II Securities firm work-from-home application process and application documents

1. Application process

(1) A securities firm applying for working from home to handle brokerage trading and transactions, dealer trading and transactions, and clearing and reporting etc. shall make the application to the Taipei Stock Exchange Corporation for special transfer to the competent authority for approval, in accordance with Article 1.(5) of the Securities Firms COVID-19 Response Measures. Notwithstanding, the securities firm may prepare the relevant documents to apply to the TWSE for preliminary examination to shorten the application procedure; if prevented by an emergency (e.g., lockdown, any confirmed case among employees etc.) from making a written application according to normal procedure, said firm may make a report to the TWSE by special means (e.g., email), followed by the submission of the relevant documents to the TWSE for the record after the incident.

(2) A securities firm applying for working from home to handle businesses other than brokerage trading and transactions, dealer trading and transactions, and clearing and reporting etc. shall make a report to the TWSE for recordation purposes, with the relevant documents (including the period, personnel deployment, business activities, and management measures in regard to the work-from-home arrangement) submitted, within three days prior to, or within three days from the date of, the work-from-home.

2. Application documents

A securities firm applying for working from home shall make a special application to the TWSE in advance, with a contingency plan and case list (as attached) containing the following presented:

(1) Availability period: The period available for work-from-home being sought may not exceed three months, provided an application with good cause may be made prior to expiration to the TWSE for special transfer to the competent authority for approval of a three-month extension. If prevented by an emergency from making a written application according to normal procedure, a securities firm may make a report to the TWSE by special means, followed by the submission of the relevant documents to the TWSE for the record after the incident.

(2) Personnel deployment: Information pertaining to personnel deployment. A senior officer must be designated as a point of contact with the TWSE.

(3) Business activities: Businesses handled during the work-from-home period are limited to those stated in the application (e.g., transactions, clearing). If the work-from-home application is to handle transactions only, clearing not covered by the application may be handled at the place of business only. If changes are necessary, an application shall be made to the TWSE for special transfer to the competent authority for approval. If prevented by an emergency from making a written application according to normal procedure, a securities firm may make a report to the TWSE by special means, followed by the submission of the relevant documents to the TWSE for the record after the incident.

(4) Operation and procedure: The operation and procedure of work-from-home must expressly describe the differences from working at the place of business.

(5) Control measures on transactions and employee conduct:
  A. The company shall establish measures to monitor the activities and communications of employees working from home. Work-from-home activities are limited to those approved by the company. Stricter reviews shall be conducted of the personal transactions of work-from-home employees, including that methods for managing the employees' communications and activities in connection with brokerage trading etc. shall be expressly prescribed. In principle no personnel responsible for reviewing and monitoring the activities of work-from-home employees may work from home, unless such personnel's review and monitoring will not be hindered by their working from home.
  B. The company shall inform work-from-homers of their rights and obligations and fully explain the importance of legal compliance.
  C. The company shall adopt measures to protect, and expressly prescribe management measures for, client privacy and the safety of client data and records etc.
  D. The company must verify client identity (e.g., when accepting orders) and step up measures to manage client accounts.
  E. The company shall publish an outline of the work-from-home arrangement on the company website (home page) and assist clients in understanding company operations and the risk of suspension of transactions etc.
  F. Control measures for brokerage trading, dealer trading, settlement, and declaration procedures include audio or video recording or relevant alternative measures.

(6) Test report: The company must first test the remote access system for work-from-home purposes and ensure employees may access the company system only through a secure connection.

(7) Information security control measures:
  A. The company must develop secure remote access systems (such as a virtual private network, VPN, or virtual desktop infrastructure, VDI), including the following security measures: adopting multi-factor authentication (employee account number and password, dynamic password, one-time password), secure connection, the principle of least privilege (PoLP), retaining complete operation and audit trails of users, monitoring and cautioning against irregularities, patching security vulnerabilities etc., and must further educate work-from-homers on cyber vigilance etc.
  B. The company must establish secure channels for remote access, restrict log-in to company employees only, fully track in writing the operation of equipment, and prescribe regulations governing the hours that connection is available subject to the schedule of the employees' performance of duties.
  C. The company must set up firewalls against malicious or unauthorized connection, devise rules in accordance with the principle of least privilege, close non-essential ports, and monitor network traffic, anomaly alerts, and disconnection mechanisms.
  D. The company must employ differentiation in managing the access authority of users in accordance with the principle of least privilege. Work-from-homers are authorized to access functions only to the extent required for business execution. Authorizations with regard to non-essential systems and functions must be disabled.

(8) Issue a statement on the Establishment of Information Security Inspection Mechanisms.

(9) Measures for the prevention of conflicts of interest and violations of rules and regulations: Prescribe comprehensive and express measures to prevent conflicts of interest and violations of rules and regulations by work-from-homers.

(10) Minutes of the board of directors' meeting where the board of directors agrees to the work-from-home, or in lieu thereof, the consent of the head office or regional center of the group. Subsequent ratification is acceptable in the event of an emergency preventing the procurement of advance consent of the board of directors.

(11) Risk assessment of enforcement: Where a work-from-home period as applied for lasts a consecutive year or more, whether the content of the contingency plan conforms to the current situation shall be reviewed (at least once a year), and possible new risks that may arise out of a long-term work-from-home arrangement shall be assessed (risk assessment should cover cybersecurity risk, legal risk, operational risk, personal data risk, and financial crime risk, etc.).

(12) Records of work-from-home education and training and awareness programs (at least semiannual).
III Complementary measures for work-from-home management of securities firms

1. Brokerage trading and transactions

(1) Brokerage trading personnel shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.

(2) Personal computers for use at home shall all be allocated by the company. Use of a personal computer not provided by the company is subject to company approval and information security testing in advance. Relevant computer equipment may be used only for official business purposes during work-from-home hours.

(3) Work-from-homers may not proceed with transactions until after VPN connection and authorized log-in. All user log-ins and transactions shall be fully tracked in writing.

(4) Multi-factor authentication: To enhance safety of use and operation, two-factor authentication of the multi-factor authentication shall be adopted for personal account numbers and passwords (employee account number and password, dynamic password, one-time password) to verify user identity.

(5) A principal shall dial the brokerage order number of the place of business to have the call transferred to the mobile phone or home phone of a brokerage trading representative (the call to be recorded by company equipment). If existing company equipment cannot record the entire call, it will be recorded either by the mobile phone of, or by, said representative, with the following measures adopted: After placing the order, the representative must, as soon as possible, make an audio recording of the time and content of the order and file such recording with the recording equipment of the company or email the recording to the company and client.

(6) Personnel responsible for reviewing and monitoring the activities of work-from-home employees must verify the audio recordings of work-from-homers periodically to ensure both conformance to those kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.

(7) Brokerage trading personnel will access the order system of the company's personal computer through the VPN. Trading limits of principals are governed by existing mechanisms.

(8) Express modes of operation and management methods shall be in place for personal transactions of work-from-home employees, including communications and activities pertaining to brokerage trading etc.

2. Dealer trading and transactions

(1) Dealer trading personnel shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.

(2) Personal computers for use by dealer trading personnel at home shall all be allocated by the company, with hardware and software appropriate for the business performed by the personnel installed for management purposes.

(3) Work-from-homers may not proceed with transactions until after VPN connection and authorized log-in. All user log-ins and transactions shall be fully tracked in writing.

(4) Multi-factor authentication: To enhance safety of use and operation, two-factor authentication of the multi-factor authentication shall be adopted for personal account numbers and passwords (employee account number and password, dynamic password, one-time password) to verify user identity.

(5) The company shall provide sufficient computer monitors at the work-from-home space of a trader. Video equipment and headsets shall also be provided to ensure unimpeded communications. Whole transactions shall be videotaped throughout the trading hours and documented.

(6) A trader must remain connected to the video equipment and keep all communication channels connected at all times throughout the trading hours. The system shall have the function to close a transaction should the trader be disconnected in the course of the transaction.

(7) System closure during non-trading hours: In respect of work-from-homers responsible for day trading orders, the trading system shall immediately be closed after the close of the day trading session, and such personnel shall be prohibited from accessing the system to trade.

(8) Personnel responsible for reviewing and monitoring the activities of work-from-home employees shall verify the audio recordings of transactions of work-from-homers periodically to ensure both conformance to the audio recordings kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.

(9) With regard to the risk exposure of a close position, the company shall be able to control trading limits and position risks, whether in the event of working at the place of business or from home.

(10) Control of personal transactions of work-from-homers: The company may allow or prohibit personal transactions of work-from-homers upon careful assessment in accordance with company management policies. If it so allows, the ways of control of such transactions shall include prescribing express modes of operation and management methods in regard to communications and activities pertaining to brokerage trading (e.g., stipulating that audio recordings be made of whole telephone orders, and that recordings be made of all electronic orders placed on computers allocated by the company).

3. Clearing and reporting

(1) A securities firm shall complete clearing and settlement in accordance with the TWSE Operating Rules and relevant regulations and also complete all clearing procedures and the reporting that is required by laws and regulations. Said firm shall in principle handle the above at the place of business (including an outside backup place of business) or assign work-from-homers to assist in handling.

(2) When performing procedures pertaining to settlement of payment, non-trading activities of a credit transaction (such as demand of payment, cash repayment, return of securities), and borrowing and transfer of securities, a principal shall in principle do so at the place of business (including an outside backup place of business) or assign work-from-homers to assist in doing so.

(3) Clearing and settlement procedures may be performed only at the original place of business if the applicant does not apply for handling clearing from home in its work-from-home application. Said applicant shall still make an application to the TWSE for special transfer to the competent authority for approval if, after its work-from-home application, it must assign work-from-homers to handle clearing and settlement as a result of the original place of business being subject to isolation. If prevented by an emergency from making a written application according to normal procedure, a securities firm may make a report to the TWSE by special means, followed by the submission of the relevant documents to the TWSE for the record after the incident.

4. Information security

(1) No unauthorized expansion of capability or installation of software/hardware equipment and tools that are not required for official business is allowed in respect of computer equipment, including notebooks and tablets, used by work-from-homers.

(2) Log-ins to major systems and transactions by all work-from-homers shall be fully tracked and documented.

(3) Computers for home use may be used for entering data only. No access to the data of the computer equipment of the company is allowed through computers for home use.
(4) To mitigate data breach risks, specific information security software shall be installed on the computer equipment of work-from-homers to control the access authority of applications; non-essential services and operating systems on the computers, as well as the USB and Bluetooth devices and optical disc drives of the aforementioned equipment, shall be disabled; and the VPN shall be set up in a way that restricts two-way file copying and transfers.

(5) A virtual private network that uses the Secure Sockets Layer protocol (SSL-VPN) and multi-factor authentication (employee account number and password, dynamic password, one-time password) shall be adopted. Secure channels for remote access shall be established. Log-in shall be restricted to company employees only. Operation of equipment shall be fully tracked in writing. Regulations governing the hours that access is available shall be prescribed subject to the schedule of the employees' performance of duties.

(6) Firewalls shall be set up against malicious or unauthorized connection. Rules shall be established in accordance with the principle of least privilege. Non-essential ports shall be closed. Network traffic and warning and disconnection mechanisms shall be monitored.

(7) Functions of the work-from-home system shall be designed with differential levels of control, with settings configured to permit the lowest level of authority. Authorization for non-essential functions of the system shall be disabled. The system shall apply differential management by user. Users of work-from-home computers shall be granted differential authorization for use in accordance with the risk policy of the company. Work-from-homers may be authorized to use functions necessary for conducting business only.

5. Prevention of conflicts of interest and violations of rules and regulations

(1) To ensure confidentiality of trading information, a work-from-homer must conduct business in an independent instead of public space, with no one allowed in the independent space during trading hours.

(2) A work-from-homer must properly retain all transaction-related records as requested by competent authorities, the TWSE, and the company.

(3) The company shall appoint a senior officer as chief supervisor responsible for implementing relevant monitoring measures during trading hours.

6. The work-from-home procedures of a securities firm shall be included in the scope of internal audit and internal control. Internal control systems shall also be strictly enforced.
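The remote-access controls listed under "Information security" above (VPN connection and two-factor log-in before any transaction, access hours tied to the employee's duty schedule, least-privilege function authorization, closure of the day-trading system after the session, and a complete audit trail of log-ins and transactions) can be expressed as a single deny-by-default policy check. The following is an added illustration, not part of the TWSE measures and not any firm's production code; the role names, function names, session-close time, duty schedules and sample requests are all constructed for the example.

```python
"""Added example (not from the TWSE document): a deny-by-default evaluator for
remote-access requests that encodes the document's stated controls and records
every decision in an audit trail.  All roles, functions, hours and requests
below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

# Least-privilege allow-lists: each role may use only the functions its
# business requires; anything else is disabled (constructed names).
ROLE_FUNCTIONS = {
    "brokerage_rep": {"order_entry", "order_status"},
    "day_trader": {"day_trade_entry", "position_view"},
    "clearing_staff": {"settlement_entry", "position_view"},
}

# Hours during which remote access is available, tied to the duty schedule
# of each role (constructed values).
ACCESS_HOURS = {
    "brokerage_rep": (time(8, 0), time(15, 0)),
    "day_trader": (time(8, 30), time(13, 30)),
    "clearing_staff": (time(8, 0), time(18, 0)),
}

# Functions that are switched off once the day-trading session closes
# (constructed close time).
DAY_SESSION_CLOSE = time(13, 30)
SESSION_BOUND_FUNCTIONS = {"day_trade_entry"}


@dataclass(frozen=True)
class Request:
    employee: str
    role: str
    function: str
    at: datetime
    vpn_connected: bool
    factors_verified: Tuple[str, ...]   # e.g. ("password", "otp")


@dataclass(frozen=True)
class AuditEntry:
    employee: str
    role: str
    function: str
    at: datetime
    allowed: bool
    reasons: List[str]                 # empty when allowed


def evaluate(req: Request) -> AuditEntry:
    """Apply every control; the request is allowed only if none fails."""
    reasons: List[str] = []
    if not req.vpn_connected:
        reasons.append("no VPN connection")
    if len(set(req.factors_verified)) < 2:
        reasons.append("fewer than two authentication factors")
    if req.role not in ROLE_FUNCTIONS:
        reasons.append("unknown role")
    else:
        if req.function not in ROLE_FUNCTIONS[req.role]:
            reasons.append("function not in role allow-list")
        start, end = ACCESS_HOURS[req.role]
        if not (start <= req.at.time() <= end):
            reasons.append("outside permitted access hours")
    if req.function in SESSION_BOUND_FUNCTIONS and req.at.time() > DAY_SESSION_CLOSE:
        reasons.append("day-trading session closed")
    return AuditEntry(req.employee, req.role, req.function, req.at,
                      allowed=not reasons, reasons=reasons)


def run_sample() -> List[AuditEntry]:
    """Evaluate a constructed batch of requests and return the audit trail."""
    day = datetime(2021, 6, 1)
    requests = [
        Request("alice", "brokerage_rep", "order_entry",
                day.replace(hour=9, minute=30), True, ("password", "otp")),
        Request("bob", "day_trader", "day_trade_entry",
                day.replace(hour=14, minute=0), True, ("password", "otp")),
        Request("carol", "clearing_staff", "order_entry",
                day.replace(hour=10, minute=0), True, ("password", "otp")),
        Request("dave", "brokerage_rep", "order_entry",
                day.replace(hour=10, minute=0), False, ("password",)),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for entry in run_sample():
        status = "ALLOW" if entry.allowed else "DENY"
        print(f"{entry.at:%H:%M} {entry.employee:<6} {entry.function:<16} "
              f"{status} {'; '.join(entry.reasons)}")
```

Every check is evaluated even after an earlier one has failed, so the audit entry lists all controls a request violated rather than only the first, which is what a reviewer verifying work-from-home activity needs when reconciling the trail against the place-of-business records.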