 256 bits. A communication protocol at or above TLS 1.2 should be adopted, and key exchange should be performed via Elliptic Curve Diffie-Hellman (ECDH).
  2. Integrity: Information should carry a message authentication code (MAC) or be encrypted using an algorithm with a security level at or above SHA 256 bits, AES 128 bits, RSA 2048 bits or ECC 256 bits.
  3. Authentication: Information should carry a message authentication code (MAC), be encrypted, or contain a digital signature using an algorithm with a security level at or above SHA 256 bits, AES 128 bits, RSA 2048 bits or ECC 256 bits.
  4. Non-duplication: Information shall be generated using methods such as a serial number, a one-time random number (nonce) and a time stamp.
  5. Non-repudiation: Information should carry a message authentication code (MAC) using an algorithm with a security level at or above SHA 256, and contain a digital signature using an algorithm with a security level at or above RSA 2048 bits or ECC 256 bits.
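The integrity, authentication and non-duplication requirements above can be met together on a single order message. The following is an added example written for this page, not code from the directions or from any trading system: the sender attaches a per-account serial number, a one-time nonce, a time stamp and an HMAC-SHA256 tag, and the receiver verifies the tag in constant time and then rejects stale, replayed or reordered copies. The shared key, the message fields, the clock-skew window and the sample order are all constructed for the example.

```python
"""Added example (not from the directions): an order message carrying a serial
number, one-time nonce, timestamp and HMAC-SHA256 tag, with a receiver that checks
integrity/authentication and rejects replayed, reordered or stale copies.
The shared key, message fields, skew window and sample order are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed 256-bit shared secret; in production it would live in an HSM or KMS.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
MAX_CLOCK_SKEW = 60  # seconds a timestamp may differ from receiver time (assumption)


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so sender and receiver MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def protect(order: dict, serial: int, key: bytes = SHARED_KEY,
            now: Optional[float] = None) -> dict:
    """Attach serial, nonce, timestamp and MAC (Article 34 items 2 to 4)."""
    msg = dict(order)
    msg["serial"] = serial                      # monotonically increasing per account
    msg["nonce"] = secrets.token_hex(16)        # one-time random number
    msg["ts"] = int(now if now is not None else time.time())  # time stamp
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Server-side verifier that remembers the last serial and seen nonces per account."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_serial = {}   # account -> highest serial accepted
        self.seen_nonces = {}   # account -> set of nonces already accepted

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Integrity and authentication: constant-time comparison of the tag.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        acct = msg.get("account", "")
        # Freshness: a copy delivered outside the window is rejected.
        if abs(now - msg["ts"]) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"
        # Non-duplication: the serial must advance and the nonce must be unseen.
        if msg["serial"] <= self.last_serial.get(acct, 0):
            return False, "serial reused"
        seen = self.seen_nonces.setdefault(acct, set())
        if msg["nonce"] in seen:
            return False, "nonce reused"
        self.last_serial[acct] = msg["serial"]
        seen.add(msg["nonce"])
        return True, "ok"


if __name__ == "__main__":
    rx = Receiver()
    order = {"account": "A-0001", "symbol": "2330", "side": "buy", "qty": 1000}
    first = protect(order, serial=1, now=1_700_000_000)
    print(rx.verify(first, now=1_700_000_000))                  # (True, 'ok')
    print(rx.verify(first, now=1_700_000_000))                  # (False, 'serial reused')
    print(rx.verify(dict(first, qty=2000), now=1_700_000_000))  # (False, 'bad mac')
```

The MAC is checked before any state is consulted, so a forged or tampered message never advances the serial or consumes a nonce. Non-repudiation (item 5) additionally needs a digital signature with a key held only by the client, which a shared-key MAC alone cannot provide; that part is not shown here.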
Article 35    (Management of identity verification method for electronic trading)
  1. Except for the methods otherwise provided under the Guidelines for Security Control and Management of Use of Fast Identity Verification Methods by Financial Institutions, when an organization allows log-in for electronic trading, its security design should implement any two or more of the following three technologies:
    1. Information agreed with the organization not known to a third party (e.g. PIN, pattern lock or gesture lock).
    2. The organization shall verify the physical device (e.g. password generator, PIN card, chip card, computer, mobile device, certification carrier) held by the client is the device agreed to by the client and the organization.
    3. The organization shall directly or indirectly verify the biometrics (e.g. fingerprints, face, iris, voice, palm prints, vein, signature) owned and provided by the client to the organization. Indirect verification means authentication by the device at the client (e.g. mobile device) or verification by an appointed third party, in which case the organization accesses only the results of verification and may add an authentication where necessary. In the case of indirect verification, the organization shall first review the validity of the client’s identity verification method.
  2. Where an organization uses a PIN as the verification method, the organization shall apply an irreversible computation (such as a hash function) before storing the PIN. Further, to prevent guessing of a PIN by using pre-generated hash values, the information should be encrypted or the computation should include data unknown to an attacker (a salt). In the case of encryption, the key shall be stored within a hardware security module certified by a third party (such as to FIPS 140-2 Level 3 or a higher standard) and export of the key in plaintext shall be restricted.
  3. When an organization directly verifies biometrics and stores the biometric data in its internal system, it should de-identify the original biometric data so that it is difficult to reverse, store the data by encrypting the original biometric data and the alias ID, and store different parts of the biometric data separately on different storage media (e.g. databases). The encryption key shall be stored on equipment meeting standards higher than FIPS 140-2 Level 3, or an equivalent certified security level, to prevent export or duplication of the private key.
  4. When directly verifying biometric data, an organization shall establish its error tolerance rate and the standards for that rate based on its risk capacity, and perform examinations prior to release as well as regular examinations on an annual basis. There shall be compensating measures for any inconsistency with the organization’s requirements. For technologies of indirect verification of biometric data, it should perform regular examinations on an annual basis, collect information security threat intelligence and create compensating measures. In the case of indirect verification, it should first review the validity of the client’s identity verification method.
  5. When using a certificate as the verification method, an organization shall accept only certificates issued by a certification authority approved or permitted by the Ministry of Economic Affairs, and strengthen verification for the issuance of certificates (e.g. use of an OTP) to ensure that only the client him/herself may log in to the system.
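Paragraph 2 of Article 35 asks for an irreversible computation plus data unknown to an attacker before a PIN is stored. The block below is an added example written for this page, not code from the directions or from any product: each PIN record carries its own random salt and an iterated PBKDF2-HMAC-SHA256 digest, so the stored value cannot be reversed and a table of pre-generated hashes has nothing to match. The function names, the iteration count, the record format and the sample PINs are assumptions.

```python
"""Added example (not from the directions): storing a PIN only as a salted,
iterated hash (PBKDF2-HMAC-SHA256) so the stored value cannot be reversed and a
pre-generated hash table cannot be matched against it, because every record
carries its own random salt. Function names, the iteration count, the record
format and the sample PINs are assumptions."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumption; choose for the organisation's hardware
ALGORITHM = "pbkdf2_sha256"


def hash_pin(pin: str, salt: bytes = None) -> str:
    """Return an 'algorithm$iterations$salt_hex$digest_hex' record for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)   # the "unknown data"
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pin(pin: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record; constant-time compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                     # malformed record never verifies
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(pin: str) -> str:
    """What a naive store would hold: a bare hash with no salt."""
    return hashlib.sha256(pin.encode()).hexdigest()


def precomputed_table(pins) -> dict:
    """Unsalted digests of candidate PINs: the pre-generated table Article 35 warns about."""
    return {unsalted_sha256(p): p for p in pins}


def table_lookup_succeeds(stored_value: str, table: dict) -> bool:
    """True when a stored value can be read straight out of the pre-generated table."""
    return stored_value in table


if __name__ == "__main__":
    record = hash_pin("482913")                                  # constructed PIN
    print(verify_pin("482913", record), verify_pin("482914", record))  # True False
    # Two clients choosing the same PIN get unrelated records thanks to distinct salts.
    print(hash_pin("482913") != hash_pin("482913"))               # True
    table = precomputed_table(["482913", "123456"])
    print(table_lookup_succeeds(unsalted_sha256("482913"), table))      # True: guessable
    print(table_lookup_succeeds(record.split("$")[-1], table))         # False: salted
```

Storing the algorithm name and iteration count inside the record lets the cost be raised later without invalidating existing records, and `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched.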
Article 36    (Control and management of identity verification of electronic trading)
  1. An organization shall establish regulations governing applications, delivery, use, update and verification of identity of electronic trading.
  2. An organization shall encrypt all information relating to identity verification for electronic trading transmitted via the Internet throughout the whole transmission.
  3. An organization shall store information relating to identity verification for electronic trading after information has been hashed or encrypted.
  4. An organization shall verify the identity for electronic trading at its server to avoid the risks of verification being tampered with if it is performed on the client’s device.
  5. An organization shall use enhanced password functionality and conduct control and management, and shall always lock an account after five failed attempts to enter the correct password have taken place. An account may only be unlocked after the user’s identification is verified.
  6. An organization shall provide a method allowing periodic changes of password to its clients and implement enhanced password functionality requiring six or more characters containing both letters and digits or symbols (e.g. reminding a client to change his/her password via the method for changing the password when the same password has been in use for more than three months).
  7. An organization shall monitor and analyze, on a daily basis, the records of failed attempts to log in to accounts in the core system and of attempts to log in to non-client accounts.
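Items 5 to 7 of Article 36 describe controls that can be checked mechanically. The following is an added example written for this page, not code from the directions or from any trading platform: a password-policy check (six or more characters with letters and digits or symbols), a three-month change reminder, a login gate that locks an account after five failures and unlocks it only after an identity-verification step, and a daily report over constructed log lines that counts failed logins per account and logins to non-client accounts. The credential verifier, the account names, the log format, the 90-day reading of "three months" and the log lines are all assumptions.

```python
"""Added example (not from the directions): a login gate and daily monitoring
report for Article 36 items 5 to 7. The credential verifier, account names,
log format and log lines are constructed for the example."""
import re
from collections import Counter
from datetime import date, datetime, timedelta
from typing import Callable

MAX_FAILED = 5                          # item 5: lock after five failed attempts
MIN_LENGTH = 6                          # item 6: six or more characters
PASSWORD_MAX_AGE = timedelta(days=90)   # item 6: "more than three months" (assumed 90 days)
LOG_LINE = re.compile(r"^(\S+) user=(\S+) result=(ok|fail)$")   # constructed format


def password_meets_policy(password: str) -> bool:
    """Six or more characters, at least one letter and at least one digit or symbol."""
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit_or_symbol = re.search(r"[0-9]|[^A-Za-z0-9]", password) is not None
    return len(password) >= MIN_LENGTH and has_letter and has_digit_or_symbol


def password_change_due(last_changed: date, today: date) -> bool:
    """True when the same password has been in use longer than the allowed age."""
    return today - last_changed > PASSWORD_MAX_AGE


class LoginGate:
    """Counts failures per account and locks after MAX_FAILED; the lock survives
    a later correct password until an identity-verified unlock."""

    def __init__(self, verify: Callable[[str, str], bool]):
        self.verify = verify            # e.g. a salted-hash check, injected here
        self.failures = Counter()
        self.locked = set()

    def login(self, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"
        if self.verify(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILED:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user: str, identity_verified: bool) -> bool:
        """Unlock only after the user's identity was verified out of band."""
        if not identity_verified or user not in self.locked:
            return False
        self.locked.discard(user)
        self.failures[user] = 0
        return True


def daily_report(log_text: str, day: date, client_accounts: set) -> dict:
    """Item 7: failed attempts per account, logins to non-client accounts, and
    accounts that reached the lockout threshold, for one calendar day."""
    failed, non_client = Counter(), Counter()
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue                    # skip lines not in the expected format
        stamp, user, result = match.groups()
        if datetime.fromisoformat(stamp).date() != day:
            continue
        if result == "fail":
            failed[user] += 1
        if user not in client_accounts:
            non_client[user] += 1
    return {
        "failed": dict(failed),
        "non_client_logins": dict(non_client),
        "lockout_candidates": sorted(u for u, n in failed.items() if n >= MAX_FAILED),
    }


# Constructed sample: two client accounts and one non-client (administrative) account.
CLIENT_ACCOUNTS = {"c100234", "c100235"}
SAMPLE_LOG = """\
2024-12-20T09:15:02 user=c100234 result=fail
2024-12-20T09:15:09 user=c100234 result=fail
2024-12-20T09:15:20 user=c100234 result=ok
2024-12-20T09:40:11 user=admin result=ok
2024-12-20T10:02:45 user=c100235 result=fail
2024-12-20T10:02:51 user=c100235 result=fail
2024-12-20T10:02:58 user=c100235 result=fail
2024-12-20T10:03:04 user=c100235 result=fail
2024-12-20T10:03:10 user=c100235 result=fail
2024-12-21T08:00:00 user=c100234 result=ok
"""

if __name__ == "__main__":
    # Constructed verifier; a real one checks a salted hash, never a plaintext table.
    gate = LoginGate(lambda user, pw: (user, pw) == ("c100234", "Sx7!pq"))
    print([gate.login("c100234", "wrong") for _ in range(5)])   # 4 x 'denied', then 'locked'
    print(gate.login("c100234", "Sx7!pq"))                      # locked
    print(gate.unlock("c100234", identity_verified=True))       # True
    print(gate.login("c100234", "Sx7!pq"))                      # ok
    print(daily_report(SAMPLE_LOG, date(2024, 12, 20), CLIENT_ACCOUNTS))
```

The verifier is injected so the gate can sit in front of whatever credential store the organization uses; the gate itself never sees a stored secret. The report is keyed on the calendar day so it can be run once per day as item 7 requires.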
Article 37    (Audit trail of electronic trading)
  1. An organization shall keep the audit trail (e.g. login accounts, system functions, time, system names, inquiry instructions or results) or identification system of uses of personal information to facilitate tracking of uses of personal information when unauthorized disclosure occurs. The relevant trail information, evidence and records shall be kept for at least five years, unless otherwise provided under the law or by contract.
  2. An organization shall record and notify the account owner of account logins and occurrence of trading and keep the relevant records.
   Chapter VII – Security Control and Management of Deepfake Prevention
Article 38    (Definition of deepfake)
    Deepfake refers to computer-generated imagery or other technologies that allow the production or dissemination of video recordings, motion graphics, audio recordings, electronic images, photographs and any spoken words or behaviors that show a real person doing things that have not occurred.
Article 39    (Control and management of identity verification of telephone trading)
  1. When providing telephone trading services, an organization shall establish an identity verification procedure (e.g. a voice password, a randomly generated initial password, or information unrelated to identity as agreed with the party) to prevent unauthorized use of the services by a person other than the account owner.
  2. When a client is giving the authorization via voice services, the relevant telecommunication service provider should be asked to display the caller’s number so as to record the incoming telephone number.
Article 40    (Control and management of identity verification for video call)
  1. When verifying identity for a video call, an organization shall implement the one-time password (OTP), make a telephone call by its representative, or verify the identity of the person making the video call against his/her photo ID as part of the enhanced verification.
  2. When using video services, an organization shall validate the authenticity of the real environment in which the video call is taking place (e.g. random questions and answers) to prevent the use of prerecorded video.
  3. An organization shall keep the video recording or photograph for subsequent verifications.
Article 41    (Control and management of deepfake prevention)
    An organization shall conduct regular information security trainings every year and the trainings should cover topics such as awareness of deepfake and how to prevent deepfake.
   Chapter VIII – Use of Artificial Intelligence for Security Control and Management
Article 42    (Definition of Artificial Intelligence)
  1. Artificial intelligence (AI) system: Refers to a system that, through learning of a huge amount of data, uses machine learning or the algorithm of relevant modeling to imitate human learning, thinking and reaction modes such as feeling, expectation, decision-making, planning, reasoning and communication.
  2. Generative AI: A type of AI; refers to an AI system that has the ability to generate content imitating human intelligence through learning from a huge amount of data. The form of its content includes but is not limited to articles, images, audio, video and software code.
Article 43    (Scope of application for directions on AI)
  1. An organization shall follow the control and management advised in these directions when using AI in its direct interactions with consumers and provision of advice on financial products, or provision of customer services that may affect client’s rights and interests in financial trading or have a material impact on operation.
  2. For material impact on operation in this article, refer to the Directions for Operations Outsourcing by Securities Firms, the Directions for Operations Outsourcing by Futures Commission Merchants, and the Directions for Operations Outsourcing by Securities Investment Trust Enterprises and Securities Investment Consulting Enterprises for the definition of materiality.
  3. If a Taiwanese subsidiary or branch of a foreign business group provides the services in the first paragraph through the AI system provided by its foreign parent company or head office, it may follow the management and control measures established by its foreign parent company or head office, provided the requirements shall not be less than those under these directions. The Taiwanese subsidiary or branch of a foreign business group shall still establish an adequate internal control and risk management mechanism for its Taiwanese business to have a full control over control and management of its Taiwanese operation involving AI services.
Article 44    (Compliance of law)
    When using AI systems, an organization shall verify appropriateness of sources of information, and diligently comply with the financial and other legal regulations governing information and communication security, personal data protection, intellectual property rights and trade secrets.
Article 45    (Governance and powers and responsibilities of an organization)
  1. An organization shall appoint a senior executive or commission to be in charge of supervision and management of AI and create an internal governance structure, and designate a unit or personnel to take the responsibility for promotion and management of AI and provide necessary resources.
  2. An organization shall implement development of talents and provide adequate training resources to improve personnel’s understanding and ability of introduction, use and management of AI systems, adaptation to rapid development and changes of AI systems, and ability of proper risk-based decisions and supervision.
Article 46    (Risk management and regular reviews)
  1. When using AI systems, an organization shall, guided by the risk-based approach, review individual circumstances of use and perform risk assessments by considering whether or not to provide customer services or if there is a material impact on operation, amount of personal data being used, level of AI’s autonomy in decision-making, complexity of AI system, scope and width of impact on interested parties, and whether all remedy options are available.
  2. An organization shall establish adequate risk management and control measures and regular review mechanism depending on the level, characteristics or scope of risks based on the results of risk assessments.
  3. When conducting regular reviews, an organization shall assess whether the AI system meets the original purpose and risk level. For an AI system with a higher risk level, a third party with expertise in AI may be appointed to conduct reviews. It is advisable that these reviews cover data quality, model quality, system security, and equality, sustainable development, transparency and explainability. Relevant strategies and measures shall be adjusted and improved based on the results of reviews.
  4. Before using AI systems to provide financial services to consumers through direct interactions with AI, an organization shall perform evaluations on how data used in the system is governed, information and communication security, supervision mechanism, protection of consumer rights and response measures for unexpected event from the aspects of information security, compliance and risk control.
Article 47    (Management of operation outsourcing)
  1. When contracting a third-party provider to introduce AI systems, an organization is advised to assess the third-party provider to make sure it has relevant knowledge, expertise and experience.
  2. An organization shall include the terms on information security, data protection, subcontracting, scope of responsibility and penalty in the contract by considering outsourced services and its scope and establish an appropriate data or system migration mechanism in case of termination of contract.
  3. When using an AI system developed or operated by a third-party provider to provide financial services, an organization shall perform supervision and ensure that the third-party provider keeps written or digital operation records of its performance of the contracted services to facilitate subsequent follow-up, verification and management.
  4. For outsourcing of AI operation involving the business activities stated in the business license or client information, the Directions for Operations Outsourcing by Securities Firms, the Directions for Operations Outsourcing by Futures Commission Merchants, and the Directions for Operations Outsourcing by Securities Investment Trust Enterprises and Securities Investment Consulting Enterprises shall be complied with.
Article 48    (Principle of equality)
  1. When using AI, an organization shall adopt the people-oriented and human controllable measures in the design of algorithm, development, data collection, selection of training data, processing, building/generation/optimization of model, and subsequent application in financial services, to be in line with the principle of treating all clients equally respected by the financial service providers.
  2. For collection and processing of data and information, an organization is advised to use diverse data covering different backgrounds and characteristics, not relying solely on data of a single category or group, to reduce bias and discrimination against certain groups.
  3. If the following data parameters are included in algorithmic determination, such as name, residence, group, religion, nationality, ages not subject to limit or prohibition under the law, all physical characteristics (including but not limited to height, weight, sex, color, hair volume, and physical disability), or all diseases not involving incapacity causing inability to understand or make decisions on the financial product, evaluations of necessity from the aspects of information security, compliance and risk control shall be performed.
  4. For use of AI systems to provide financial services, it is advisable to evaluate the availability of remedy options, which may include complaint or remediation method, dispute resolution mechanism, etc. If the AI systems in use are related to anti-money laundering or fraud detection, for which availability of remedy option is advised against, no such options may be available.
Article 49    (Protection of data privacy)
  1. When using AI, an organization shall pay attention to protection of data privacy of individuals and the organization in its processing, storage, transmission and use of data, and shall have adequate protection measures in place to ensure security of its system and data and prevent unauthorized access, modification or disclosure of data.
  2. An organization shall on a minimum basis collect and process only necessary client information and avoid collecting excessive or unnecessary sensitive information.
Article 50    (Principles of security and stability)
  1. When AI is used during model building and validation stages (including pre-trainings and optimization trainings), an organization shall pay attention to the security and take effective measures, including but not limited to data quality processing, model validation and monitoring, in selection of models or algorithms and other relevant tools, to enhance training quality and prevent generation of improper information with the purpose of increasing accuracy and reliability of contents exported or generated by AI systems.
  2. An organization shall comply with information security regulations and create appropriate information security protection or management and control measures to prevent security threats and attacks, such as hacker attack and malware, and continue to monitor operation results to ensure the security of AI systems.
Article 51    (Principles of transparency and explainability)
  1. When using AI systems in its direct interactions with consumers, an organization shall inform consumers of the fact that the interactions or services are automatically completed by AI systems, or disclose the target groups of people, circumstances and purpose of the interactions or automatic financial services. It is advisable consumers are given options to decide whether or not to use the services and consumers shall be informed if there are alternatives to these services, unless otherwise provided by law.
  2. When using AI systems and technologies, if the use involves financial trading, an organization shall understand how decisions are made and increase the level of explainability to ensure an effective management of operation of AI systems.
Article 52    (Record retention)
    When developing and optimizing AI systems or have AI systems developed and optimized, an organization shall retain necessary technical documents and relevant records for the life cycle of the AI systems, including records of important data, models or algorithms that could influence decision making in the developer’s design, development and practice, to ensure these records can be available for examination when necessary.
Article 53    (Generative AI)
  1. An organization shall not totally trust the information generated by generative AI and shall instead perform objective assessments and management and control of the risks in the information, and shall not directly use the generated contents that have not been validated as the sole basis of decision making.
  2. Without a proper management and control system in place at the organization, no staff may provide to generative AI information that should be kept confidential or whose disclosure has not been consented to by the individual or the organization, nor shall they ask generative AI questions that may involve confidential business or personal data. Notwithstanding the above, in the case of closed generative AI deployed on site, certain confidential information may, where appropriate, be provided after the security of the system environment has been verified.
  3. When using a generative AI system developed by a third-party provider, if an organization cannot control the training process or ensure that the results from its data or computation meet the principle of equality, the organization shall have its staff perform objective and professional management and control of the risks in the information generated by the system.
  4. When introducing a generative AI system, an organization shall have an emphasis on whether equality and people-oriented value assessment would create bias or discrimination against certain groups of people, and reduce the possibility of inequality.
Article 54    (Principle of sustainable development)
  1. An organization shall respect and protect general employees’ right to work, including by providing adequate education and training to help them adapt to a new working environment during digital transformation.
  2. The organization’s strategies and implementation direction in its use of AI systems shall incorporate, as appropriate, comprehensive sustainable development indexes based on the international sustainable development objectives and the organization’s own sustainable development principle.