
Article NO. Content

Title:

Guidelines for the Work-From-Home Application by Securities Firms in Response to Severe Communicable Diseases

Amended Date: 2023.10.03 
Categories: Market Supervision > Regulation of Securities Firms
2 II Securities firm work-from-home application process and application documents
  1. Application process
    (1) A securities firm applying for the first time for working from home to handle brokerage trading and transactions, dealer trading and transactions, and clearing and reporting etc. shall make the application to the Taipei Stock Exchange Corporation for special transfer to the competent authority for approval. Notwithstanding, the securities firm may prepare the relevant documents to apply to the TWSE for preliminary examination to shorten the application procedure; if prevented by an emergency (e.g., lockdown, any confirmed case among employees etc.) from making a written application according to normal procedure, said firm may make a report to the TWSE by special means (e.g., email), followed by the submission of the relevant documents to the TWSE for the record after the incident.
    (2) The period of work-from-home sought by a securities firm may not exceed three months, provided an application with good cause may be made prior to expiration to the TWSE for approval of a three-month extension. If it is deemed necessary upon assessment to continue with the work-from-home arrangement upon expiration of the extension, an application may be made to the TWSE in accordance with the process in (1) above.
  2. Application documents
    A securities firm applying for working from home shall make a special application to the TWSE in advance, with a contingency plan and case list (as attached) containing the following presented:
    (1) Availability period: The period of work-from-home arrangement being sought.
    (2) Personnel deployment: Information pertaining to personnel deployment. A senior officer must be designated as a point of contact.
    (3) Business activities: Businesses handled during the work-from-home period are limited to those stated in the application (e.g., transactions, clearing). If the work-from-home application is to handle transactions only, clearing not covered by the application may be handled at the place of business only. If changes are necessary, an application shall be made to the TWSE for special transfer to the competent authority for approval. If prevented by an emergency from making a written application according to normal procedure, a securities firm may make a report to the TWSE by special means, followed by the submission of the relevant documents to the TWSE for the record after the incident.
    (4) Operation and procedure: The operation and procedure of work-from-home must expressly describe the differences with working at the place of business.
    (5) Control measures on transactions and employee conduct:
    1. The company shall establish measures to monitor the activities and communications of employees working from home. Work-from-home activities are limited to those approved by the company. Stricter reviews shall be conducted of the personal transactions of work-from-home employees, including that methods for managing the employees’ communications and activities in connection with brokerage trading etc. shall be expressly prescribed. In principle no personnel responsible for reviewing and monitoring the activities of work-from-home employees may work from home, unless such personnel’s review and monitoring will not be hindered by their working from home.
    2. The company shall inform work-from-homers of their rights and obligations and explain the importance of legal compliance fully.
    3. The company shall adopt measures to protect and expressly prescribe management measures for client privacy and the safety of client data and records etc.
    4. The company must verify client identity (e.g., when accepting orders) and step up measures to manage client accounts.
    5. The company shall publish an outline of the work-from-home arrangement on the company website (home page) and assist clients in understanding company operations and risk of suspension of transactions etc.
    6. Control measures for brokerage trading, dealer trading, settlement, and declaration procedures include audio or video recording or relevant alternative measures.
    (6) Test report: The company must first test the remote access system for work-from-home purposes and ensure employees may access the company system only through safe connection.
    (7) Information security control measures:
    1. The company must develop safe remote access systems (such as virtual private network (VPN), virtual desktop infrastructure (VDI)), including the following security measures: adopting multi-factor authentication (employee account number and password, dynamic password, one-time password), secure connection, the principle of least privilege (PoLP), retaining complete operation and audit trails of users, monitoring and cautioning against irregularities, updating security vulnerabilities etc., and must further educate work-from-homers on cyber vigilance etc.
    2. The company must establish safe channels for remote access, restrict log-in to company employees only, fully track in writing operation of equipment, and prescribe regulations governing the hours that connection is available subject to the schedule of the employees’ performance of duties.
    3. The company must set up firewalls against malicious or unauthorized connection, devise rules in accordance with the principle of least privilege, close non-essential ports, and monitor network traffic, anomaly alerts, and disconnection mechanisms.
    4. The company must employ differentiation in managing the access authority of users in accordance with the principle of least privilege. Work-from-homers are authorized to access functions only to the extent required for business execution. Authorizations with regard to non-essential systems and functions must be disabled.
    (8) Issue a statement on the Establishment of Information Security Inspection Mechanisms.
    (9) Measures for the prevention of conflicts of interest and violations of rules and regulations: Prescribe comprehensive and express measures to prevent conflicts of interest and violations of rules and regulations by work-from-homers.
    (10) Minutes of the board of directors’ meeting where the board of directors agrees to the work-from-home, or in lieu thereof, the consent of the head office or regional center of the group. Subsequent ratification is acceptable in the event of emergency preventing the procurement of advance consent of the board of directors.
    (11) Risk assessment of enforcement: Where a work-from-home period as applied for lasts a consecutive year or more, whether the content of the contingency plan conforms to the current situation shall be reviewed (at least once a year), and possible new risks that may arise out of a long-term work-from-home arrangement shall be assessed (risk assessment should cover cybersecurity risk, legal risk, operational risk, personal data risk, and financial crime risk, etc.).
    (12) Records of work-from-home education and training and awareness programs (at least semiannual).

Interpretation: