Taishin Financial Holdings

Sustainability Governance

Business Continuity and Technology Risk Management

Management System

Taishin has implemented business continuity measures as part of its banking services to ensure a proper response to situations such as natural disasters, liquidity crises, IT system faults or man-made incidents, and thereby maintain key operations and ensure fast recovery. By minimizing impact and service downtime, we strive to protect customers' and shareholders' interests and strengthen our competitiveness.

Impact Assessment

Disaster Type and Impact Analysis

  • Natural disasters
    Such as fires, earthquakes, typhoons

    • By their very nature, natural disasters are unpredictable, and in recent years the worsening greenhouse effect has heightened the probability of natural disasters. Not only will such disasters damage our operating premises, buildings, equipment and the like, but loan collateral and investment objects may also be affected, which may lead to defaulting on repayments or loss of collateral.

  • Man-made incidents
    Such as political incidents, strikes, wars

    • Events due to human factors such as politics and strikes may lead to traffic blocks that make it impossible for our employees to commute between home and work and for our business to run normally. Under such circumstances, our business premises may be unable to provide regular services and operations. Intensifying conflicts, if they cannot be resolved in the short term, may cause business losses or other impacts for our business premises.

  • Information system disasters
    Such as cyber security attacks, digital viruses, data corruption, system crashes, computer room inoperability

    • Cyber attacks may lead to the suspension or remote operation of our systems, damage to the database, network interruption, tampering with or theft of customer data, exposure of customers' and employees' private information, violation of service contracts with partner stores, etc., and result in significant losses to our bank.

  • Others
    Mass infectious diseases

    • When a major infectious epidemic occurs, it may affect the health of our employees, cause a lack of human resources, or even render it impossible for certain locations to continue operations or provide customer services. In addition, improper epidemic prevention measures may lead to increased operating costs or even disruption of operations and services.

Responses and Recovery Plans

Business Continuity Plan

Our Business Continuity Plan (BCP) is a pre-planned response and recovery process in response to a disaster to ensure that a company can continue to reliably provide key services to important customers at an acceptable minimum operating level. This planning also provides for operational impact analysis, minimum resource requirements, and test drills.

  • Business Impact Analysis (BIA)

    • Business Impact Analysis is used to determine the target time for recovery, tolerable data loss time and recovery priorities, and to assess in advance the minimum resource requirements.

  • Minimum Resource Requirements (MRR)

    • Minimum Resource Requirements (MRR) refers to the assessment of the backup resources required to recover operations to an acceptable minimum level. MRR includes staff, office space and facilities, computer equipment, software, applications, systems communication equipment, computer networks, important documentation, electronic files, paper files, means of transportation, stationery, etc. MRR should be sufficient to continue operations for a period of time.

  • Tests and Drills

    • In principle, at least one drill is held every year and, if necessary, drills may be conducted twice a year. For details, please see "Drills and Tests".

Information System Recovery Plan 

Taishin has an appropriate backup plan in place for various levels of damage to the information system. This plan can be roughly divided into the following three types:

  • Damaged Data

    • Switch to manual processing
    • Carry out a data reversal operation
  • Crashed Operating System

    • Assess the scope of impact, start response operations, and temporarily switch to manual processing methods
    • Start backup hosting
  • No Service in the Server Room

    • Activate the remote backup system and network connections in accordance with procedures

Contingency Funding Plan

Taishin Bank has an Emergency Response Team to ensure that during a liquidity crisis, the bank can fulfill contractual payment obligations within the planned time and to respond to the bank's funding needs. The President of Taishin Bank is the convener of the Emergency Response Team, and the CEO of Finance and Financial Market Group is the deputy convener.

  • Activate the Emergency Response Team

    1. The responsible person in charge of the Financial Management Unit notifies the relevant response unit of the Emergency Response Team to conduct a meeting by telephone.
    2. After the activation of the Emergency Response Team, the convener will notify the Chairman immediately.
  • Assignment of duties

    If the Emergency Response Team decides to activate the Contingency Funding Plan for emergency fund transfers, each authorized unit must discharge its duties as assigned by the Emergency Response Team.

  • Daily meetings

    1. The relevant Authorized Units hold daily meetings → implementation → report results.
    2. The convener reports on the progress and efficacy of the Contingency Funding Plan to the Chairman as needed.
  • Notification of Closure

    A decision to close a case will be communicated only after agreement from the convener. Also, the head of the Financial Management Unit will notify the heads of authorized units by email.

Drills and Tests

Item Description
  • Business Continuity Plan Drill
  • The Business Continuity Plan Drill (BCP Drill) is to ensure that after a disaster emerges, the BCP can be activated immediately and to ascertain that it is indeed feasible, so that key operations can be restored to their normal state within the recovery time limit. The test drill results ensure the following:

    • The BCP Drill is to ensure that after a disaster emerges, the BCP can be activated immediately and to ascertain that it is indeed feasible, so that key operations can be restored to their normal state within the recovery time limit.
    • The content of the BCP is complete, not only covering all key duties and various types of emergencies, but also leaving no ambiguity so that even those not familiar with the BCP can easily join in the implementation.
    • The BCP is regularly reviewed and updated. Important members understand the BCP operations, their roles, and responsibilities.
    • In principle, at least one drill is held every year and if necessary, drills may be conducted twice a year. When there are major changes in the operation items, personnel, business premises, or the external operating environment, the time schedule for testing must be adapted.
  • Information Business Continuity Walkthrough
  • Each year, major anomalous incidents on the group’s major information systems are simulated, and contingency planning drills for different scenarios are conducted. The drill results and deficiencies in implementation are reviewed and presented in a report to the top management to safeguard the integrity of the system’s backup environment and to ensure that the data recovery processes run smoothly and stably, so that reliable financial services can be provided and the security of customer transactions is protected.

  • Computer System Incident Response Drill
    • We simulate various network hacking attacks and conduct emergency response planning exercises under different scenarios every year to familiarize employees with the procedures for processing information security incidents. The exercises in 2021 included distributed denial of service (DDoS) attacks and a red team drill.

  • Contingency Funding Capability Review
    • To ensure that the current assets position retains access to funds, the liquidity position is tested by a round of repurchase agreements and securities sales once every six months.
    • The Financial Management Unit normally uses the interbank financing channels to test whether interbank financial transactions granted to the bank by other financial institutions remain normal. The test adopts the principle of decentralization to avoid the risk of negative rumors caused by the market at the time of an incident.
    • The Financial Management Unit incorporates the results of stress tests into the planning parameters of the Contingency Funding Plan, which is reviewed and revised regularly every year to ensure the plan’s efficacy and appropriateness.


© Taishin Financial Holding Co., Ltd. All rights reserved.