Article NO. Content


Establishing Information Security Inspection Mechanisms for Securities Firms 

Amended Date: 2024.05.15 (Articles 1, 4, 7, 10, 12 amended,English version coming soon)
Current English version amended on 2022.12.28 
Categories: Market Supervision > Regulation of Securities Firms
2     Information Security Policy: (CC-12000, annual audit)
  1. The company shall adopt an information security policy and set information operations security standards in accordance with its business needs and applicable laws and regulations.
  2. The following content shall be included in the information security policy:
    1. A definition of information security, information security objectives, and scope of information security.
    2. An explanation and description of the information security policy, information security principles and standards, and rules the employees must comply with.
    3. A description of the organizational unit in charge of the information security work, the unit's authority and duties, and segregation of said duties.
    4. Emergency procedures for reporting and handling an information security incident, along with related regulations.
  3. The information security policy adopted by the company shall be approved by its management, formally issued, observed by all of its employees, and notified to and observed by public and private authorities / institutions and providers of information services with network connection with the company.
  4. The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business etc., and to ensure the efficacy of the company's information security operations. Records of the above evaluations shall also be retained.
  5. Information security policy evaluations shall be conducted in an independent and objective manner either internally or through an outsourced professional institution.
  6. The company shall have its chief information security officer or highest officer responsible for information security, and its board chairperson, general manager and chief audit officer jointly issue an internal control system statement on overall implementation of the information security measures during the previous year, in accordance with Article 24 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets, which will be submitted to the board of directors for approval. The statement shall be disclosed at the Market Observation Post System (MOPS) within three months after the closing of a fiscal year.
  7. The company shall take the required measures for tiered protection of information security by referring to the Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection.
  8. The company shall introduce the core system to the information security management system according to its information security level, and this system must be validated by an impartial third party and the validity of validation should continue to be maintained.


Relevant Laws: