
Title:

Establishing Information Security Inspection Mechanisms for Securities Firms

Amended Date: 2024.11.12 (Articles 2 and 9 amended; English version coming soon)
Current English version amended on 2023.08.23 
Categories: Market Supervision > Regulation of Securities Firms

Title: Establishing Information Security Inspection Mechanisms for Securities Firms (2023.07.21)
10. Business Continuity Management (CC-20000, semi-annual audit)
  1. Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems) shall be clearly formulated and implemented, and records of their implementation shall be kept.
  2. Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve in response to deficiencies and a record thereof shall be retained.
  3. Securities brokers shall have backup measures in place for their trading servers.
  4. The company shall formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability), maintain the measures necessary for the plan, identify its key operations and conduct the related impact analyses, and carry out business continuity exercises regularly according to its information security level. (To become effective by end of January 2022.)
  5. The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). In the event of information security and service irregularities relating to information systems, the company shall apply the Operational Guidelines on Reporting of Information and Communication Security Related Events in Securities and Futures Markets, take appropriate corrective procedures, and retain related records.
  6. Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the company to the TWSE (TPEx or Taiwan Securities Association) in writing, to be advised to the competent authority.
  7. The company shall establish clear operational procedures to defend and respond to distributed denial-of-service attack (DDoS).
  8. The company shall proceed with the following information security matters:
    1. designate personnel and departments to coordinate and liaise with all related departments;
    2. periodically evaluate core operating systems and equipment, take appropriate measures in response to evaluation results, and make a report to the board of directors, to ensure capability for business continuity and operational resilience;
    3. disclose in sustainability reports, annual reports, or financial reports or on the company website the resources required for the company to continue with the operation of core operating systems and equipment within the year and the relevant implementation of annual budgets or education and training programs, etc.