Article NO. Content


Establishing Information Security Inspection Mechanisms for Securities Firms 

Amended Date: 2024.05.15 (Articles 1, 4, 7, 10, 12 amended,English version coming soon)
Current English version amended on 2023.08.23 
Categories: Market Supervision > Regulation of Securities Firms
3     Security Organization (CC-13000, annual audit)
  1. The company shall follow the requirements to have appropriate human resources and equipment available for planning and monitoring of the information security system and implementing the information security management operation. The job responsibilities of the relevant staff and their other concurrent responsibilities shall be in compliance with regulations.
  2. The company shall designate a vice president or high level supervisor to take overall charge of affairs pertaining to the promotion of information security policies and allocation of resources and, where necessary, may also establish an interdepartmental "Information Security Task Force." If the company satisfies certain conditions prescribed by the competent authority, it shall designate a person of or above the rank of vice president or with comparable functions to act concurrently as a chief information security officer to handle the aforementioned business.
  3. As necessary for the purposes of information security management and according to its information security level, the company shall specifically assign personnel or unit(s) to be responsible for planning and implementing information security work, and the information security staff and the supervisor(s) shall attend regular information security professional programs and trainings of at least 15 hours and pass the assessment in year. Other staff with access to information system shall attend information security awareness promotion programs of at least three hours in a year.
  4. If the company lacks sufficient information security manpower, skills, or experience, it may retain external scholars, experts, or professional private institutions and groups to provide information security consulting services.
  5. The authority and duties of the company's information processing department shall be clearly differentiated from those of its business units.
  6. The company shall request its information security personnel to receive and maintain such information security professional license adequate to its information security level.