Title: Establishing Information Security Inspection Mechanisms for Securities Firms (2024.05.15)

1. Risk Assessment and Management (CC-11000, applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner; annual audit)
- All of the company's information assets within the scope of applicable information security risk and all owners of such assets shall be identified.
- The acceptable level of information security risk for each of the company's operations shall be determined.
- The company shall conduct information security risk inspections at least once per year and keep the relevant records. Significant risks and control and management measures relating to operation (including risks in new products, new technologies and information systems) shall be covered by the risk assessment to ensure validity of company policies, procedures and control and management measures.
- The core system shall be assessed for its tolerable period of interruption, recovery time objective (RTO) and recovery point objective (RPO); the tolerable period of interruption for the core system shall be determined based on the company's market share in brokerage business and the proportion of its clients who are natural persons.

4. Categorization and Control of Assets (CC-14000, semi-annual audit)
- Information assets shall be set out in a list; and the list shall be maintained.
- Rules shall be adopted for classification and labeling of information. (This is applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner).
- The company shall complete the grading of information systems developed in-house or by outsourced providers. At a minimum, each information system shall be graded as either core or non-core. The appropriateness of the grading shall be reviewed at least once a year. (To become effective by end of January 2022.)
- The company shall have regulations governing retention periods for information and documents relating to information assets, and have these documents deleted and destroyed after expiration of the retention period.

7. Management of Communications and Operations (CC-17000)
- Management of network security (CC-17010, applicable to securities firms placing orders via the Internet; items a, b and f are applicable to all securities firms, subject to monthly audit):
  - Evaluating the security of network systems:
    - The company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and anti-virus software) and retain related records.
    - Security gaps in the network operating environment and operating system (including servers, portables, personal terminals, and computers available on business premises to investors for shared use) shall be patched regularly and in a timely manner. The related documentation shall be retained.
    - Matters bearing on computer network security (including promotion of awareness of the information security policy, prevention of hacking, and anti-virus measures) shall be announced internally as needed and on a recurring basis.
    - A specially appointed employee shall be designated to be responsible for computer servers and important software and hardware.
    - The company's network shall be categorized, according to purpose of use, into DMZ, production (operating) environment, testing environment and other environments, and there shall be an appropriate separation mechanism between these environments (e.g. firewall, virtual local area network, and physical separation).
    - Personal information and confidential and sensitive information shall be stored in a secured network area, and shall not be stored on the Internet or in other non-secured areas.
    - Only necessary services and programs may be enabled in the system, and unused services and functions should be disabled.
    - The company shall establish guidelines for remote connection management that control internal operations performed through remote connections from external networks, verify identity, and keep the relevant maintenance records, which shall be regularly reviewed by the proper supervisor.
    - The company shall prevent use of the internal network by unauthorized devices.
    - Use of network equipment beyond end of service (EOS)/end of life (EOL) shall be avoided, and plans for the elimination and replacement of such equipment shall be created.
  - Managing network equipment security:
    - A firewall shall be established.
    - A specially appointed employee shall be responsible for managing the firewall.
    - Firewall inbound and outbound logs and their backup copies shall be retained for at least three years.
    - Important website and server systems (e.g. online order placing systems) shall be isolated from the Internet by the firewall.
    - The firewall system configuration shall be approved by the proper supervisor.
    - The company shall review and maintain the firewall access control settings annually, review the firewall rules for the DMZ semi-annually, and keep the relevant review records.
    - No products that may jeopardize national information security may be used on equipment directly connected to the networks used for the company's transactions.
    - When establishing network equipment rules, the company shall follow the principle of least privilege (minimum authorization) and use a positive list (allow-list).
    - The company shall review its external network equipment rules at least once a year, and shall retain relevant records.
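The following Python script is an added example, not part of the regulation, showing how a rule set can be reviewed against the zone model and positive-list principle above: it flags any-to-any and all-port allows, direct Internet-to-production and test-to-production flows, and a rule set without a closing deny-all. Zone names, the rule format and the sample rules are assumptions.

```python
"""Rule-set review against the zone model (DMZ, production, test, other) and
the positive-list principle.  Added example; zone names, the rule format and
SAMPLE_RULES are assumptions, not taken from the regulation or any product."""
from dataclasses import dataclass

ANY = "any"
ZONES = ("internet", "dmz", "prod", "test", "other")

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # one of ZONES, or "any"
    dst_zone: str   # one of ZONES, or "any"
    dst_port: str   # e.g. "443", "443,8443" or "any"
    action: str     # "allow" or "deny"

# Direct flows the zone model rules out: the Internet may only terminate in the
# DMZ (important systems stay behind the firewall), and the test environment
# must not reach production.  Everything else is left to the positive list.
FORBIDDEN_FLOWS = {("internet", "prod"), ("internet", "test"), ("test", "prod")}

def _zones(zone):
    """Expand a wildcard so 'any' is checked against every concrete zone."""
    return ZONES if zone == ANY else (zone,)

def review_rules(rules):
    """Return (rule name, finding) pairs; an empty list means no finding."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                       # deny rules cannot widen access
        if r.src_zone == ANY and r.dst_zone == ANY:
            findings.append((r.name, "any-to-any allow is not a positive list"))
        if r.dst_port == ANY:
            findings.append((r.name, "all ports allowed; restrict to required services"))
        for s in _zones(r.src_zone):
            for d in _zones(r.dst_zone):
                if (s, d) in FORBIDDEN_FLOWS:
                    findings.append((r.name, f"direct {s}->{d} flow bypasses segmentation"))
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src_zone, last.dst_zone) != (ANY, ANY):
        findings.append(("*", "rule set does not end with an explicit deny-all"))
    return findings

# Constructed sample: the third and fourth rules are the kind of "temporary"
# exceptions a semi-annual DMZ rule review is meant to catch.
SAMPLE_RULES = [
    Rule("web-in", "internet", "dmz", "443", "allow"),
    Rule("dmz-to-order-api", "dmz", "prod", "8443", "allow"),
    Rule("vendor-temp", "internet", "prod", "any", "allow"),
    Rule("test-sync", "test", "prod", "5432", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```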
  - Managing network transmission and connection security:
    - Online order placing pages shall be protected by encryption (e.g. SSL).
    - The company shall monitor and analyze on a daily basis the records of log-in failures for core system accounts and of attempts to log in to non-customer accounts, etc., promptly ascertain the reasons for any irregular log-ins upon discovery (e.g., three wrong password attempts, mass log-in failures within a certain time, irregular downloads by an account of certificate applications or certificate updates), and retain the relevant records.
    - When providing online order service, the company shall, upon login to place an order, implement multi-factor authentication (e.g., fixed password, pattern lock, order certification, device identifier, OTP, biometric system, etc.) to ensure that it is the customer who is logging in.
  - Multi-factor authentication:
    The company shall use any two of the following three technologies in its multi-factor authentication:
    - Information agreed with the company and unknown to third parties, e.g. fixed password, pattern lock or gesture lock.
    - The company shall verify that the client's physical device (e.g. PIN generator, password card, chip card, computer, mobile device, and certificate carrier) is the device designated by the client for this purpose.
    - The company shall directly or indirectly verify the biometrics provided by the client (e.g. fingerprints, face, iris, voice, palm print, vein patterns, and signature).
  - Managing identification authentication and certificates:
    - A securities firm placing orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners. When a customer downloads a certificate application or a certificate update, multi-factor authentication must be performed (such as order certification, device identifier, OTP, biometric system, SIM verification, etc.) using factors different from those used for log-in to identify the customer, and the relevant records must be retained.
    - A securities firm placing orders online shall use an authentication system for all orders.
    - The company shall verify the client's trading identity and user account at the server.
    - The company shall establish regulations for the application, delivery, use, update and authentication of electronic transaction identification.
  - Protecting against computer viruses and malicious software:
    - Anti-virus software shall be installed. Its programs and virus definitions shall be updated in a timely manner.
    - Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
    - Anti-virus protection shall cover personal terminals (including portables and computers available on business premises to investors for shared use) and network servers.
    - Emails from unknown sources shall not be opened. Special care shall be taken when opening emails with attachments containing executable files.
    - To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing email use and establish an email filtering system.
    - The company shall have online use control measures in place to prevent the download of malware.
    - The company shall detect links that lead to phishing websites and malicious websites and remind clients to be cautious about online phishing.
    - The company is advised to conduct social engineering exercises on a yearly basis, provide coaching to personnel who have opened an email or clicked a link they were advised against opening or clicking, and keep relevant records.
  - Inspecting the functions of online systems:
    - The functions provided by online systems shall be inspected regularly and inspection records shall be kept.
    - Changes to the web pages and programs of online systems available for external connection and use shall be monitored, recorded and notified, and the related staff requested to handle the matter.
  - Regulations governing the company's provision of API services:
    The application procedure, approval standards and relevant control measures and operations for the company's provision of API services to customers are governed by the Directions for the Provision of Application Programming Interface (API) Service by Securities Firms to Customers.
  - Quality standards for services for placing orders via the Internet:
    When providing services for placing orders via the Internet, the company needs to maintain the quality of customer services by establishing quality standards for placing orders via the Internet, which shall cover key elements such as transaction security, stability and system availability, and customer services.
  - Introduction of cyber-attack prevention systems and security tests:
    - The company shall perform penetration tests on the core systems that provide Internet services regularly according to its information security level, and make improvements based on the test results. (To become effective by end of January 2022.)
    - The company shall conduct regular information and communication security checkups according to its information security level, which should include inspection of the network structure, inspection of malicious network activities, inspection of malicious activities on users' computers, inspection of malicious activities on servers, inspection of the directory server setup, and inspection of the firewall connection setup. (To become effective by end of January 2023.)
    - The company shall establish an information and communication security threat detection management system according to its information security level, which should include collection of events, analysis of irregularities, detection of attacks, and determination of attack acts.
    - The company shall establish an intrusion detection and prevention system according to its information security level.
    - The company shall set up firewalls for its applications according to its information security level.
    - The company shall implement advanced protection measures against advanced persistent threats and attacks according to its information security level. (To become effective by end of January 2023.)
    - The core system's identity verification mechanism shall prevent log-in by automated programs and password replacement attempts, and it is advised that the same prevention measures be taken for non-core systems.
  - Notice of log-in or irregularity:
    It is advisable that the company give notice upon each log-in to a customer's account. In the event of the following irregularities, immediate notice shall be given to the customer, and relevant records retained, to prevent log-in by persons other than the customer:
    - a wrong password is entered or the account is blocked
    - an application for a certificate is made or a certificate is updated
    - particulars are amended
    - a log-in is attempted from an irregular source or by an irregular act
    - an application to change or replace the password is made
  - Monitoring and warning of irregular IP log-ins:
    The company shall monitor, analyze and document irregular IP connections and IP connections from unknown sources. It shall develop an alert mechanism for the following circumstances and inspect it regularly to confirm that it operates effectively:
    - Different accounts are logged in from the same source IP a certain number of times.
    - The same account is logged in from different countries within a certain time.
    - A log-in attempt from an irregular source (e.g. an IP blacklisted by the Financial Information Sharing and Analysis Center (F-ISAC) or an overseas IP) is found.
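As an added example that is not part of the regulation, this Python script runs the daily log-in review from the "Managing network transmission and connection security" item and the alert conditions from "Monitoring and warning of irregular IP log-ins" over constructed log lines: repeated wrong passwords on one account, mass failures within a window, many accounts from one source IP, one account from two countries within an hour, and a source on a blocklist. The log format, the thresholds and the blocklist entry are assumptions.

```python
"""Daily review of authentication records for the irregular log-in patterns
in the regulation.  Added example: the log line format, the thresholds and
the sample lines are constructed; the regulation itself only says "a certain
number of times" and "within a certain time"."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login account=(?P<acct>\S+) result=(?P<res>ok|fail) "
    r"src=(?P<ip>\S+) country=(?P<cc>[A-Z]{2})$")

# Thresholds (assumed values; tune to the firm's own baseline).
WRONG_PASSWORD_LIMIT = 3                  # consecutive failures on one account
MASS_FAIL_LIMIT = 5                       # failures across all accounts ...
MASS_FAIL_WINDOW = timedelta(minutes=10)  # ... within this window
ACCOUNTS_PER_IP_LIMIT = 3                 # distinct accounts logged in from one IP
MULTI_COUNTRY_WINDOW = timedelta(hours=1)
# Stand-in for a shared blacklist such as an F-ISAC feed (constructed value).
BLOCKLIST = {"198.51.100.7"}

def parse(lines):
    """Parse matching lines into dicts sorted by timestamp; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(lines):
    """Return sorted (alert type, subject) pairs found in the log lines."""
    alerts = set()
    fail_streak = defaultdict(int)      # account -> consecutive failures
    recent_fails = []                   # failure timestamps inside the window
    accounts_by_ip = defaultdict(set)   # ip -> accounts successfully logged in
    ok_logins = defaultdict(list)       # account -> [(ts, country)]
    for e in parse(lines):
        if e["ip"] in BLOCKLIST:
            alerts.add(("blocklisted_source", e["ip"]))
        if e["res"] == "fail":
            fail_streak[e["acct"]] += 1
            if fail_streak[e["acct"]] == WRONG_PASSWORD_LIMIT:
                alerts.add(("password_failures", e["acct"]))
            recent_fails.append(e["ts"])
            recent_fails = [t for t in recent_fails if e["ts"] - t <= MASS_FAIL_WINDOW]
            if len(recent_fails) >= MASS_FAIL_LIMIT:
                alerts.add(("mass_login_failures", "all accounts"))
            continue
        fail_streak[e["acct"]] = 0      # a success resets the streak
        accounts_by_ip[e["ip"]].add(e["acct"])
        if len(accounts_by_ip[e["ip"]]) >= ACCOUNTS_PER_IP_LIMIT:
            alerts.add(("many_accounts_from_ip", e["ip"]))
        for ts, cc in ok_logins[e["acct"]]:
            if cc != e["cc"] and e["ts"] - ts <= MULTI_COUNTRY_WINDOW:
                alerts.add(("multi_country_login", e["acct"]))
        ok_logins[e["acct"]].append((e["ts"], e["cc"]))
    return sorted(alerts)

# Constructed sample log (documentation address ranges, fictitious accounts).
SAMPLE_LOG = """
2024-05-15T09:00:01 login account=A1001 result=fail src=203.0.113.10 country=TW
2024-05-15T09:00:05 login account=A1001 result=fail src=203.0.113.10 country=TW
2024-05-15T09:00:09 login account=A1001 result=fail src=203.0.113.10 country=TW
2024-05-15T09:01:00 login account=A2002 result=ok src=203.0.113.20 country=TW
2024-05-15T09:01:30 login account=A3003 result=ok src=203.0.113.20 country=TW
2024-05-15T09:02:00 login account=A4004 result=ok src=203.0.113.20 country=TW
2024-05-15T09:05:00 login account=A2002 result=ok src=198.51.100.7 country=JP
2024-05-15T09:09:00 login account=A5005 result=fail src=203.0.113.30 country=TW
2024-05-15T09:09:30 login account=A6006 result=fail src=203.0.113.30 country=TW
""".strip().splitlines()

if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(f"{kind}: {subject}")
```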
- Computer system and operation safety management (CC-17020, semi-annual audit):
  - Managing computer equipment:
    The company shall enter into a written maintenance agreement with the maintenance service provider establishing the content of computer equipment maintenance work. A maintenance log shall be retained after the completion of maintenance. The information unit shall appoint personnel to conduct the inspection together with the maintenance personnel of the maintenance service provider.
  - Environment configuration and use authorization settings of the operating systems of computers:
    - The environment configuration and use authorization settings of the operating systems of computers shall be approved by the relevant supervisor and implemented by system administrators.
    - Appropriate backup measures shall be in place for files in the computer system before and after they are modified.
    - The company shall establish guidelines for the management of accounts with the highest system authorization level, covering both operating systems and application systems; the approval of the proper supervisor is required for use of an account with the highest authorization level, and relevant records shall be retained.
    - The company shall create and diligently implement a security configuration baseline for personal computers, servers and network communication devices (e.g. password length and password change frequency).
    - The company shall adopt multi-factor authentication when an account is used to log in to a system via the Internet.
    - The information and communication system shall have an internal clock that regularly synchronizes with a standard time source.
    - The company shall encrypt, or otherwise store in an appropriate manner, the key configuration files of the core system and other information that needs protection, based on its information security level.
    - The company shall establish the idle time or available time of the core system and the status and conditions of its use (e.g. account type and limitation on functions, limitation on operation time, restriction on source addresses, allowed number of connections, and accessible resources) based on its information security level.
  - Security management of computer media:
    - Backup copies of important software, related documents, and inventory lists shall be made and stored in a separate safe location.
    - If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
    - Storage media used for backup materials shall be labeled with the name of the materials and their retention period.
    - Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
    - A restoration test mechanism shall be established to verify the integrity of backups and the suitability of the recovery environment.
    - The company shall establish an adequate data backup mechanism based on system characteristics and the recovery point objective (RPO), considering backup frequency, type of storage media (optical disk, external drive, magnetic tape), type of data (virtual DSM, source code, database, configuration files, etc.), type of backup (full, incremental and differential backup), and method of backup (synchronous network backup, asynchronous network backup and offline backup). For offline backup, an appropriate backup baseline shall be created according to the type of backup to ensure correct data restoration.
    - When establishing the data backup mechanism, the company is advised to follow the "3-2-1 backup rule": keep at least three copies of the data, store them on two different types of storage media, and keep at least one copy off-site.
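As an added example that is not part of the regulation, the Python code below works through the backup mechanism items above: it derives the restore chain for full, incremental and differential backups, measures the resulting data loss against an RPO, and checks a backup's copies against the 3-2-1 rule. The RPO value, the schedules and the media used in the sample plans are assumptions.

```python
"""Restore-chain and RPO evaluation for the backup types named in the
regulation (full, incremental, differential), plus a 3-2-1 check on the copies
of a backup.  Added example; RPO, schedules and media are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Copy:
    medium: str      # e.g. "disk", "tape", "optical", "object-storage"
    offsite: bool

@dataclass(frozen=True)
class Backup:
    taken: datetime
    kind: str        # "full", "incremental" or "differential"
    copies: tuple    # Copy instances holding this backup

def restore_chain(backups, incident):
    """Backups needed to restore to the latest recovery point before `incident`.
    Assumes one backup type is used between fulls: a differential needs only
    the last full, an incremental needs the last full plus every incremental
    since it.  Returns [] when no usable full backup exists."""
    usable = sorted((b for b in backups if b.taken <= incident), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return []
    base, latest = fulls[-1], usable[-1]
    if latest is base:
        return [base]
    if latest.kind == "differential":
        return [base, latest]
    return [base] + [b for b in usable if b.kind == "incremental" and b.taken > base.taken]

def data_loss(backups, incident):
    """Time between the last restorable point and the incident; None if unrestorable."""
    chain = restore_chain(backups, incident)
    return incident - chain[-1].taken if chain else None

def meets_rpo(backups, incident, rpo):
    loss = data_loss(backups, incident)
    return loss is not None and loss <= rpo

def three_two_one(backup):
    """At least 3 copies, on at least 2 media types, at least 1 of them off-site."""
    media = {c.medium for c in backup.copies}
    return (len(backup.copies) >= 3 and len(media) >= 2
            and any(c.offsite for c in backup.copies))

# Constructed schedules: a weekly full (Sunday 02:00) whose copies satisfy
# 3-2-1, followed by incrementals kept on a single local disk.
FULL_COPIES = (Copy("disk", False), Copy("tape", True), Copy("object-storage", True))
LOCAL_ONLY = (Copy("disk", False),)
T0 = datetime(2024, 5, 12, 2, 0)
DAILY = [Backup(T0, "full", FULL_COPIES)] + [
    Backup(T0 + timedelta(days=d), "incremental", LOCAL_ONLY) for d in (1, 2, 3)]
# Same plan with extra incrementals every four hours on the day of the incident.
TIGHTER = DAILY + [
    Backup(datetime(2024, 5, 15, h, 0), "incremental", LOCAL_ONLY) for h in (6, 10, 14)]
INCIDENT = datetime(2024, 5, 15, 14, 30)
RPO = timedelta(hours=4)   # assumed core-system RPO

if __name__ == "__main__":
    for name, plan in (("daily", DAILY), ("tighter", TIGHTER)):
        print(name, "data loss:", data_loss(plan, INCIDENT),
              "meets RPO:", meets_rpo(plan, INCIDENT, RPO))
```

The daily plan loses twelve and a half hours of data and fails the four-hour RPO; the tighter plan loses thirty minutes but its incremental copies still fail the 3-2-1 check.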
  - Management of computer operation:
    - Computer operators shall strictly adhere to prescribed operating procedures.
    - Complete and accurate records shall be kept in an operating log, which shall be inspected and approved daily by a supervisor. The operator and the supervisor may not be the same person.
    - Specially appointed personnel shall be responsible for inspecting the information in the logs of the system console and for regularly submitting the information to a supervisor for inspection and approval.
    - The securities broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
    - The securities broker shall adopt mechanisms and procedures for regular evaluations (at least once a year) of the capacity of and security measures for its computer system, to be carried out either internally or outsourced to a professional institution. The system capacity shall be stress-tested regularly and records of the testing retained.

10. Business Continuity Management (CC-20000, semi-annual audit)
- Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems, etc.) shall be clearly formulated and implemented, and records shall be kept.
- Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to remedy deficiencies, and a record thereof shall be retained.
- Securities brokers shall have backup measures in place for their trading servers and establish remote backup server rooms according to their information security level.
- The company shall formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability) and maintain the measures necessary for the plan. It shall prescribe the key operations and related impact analyses, evaluate the degree of impact caused by interruption to the core system, and use the core system's recovery time objective (RTO) and recovery point objective (RPO) as the basis for core system recovery, backup planning and implementation of recovery work, followed by regular business continuity exercises conducted according to its information security level. The company shall invite the relevant service providers to participate in the exercise if its scope involves such third parties.
- The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). In the event of information security and service irregularities relating to information systems, the company shall apply the Operational Guidelines on Reporting of Information and Communication Security Related Events in Securities and Futures Markets and the Scope, Reporting Procedures and Other Requirements for Securities Firms' Reporting of Material Information Security Events, take appropriate corrective procedures, and retain related records.
- Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the company in writing to the TWSE (TPEx or Taiwan Securities Association), for onward notification to the competent authority.
- The company shall establish clear operational procedures to defend against and respond to distributed denial-of-service (DDoS) attacks.
- The company shall proceed with the following information security matters:
  - designate personnel and departments to bring together, coordinate and liaise with all related departments;
  - periodically evaluate core operating systems and equipment, take appropriate measures in response to the evaluation results, and report to the board of directors, to ensure capability for business continuity and operational resilience;
  - disclose in sustainability reports, annual reports or financial reports, or on the company website, the resources required for the company to continue operating its core operating systems and equipment within the year and the related implementation of annual budgets, education and training programs, etc.
- The company shall identify risk scenarios and, based on the different risk scenarios, formulate response procedures and disaster risk reduction or recovery measures applicable to the various systems in the event of abnormality or interruption of information operations caused by disaster.
- In case of interruption to the core system's services, the core system shall be replaced by backup equipment or another method to provide services within the tolerable time period.
- If a securities firm's outsourced operations involve core information and communication systems and services, the information service provider shall regularly provide a recovery plan for those information and communication systems and services. A recovery plan may take the form of a disaster recovery plan, backup exercise, or business continuity plan.

12. Application of new technologies (CC-21100, annual audit)
- Cloud services:
  The risks of using cloud computing shall be evaluated in advance. If cloud computing involves key systems, data or services, security regulations relating to cloud computing service security shall be established.
  - If the company uses cloud services, it shall establish the method for selecting a cloud service provider, audit measures, backup system and service standards, including information security protection, requirements on recovery time and measures to terminate services. Where any requirement is not met, additional compensatory measures shall be taken.
  - If the company is a cloud service provider, it shall establish cloud computing service security control and management measures covering legal compliance, authority control and management, allocation of rights and responsibilities, and information security protection. When sensitive information is transmitted, encrypted Internet communication protocols such as HyperText Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP) shall be used.
- Social media:
  - The company shall establish information security regulations for social media and regulations for the use of social media, covering:
    - Definition of what business-related information may be shared on social media for business purposes.
    - Distinction between social media use for personal and for business purposes, and important information about such use.
    - The levels of risk in allowing employees to use social media, including information disclosure, social engineering, malware attacks, etc., shall be assessed and appropriate security control measures taken.
  - The company shall establish information security regulations and management policies for the operation of its official pages on social media, which shall cover the following:
    - Understand the privacy policy applicable to the social media on which it maintains its official page, and regularly (once a year) review changes to that privacy policy and assess the risks.
    - If the official website contains a link that takes users away from the website to social media, a pop-up window shall notify the user that he or she is leaving the company's website when the link is clicked.
    - The name, contact method and license number of the securities firm, the customer complaint method and the contact person shall be specified on the social media page so that it can be distinguished as the company's official page on that social media.
    - An account authorization management system shall be established to control and monitor posts, and inappropriate comments and irregularities shall be reported or handled.
- Mobile devices:
  - The company shall establish information security regulations and management policies for mobile devices for business use, which shall cover the following:
    - The management policies for mobile devices shall include applicable regulations for the request, use, replacement and return of a mobile device.
    - When the user changes, the mobile device shall be reconfigured or its original configuration cleared to ensure the security of the mobile device environment.
    - It is advisable that only official applications, or other applications that have passed testing and are listed as downloadable by the company, be installed on the device.
    - The management policies for mobile devices for business use shall cover restrictions and management methods for the storage of confidential information on mobile devices.
  - The company shall establish information security regulations and management policies for employee-owned mobile devices, which shall cover the following:
    - The company shall ask employees to use their own mobile devices only for certain purposes.
    - The company shall sign an agreement on the use of employee-owned mobile devices with each employee using their own device, with terms and conditions on limits of use, liabilities of the parties, etc.
    - The company shall prohibit unauthorized connection to its internal information equipment over the Internet from employee-owned mobile devices.
    - The management policies for employee-owned mobile devices shall cover restrictions and management methods for the storage of confidential information on mobile devices.
- The Internet of things:
  Information security regulations and management policies for the Internet of things (IoT) shall be established, which shall cover the following:
  - A management list of IoT equipment shall be created and updated at least once a year, and the initial password of such equipment shall be changed.
  - IoT equipment shall have a security update mechanism and shall be updated regularly (once a year). If a defect in the equipment is known and no update to correct the defect is available, a compensatory control shall be established.
  - Network connections and services not needed by IoT equipment should be turned off. Use of public Internet connections is advised against.
  - When signing a procurement contract with a supplier of IoT equipment, it is advisable that the contract include terms on information security and a clear definition of related liabilities, e.g. service warranty, lifespan of security updates, voluntary notification of known vulnerabilities in the equipment, and submission of appropriate response measures, to ensure that the equipment has no known security vulnerabilities.
  - When procuring IoT equipment, the company is advised to give priority to IoT equipment with information security certification.
  - The company shall regularly conduct information security education and training for users and management personnel of IoT equipment.
  - Control measures for access to IoT equipment shall be created.
- Remote work:
  - To mitigate data breach risks, the company shall install information security software on remote work equipment to control the access authority of applications.
  - The company shall specify the authority of remote workers with regard to system functions according to the scope of their business and control authority.
  - The company shall establish restrictions on connection times and relevant regulations based on the duties performed by the employees.
  - The company shall keep track of remote employees' log-ins to systems, operation of computer equipment, and transaction records.
  - The company shall adopt multi-factor authentication (employee account password, dynamic password, one-time password) and create secure remote network channels to mitigate the risk of forgery or unauthorized use of the relevant account passwords.
  - The company shall prevent malicious or unauthorized connections and establish remote account access rules in accordance with the principle of least privilege (PoLP).
  - The company shall regularly update the security control measures for connections to the virtual private network (VPN) and other remote access systems.
  - The company shall develop measures to protect client privacy and the safety of client data and records.
  - The company shall have in place an information security mechanism to strengthen the promotion of information security and educate remote employees on cyber vigilance.
- Deepfake:
  - When video communication is used for identity verification, strengthened verification methods shall be used, together with other authentication factors (such as uploading ID or a mobile phone OTP).
  - Regular information security training covering the understanding and prevention of deepfakes shall be provided.