Title: Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.01.09 (Article 15 amended; English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
   Chapter 1 General Provisions
Article 1    (Purpose)
    For the purpose of strengthening the information and communication security of securities firms, futures commission merchants, and securities investment trust and consulting enterprises, these information and communication system protection reference guidelines are drafted addressing security issues concerning information and communication systems in accordance with the "financial data security action plan" of the Financial Supervisory Commission to improve data security of financial enterprises.
Article 2    (Applicability and Parties Governed)
    Parties governed by these guidelines include securities firms, futures commission merchants, securities investment trust enterprises, and securities investment consulting enterprises, and are divided into two types as below:
  1. Type 1:
    1. organizations appointing a chief information security officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets
    2. tiers 1, 2, and 3 securities firms in the Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection
    3. tiers 1, 2, and 3 futures commission merchants in the Establishing Information Security Inspection Mechanisms for Futures Commission Merchants – Schedule for Required Measures under Tiered Protection
  2. Type 2: organizations that are not Type 1
    The reference guidelines below address matters to be observed by both Type 1 and Type 2 organizations unless otherwise specifically remarked.
    If the data security management policy of a Taiwan subsidiary or branch of a foreign group is established and controlled by the foreign parent company or head office, the control measures established by the parent company or head office prevail if they provide for better regulation; if no such measures are in place, the policy shall comply with Taiwan laws and regulations.
Article 3    (Definitions)
  1. Information and communication system: a system used for collecting, controlling, transmitting, storing, circulating, or deleting information, or otherwise processing, using, and sharing information.
  2. Core system: an essential system that is directly available to a client for trading purposes or that supports the continued operation of trading businesses, such as a trading system, quotation system, middle-office risk control, after-hours clearing system, billing system, and other essential systems maintaining trading businesses. All other systems are non-core systems.
  3. Non-client account: an information and communication system account used by a non-client, such as one available to an internal staff member, administrator, or vendor (manufacturer).
  4. Information asset: an asset pertaining to the processing of information, including hardware, software, data, documents, etc., such as the operating system, applications, and other software of a server or a user's computer.