A service enterprise shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The competent authority may, after having considered the size, business nature, and organizational characteristics of the service enterprise, order service enterprises to establish a dedicated information security (i.e., cybersecurity) unit, chief officer, and other personnel.
Each year, the service enterprise's highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue a written statement on the overall implementation of information security in the preceding fiscal year, and submit it to the board of directors within 3 months after the end of the fiscal year.
The service enterprise's information security officer and personnel shall attend at least 15 hours of information security professional courses or functional training every year. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year.
The Securities Association, National Futures Association, and Securities Investment Trust and Consulting Association of the R.O.C. shall adopt and regularly review self-disciplinary regulations relating to information security.