Article NO. Content


Establishing Information Security Inspection Mechanisms for Securities Firms 

Amended Date: 2024.05.15 (Articles 1, 4, 7, 10, 12 amended,English version coming soon)
Current English version amended on 2022.12.28 
Categories: Market Supervision > Regulation of Securities Firms
12     Application of new technologies (CC-21100, annual audit)
  1. Cloud services:
    1. If the company is using cloud services, it shall establish the cloud computing service operation security regulations, covering the method to select a cloud service provider, audit measures, backup system, service standards, including information security protection, and requirements on recovery time. When any requirement is not met, there should be additional compensatory measures.
    2. If the company is a cloud service provider, if shall establish the cloud computing service security control and management measures, covering compliance of law, authority control and management, allocation of rights and responsibilities, and information security protection. In the event of transmission of sensitive information, encryption Internet communication protocols such as HyperText Transfer Protocol Secure (HTTPS) and Secret File Transfer Protocol (SFTP) shall be used.
  2. Social media:
    1. The company shall establish the information security regulations for social media and the regulations for use of social media, covering:
      1. Define what business-related information may be shared on the social media for business purpose.
      2. Distinction between social media for personal or business purposes and important information about their use.
    2. Levels if risks in allowing employees to use social media shall be assessed, including information disclosure, social engineering, malware attacks, etc. and appropriate security control measures shall be taken.
    3. The company shall establish the information security regulations and management policies for operation of its official pages on the social media, which shall cover the following:
      1. Understand the privacy policy applicable to the social media on which it maintains its official page, and review the changes to its privacy policy and assess the risks regularly (once a year).
      2. If the official website contains a link that takes users away from the website to the social media, when a user clicks the link, there should be a pop-up window notifying the user he or she is leaving the company's website.
      3. The name and contact method of the securities firm should be specified on the social media page to distinguish it from the official page on the social media.
      4. An account authorization management system shall be established to control and monitor posts and inappropriate comments and irregularities shall be reported or handled.
  3. Mobile devices:
    1. The company shall establish the information securities regulations and management policies for mobile devices for business use, which shall cover the following:
      1. The management policies for mobile devices shall include applicable regulations for request, use, replacement and return of a mobile device.
      2. When the user is changed, the mobile device should be reconfigured or the original configurations should be cleared to ensure the security of the environment of the mobile device.
      3. It is advisable only official applications or such other applications approved in the tests and listed as downloadable by the company be installed on the device.
    2. The company shall establish the information security regulations and management policies for mobile devices owned by employee, which shall cover the following:
      1. The company shall ask employees to use their own mobile devices only for certain purposes.
      2. The company shall sign the agreement of employee's use of their own mobile device with the employee using their own device, with terms and conditions on limit on use and liabilities of the parties, etc.
      3. The company shall prohibit unauthorized connection of its internal information equipment to the Internet from mobile device owned by employee.
  4. The Internet of things:
    The information security regulations and management policies for the Internet of things (IoT) shall be established, which shall cover the following:
    1. The management list of IoT equipment shall be created and updated at least once a year, and the initial password to the above equipment shall be changed.
    2. IoT equipment shall have the security update mechanism and shall be updated regularly (once a year). If a defect to the equipment is known and no update to correct the defect is possible, a compensatory control system shall be established.
    3. Network connection and services not needed for IoT equipment should be turned off. Use of public Internet connection is advised against.
    4. When signing a procurement contract with a supplier of IoT equipment, it is advisable the contract include terms on information security, a clear definition of related liabilities, e.g. service warrant, lifespan of security updates, voluntary notification of known loopholes in the information security equipment, and submission of appropriate response measures, to ensure no known security loopholes in the equipment.
    5. When procuring IoT equipment, the company is advised to make it a priority to procure such IoT equipment with information security certification.
    6. The company shall regularly conduct information security education and trainings for users and management personnel of IoT equipment.
  5. Remote Work:
    1. To mitigate data breach risks, the company shall install information security related softwares on remote work equipment to control access authority of applications.
    2. The company shall specify the authority of work-from-homers with regard to system functions according to the scope of business and control authority.
    3. The company shall establish the restrictions on the time of connection and relevant regulations based on the duties performed by the employees.
    4. The company shall keep track of remote employees' user log-ins to systems, operation of computer equipment, and transaction records.
    5. The company shall adopt multi-factor authentication (employee account password, dynamic password, one-time password) and create safe remote network channels to mitigate risk of forgery or unauthorized use of the relevant account passwords.
    6. The company shall prevent malicious or unauthorized connection and establish remote account access rules in accordance with the Principle of Least Privilege, PoLP.
    7. The company shall regularly update the security control measures concerning connection to the virtual private network, VPN, and other remote access systems.
    8. The company shall develop measures to protect client privacy and the security of client data and records.
    9. The company shall have in place an information security mechanism to strengthen promotion of information security and educate employees work remotely on cyber vigilance.