
Title: Establishing Information Security Inspection Mechanisms for Securities Firms
Amended Date: 2024.02.05 (Articles 1 and 2 amended; English version coming soon)
Current English version amended on 2022.12.28
Categories: Market Supervision > Regulation of Securities Firms
Article 10: Business Continuity Management (CC-20000, semi-annual audit)
  1. Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems) shall be clearly formulated and implemented, and records of their implementation shall be kept.
  2. Failure recovery procedures shall be tested periodically; after each test, a review meeting shall be convened to consider ways to correct any deficiencies found, and a record of the meeting shall be retained.
  3. Securities brokers shall have backup measures in place for their trading servers.
  4. The company shall formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, the response plans of outside entities with which the company does business, and contract suitability), maintain the measures the plan requires, identify its key operations and perform the related impact analyses, and conduct business continuity exercises regularly in accordance with its information security level. (To become effective by end of January 2022.)
  5. The company shall establish an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). In the event of information security incidents or service irregularities affecting its information systems, the company shall apply the Operational Guidelines on Reporting of Information and Communication Security Related Events in Securities and Futures Markets, take appropriate corrective measures, and retain the related records.
  6. Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the company to the TWSE (TPEx or Taiwan Securities Association) in writing, to be advised to the competent authority.
  7. The company shall establish clear operational procedures for defending against and responding to distributed denial-of-service (DDoS) attacks.