Amended Article


Establishing Information Security Inspection Mechanisms for Securities Firms 

Amended Date: 2024.05.15 (Articles 1, 4, 7, 10, 12 amended; English version coming soon)
Current English version amended on 2022.12.28 
Categories: Market Supervision > Regulation of Securities Firms
2     Information Security Policy: (CC-12000, annual audit)
  1. The company shall adopt an information security policy and set information operations security standards in accordance with its business needs and applicable laws and regulations.
  2. The following content shall be included in the information security policy:
    1. A definition of information security, information security objectives, and scope of information security.
    2. An explanation and description of the information security policy, information security principles and standards, and rules the employees must comply with.
    3. A description of the organizational unit in charge of the information security work, the unit's authority and duties, and segregation of said duties.
    4. Emergency procedures for reporting and handling an information security incident, along with related regulations.
  3. The information security policy adopted by the company shall be approved by its management, formally issued, observed by all of its employees, and notified to and observed by public and private authorities / institutions and providers of information services with network connection with the company.
  4. The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business etc., and to ensure the efficacy of the company's information security operations. Records of the above evaluations shall also be retained.
  5. Information security policy evaluations shall be conducted in an independent and objective manner either internally or through an outsourced professional institution.
  6. The company shall have its chief information security officer or highest officer responsible for information security, and its board chairperson, general manager and chief audit officer jointly issue an internal control system statement on overall implementation of the information security measures during the previous year, in accordance with Article 24 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets, which will be submitted to the board of directors for approval. The statement shall be disclosed at the Market Observation Post System (MOPS) within three months after the closing of a fiscal year.
  7. The company shall take the required measures for tiered protection of information security by referring to the Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection.
  8. The company shall bring its core system within the scope of an information security management system according to its information security level; the management system shall be certified by an impartial third party, and the certification shall be kept valid.
3     Security Organization (CC-13000, annual audit)
  1. The company shall follow the requirements to have appropriate human resources and equipment available for planning and monitoring of the information security system and implementing the information security management operation. The job responsibilities of the relevant staff and their other concurrent responsibilities shall be in compliance with regulations.
  2. The company shall designate a vice president or high level supervisor to take overall charge of affairs pertaining to the promotion of information security policies and allocation of resources and, where necessary, may also establish an interdepartmental "Information Security Task Force." If the company satisfies certain conditions prescribed by the competent authority, it shall designate a person of or above the rank of vice president or with comparable functions to act concurrently as a chief information security officer to handle the aforementioned business.
  3. As necessary for the purposes of information security management and according to its information security level, the company shall specifically assign personnel or unit(s) to be responsible for planning and implementing information security work. The information security staff and their supervisor(s) shall attend regular information security professional programs and trainings of at least 15 hours per year and pass the assessment each year. Other staff with access to information systems shall attend information security awareness promotion programs of at least three hours per year.
  4. If the company lacks sufficient information security manpower, skills, or experience, it may retain external scholars, experts, or professional private institutions and groups to provide information security consulting services.
  5. The authority and duties of the company's information processing department shall be clearly differentiated from those of its business units.
  6. The company shall require its information security personnel to obtain and maintain information security professional licenses appropriate to its information security level.
7     Management of Communications and Operations (CC-17000)
  1. Management of network security (CC-17010, applicable to securities firms placing orders via the Internet; items a, b and e are applicable to all securities firms, subject to monthly audit):
    1. Evaluating the security of network systems:
      1. The company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and anti-virus software) and retain related records.
      2. Security gaps in the network operating environment and operating systems (including servers, portables, personal terminals, and computers available on business premises to investors for shared use) shall be patched regularly and in a timely manner. The related documentation shall be retained.
      3. Matters bearing on computer network security (including the promotion of awareness of the information security policy, prevention of hacking, and anti-virus measures) shall be announced internally from time to time as needed.
      4. A specially appointed employee shall be designated to be responsible for computer servers and important software and hardware.
      5. The company’s network shall be categorized, according to purpose of use, as DMZ, operating environment, testing environment and other environment, and there shall be an appropriate division mechanism between these environments (e.g. firewall, virtual local area network, and physical separation).
      6. Personal information and confidential and sensitive information shall be stored in a secured network area, and shall not be stored on the Internet or other non-secured areas.
      7. Only necessary services and programs may be available in the system, and unused services and functions should be made unavailable.
      8. The company shall establish guidelines for remote connection management to control internal operations performed over remote connections from external networks, keep the relevant maintenance records, and have them regularly reviewed by the proper supervisor.
      9. The company shall prevent use of the internal network from an unauthorized device.
    2. Managing firewall security:
      1. A firewall shall be established.
      2. A specially appointed employee shall be responsible for managing the firewall.
      3. Records of firewall entries, exits, and backup copies shall be retained for at least three years.
      4. Important website and server systems (e.g. online order placing systems) shall be isolated from the Internet by the firewall.
      5. The firewall system configuration shall be approved by the proper supervisor.
      6. The company shall examine and maintain its firewall access control settings at least once a year and keep the relevant examination records.
      7. No products that may jeopardize the national information security may be used on the equipment directly connecting to the networks used for the company’s transactions.
    3. Managing network transmission and connection security:
      1. Online order placing pages shall be protected by encryption (e.g. SSL).
      2. The company shall monitor and analyze on a daily basis records of log-in failures in connection with core system accounts and attempts to log in to non-customer accounts etc., promptly ascertain the reasons for any irregular log-ins upon discovery (e.g., three wrong attempts when entering a password, mass log-in failures within a certain time, irregular downloads by an account of applications for certificates or updated certificates), and retain the relevant records.
      3. When providing online order services, the company shall, upon login to place an order, implement multi-factor authentication (e.g., order certificate, device identifier, OTP, biometrics, etc.) to ensure that the login is made by the customer itself.
    4. Managing CA authentication and certificates:
      1. A securities firm placing orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners. When a customer downloads an application for a certificate or downloads an updated certificate, multi-factor authentication must be performed (such as order certificate, device binding, OTP, biometric and SIM authentication, etc.), using factors different from those used for log-in to identify the customer, and the relevant records must be retained.
      2. A securities firm placing orders online shall use an authentication system for all orders.
    5. Protecting against computer viruses and malicious software:
      1. Anti-virus software shall be installed. Its programs and virus definitions shall be given timely updates.
      2. Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
      3. Anti-virus protection shall cover personal terminals (including portables and computers available on business premises to investors for shared use) and network servers.
      4. Emails from unknown sources shall not be opened. Special care shall be used in opening emails with attachments containing executable files.
      5. To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing email use and establish an email filter system.
      6. The company shall have online use control measures in place to prevent download of malware.
      7. The company shall detect links that connect to phishing websites and malicious websites and remind clients to be cautious about online phishing.
      8. The company is advised to conduct regular social engineering exercises on a yearly basis, and provide coaching to personnel who have opened an email or clicked a link they have been advised against opening or clicking, and keep relevant records.
    6. Inspecting the functions of online systems:
      1. The functions provided by online systems shall be inspected regularly and inspection records shall be kept.
      2. Changes to the web pages and programs of online systems available for external connection and use shall be monitored, recorded and notified, and the related staff shall be requested to handle the matter.
    7. Regulations governing the company's provision of API services:
      The application procedure, approval standards and relevant control measures and operations in regard to the company's provision of API services to customers are governed by the Directions for the Provision of Application Programming Interface (API) Service by Securities Firms to Customers.
    8. Quality standards for services for placing orders via the Internet:
      When providing services for placing orders via the Internet, the company needs to maintain the quality of customer services by establishing quality standards for placing orders via the Internet, which shall cover the key elements such as transaction security, stability and system availability, and customer services.
    9. Introduction of cyber-attack prevention system and security tests:
      1. The company shall regularly perform penetration tests on the core systems that provide Internet services, according to its information security level, and make improvements based on the test results. (To become effective by end of January 2022.)
      2. The company shall conduct regular information and communication security checkups according to its information security level, which should include inspection of network structure, inspection of malicious cyber activities, inspection of malicious activities at a user’s computer, inspection of malicious activities at the server, setup of directory server, and inspection of setup of firewall connection. (To become effective by end of January 2023.)
      3. The company shall establish an information and communication security threat detection management system according to its information security level, which should include collection of events, analysis of irregularities, detection of attacks, and determination of attack acts.
      4. The company shall establish an intrusion detection and prevention system according to its information security level.
      5. The company shall set up firewalls for its applications according to its information security level.
      6. The company shall implement advanced protection measures against persistent threats and attacks according to its information security level. (To become effective by end of January 2023.)
    10. Notice of log-in or irregularity (to become effective as of 28 February 2023):
      It is advisable that the company give notice upon the log-in of a customer's account. In the event of the following irregularities, immediate notice shall be given to the customer, and relevant records retained, to prevent log-in by persons other than the customer:
      1. a wrong password is entered or the account is blocked
      2. an application for a certificate is made or a certificate is updated
      3. particulars are amended
      4. a log-in is attempted by an irregular source or act
      5. an application for changing or replacing the password is made
    11. Monitoring and warning of irregular IP log-ins:
      The company shall monitor, analyze, and document irregular IP connections and IP connections from unknown sources. If the following circumstances are discovered, it shall develop an alert mechanism and inspect it regularly to confirm its effective operation:
      1. Different accounts are logged in from an IP from the same source for a certain number of times.
      2. The same account is logged in from different countries within a certain time.
      3. An attempt at log-in from an irregular source (e.g. one blacklisted by the Financial Information Sharing and Analysis Center (F-ISAC), or an overseas IP) is found.
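      As an added illustration that is not part of the regulation, the following Python sketch runs the daily checks of item 3.2 above (repeated wrong passwords) and the three alert conditions of this item over constructed log lines. The log format, the thresholds, and the blocklist are assumptions, since the regulation leaves "a certain number of times" and "a certain time" to the firm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): timestamp, account, source IP,
# country resolved for the IP, and result of the login attempt.
SAMPLE_LOG = """\
2024-05-15T09:00:01 acct001 203.0.113.10 TW FAIL
2024-05-15T09:00:05 acct001 203.0.113.10 TW FAIL
2024-05-15T09:00:09 acct001 203.0.113.10 TW FAIL
2024-05-15T09:01:00 acct002 198.51.100.7 TW OK
2024-05-15T09:01:10 acct003 198.51.100.7 TW OK
2024-05-15T09:01:20 acct004 198.51.100.7 TW OK
2024-05-15T09:01:30 acct005 198.51.100.7 TW OK
2024-05-15T09:05:00 acct002 192.0.2.44 US OK
2024-05-15T09:06:00 acct009 192.0.2.99 XX FAIL
"""

# Assumed thresholds: the regulation leaves "a certain number of times" and
# "a certain time" for the firm to set.
FAIL_LIMIT = 3                      # wrong passwords per account (item 3.2)
FAIL_WINDOW = timedelta(minutes=10)
SHARED_IP_LIMIT = 3                 # distinct accounts from one IP (item 11.1)
GEO_WINDOW = timedelta(hours=1)     # same account, two countries (item 11.2)
BLOCKLIST = {"192.0.2.99"}          # constructed stand-in for an F-ISAC list (item 11.3)

def parse(log_text):
    # Turn the whitespace-separated log into (time, account, ip, country, ok) tuples.
    events = []
    for line in log_text.splitlines():
        ts, acct, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), acct, ip, country, result == "OK"))
    return sorted(events)

def detect(events):
    # Return the set of (rule, subject, detail) alerts raised by the log.
    alerts = set()
    fails = defaultdict(list)        # account -> failure timestamps inside the window
    ip_accounts = defaultdict(set)   # source ip -> accounts that tried to log in
    last_login = {}                  # account -> (time, country) of last success
    for ts, acct, ip, country, ok in events:
        ip_accounts[ip].add(acct)
        if ip in BLOCKLIST:
            alerts.add(("blocklisted_source", acct, ip))
        if not ok:
            fails[acct] = [t for t in fails[acct] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[acct]) >= FAIL_LIMIT:
                alerts.add(("repeated_failures", acct, ip))
            continue
        prev = last_login.get(acct)
        if prev and prev[1] != country and ts - prev[0] <= GEO_WINDOW:
            alerts.add(("country_change", acct, f"{prev[1]}->{country}"))
        last_login[acct] = (ts, country)
    for ip, accts in ip_accounts.items():
        if len(accts) >= SHARED_IP_LIMIT:
            alerts.add(("shared_ip_many_accounts", ip, len(accts)))
    return alerts
```

Each alert tuple is what the firm would record and, per item 10, notify the customer about; the retained alerts and the log itself are the records the regulation asks to keep.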
  2. Computer system and operation safety management (CC-17020, semi-annual audit)
    1. Managing computer equipment:
      The company shall enter into a written maintenance agreement with the maintenance service provider to establish the content of computer equipment maintenance work. A maintenance log shall be retained after the completion of maintenance. The information unit shall appoint personnel to conduct inspection together with the maintenance personnel from the maintenance service provider.
    2. Environment configuration and use authorization settings of the operating systems of computers:
      1. The environment configuration and use authorization settings of the operating systems of computers shall be approved by the relevant supervisor and implemented by system administrators.
      2. Appropriate backup measures shall be in place with respect to files in the computer system before and after they are modified.
      3. The company shall establish the guidelines for management of accounts with the highest system authorization level, covering both operating system and application system, and the approval of the proper supervisor is required for use of an account with the highest authorization level, and relevant records shall be retained.
      4. The company shall create and diligently implement a security configuration baseline for personal computers, servers and network communication devices (e.g. password length and how frequently a password must be changed).
      5. The company shall adopt a multi-factor authentication method when an account is used to log in to a system via the Internet.
    3. Security management of computer media:
      1. Backup copies of important software, related documents, and inventory lists shall be made and stored in a separate safe location.
      2. If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
      3. Storage media used for backup materials shall be labeled with the name of the materials and their retention period.
      4. Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
      5. A restoration testing mechanism for backed-up data shall be established to verify the integrity of backups and the suitability of the environment.
    4. Management of computer operation:
      1. Computer operators shall strictly adhere to prescribed operating procedures.
      2. Complete and accurate records shall be provided in an operating log, which shall be inspected and approved daily by a supervisor. The operator and the supervisor may not be the same person.
      3. Specially appointed personnel shall be responsible for inspecting information in the logs of the system console and for regularly submitting the information to a supervisor for inspection and approval.
    5. The securities broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
    6. The securities broker shall adopt mechanisms and procedures for regular evaluations (at least once a year) of the capacity of and security measures for its computer system, to be carried out either internally or outsourced to a professional institution. The system capacity shall be stress-tested regularly and records of the testing retained.