A service enterprise with specific requirements shall appoint a person at the level of deputy general manager (vice president) or higher or a person of equivalent position to concurrently serve as its chief information security officer, who shall be in charge of the overall promotion of information security policy and the allocation of related resources. Those requirements shall be prescribed by the competent authority.
A service enterprise shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The competent authority may, after having considered the size, business nature, and organizational characteristics of the services enterprise, order service enterprises to establish a dedicated information security (i.e., cybersecurity) unit, chief officer, and other personnel.
Each year, the service enterprise's chief information officer or highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue the Statement on Internal Control set out in Article 24, with content including the status of overall implementation of information security in the preceding fiscal year, and submit it to the board of directors for approval within 3 months after the end of the fiscal year.
The service enterprise's information security officer and personnel shall attend at least 15 hours of information security professional courses or functional training every year. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year.
The Securities Association, National Futures Association, and Securities Investment Trust and Consulting Association of the R.O.C. shall adopt and regularly review self-disciplinary regulations relating to information security.