Business Continuity and Technology Risk Management
Management System
Taishin has implemented business continuity measures as part of its banking service to ensure a proper response to situations such as natural disasters, liquidity crises, IT system faults or man-made incidents, and thereby maintain key operations and ensure fast recovery. By minimizing impact and service downtime, we strive to protect customers' and shareholders' interests and strengthen our competitiveness.
Impact Assessment
-
Natural disasters
Such as fires, earthquakes, typhoons
-
By their very nature, natural disasters are unpredictable, and in recent years the worsening greenhouse effect has heightened the probability of natural disasters. Not only will such disasters damage our operating premises, buildings, equipment and the like, but loan collateral and investment objects may also be affected, which may lead to defaulting on repayments or loss of collateral.
-
Man-made incidents
Such as political incidents, strikes, wars
-
Events due to human factors such as politics and strikes may lead to traffic blockages that make it impossible for our employees to commute between home and work and for our business to run normally. Under such circumstances, our business premises may be unable to provide regular services and operations. Intensifying conflicts, if they cannot be resolved in the short term, may cause business losses or other impacts for our business premises.
-
Information system disasters
Such as cyber security attacks, computer viruses, data corruption, system crashes, computer room inoperability
-
Cyber attacks may lead to the suspension or remote operation of our systems, damage to the database, network interruption, tampering with or theft of customer data, exposure of customers' and employees' private information, violation of service contracts with partner stores, etc., and result in significant losses to our bank.
-
Others
Mass infectious diseases
-
When a major infectious epidemic occurs, it may affect the health of our employees, cause a lack of human resources, or even render it impossible for certain locations to continue operations or provide customer services. In addition, improper epidemic prevention measures may lead to increased operating costs or even disruption of operations and services.
Responses and Recovery Plans
Business Continuity Plan
Our Business Continuity Plan (BCP) is a pre-planned response and recovery process for disasters, ensuring that a company can continue to reliably provide key services to important customers at an acceptable minimum operating level. This planning also provides for operational impact analysis, minimum resource requirements, and test drills.
-
Business Impact Analysis (BIA)
-
Business Impact Analysis is used to determine the target time for recovery, the tolerable data loss time and the recovery priorities, and to assess in advance the minimum resource requirements.
-
Minimum Resource Requirements (MRR)
-
Minimum Resource Requirements (MRR) refers to the assessment of the backup resources required to recover operations to an acceptable minimum level. MRR includes staff, office space and facilities, computer equipment, software, applications, systems, communication equipment, computer networks, important documentation, electronic files, paper files, means of transportation, stationery, etc. MRR should be sufficient to continue operations for a period of time.
-
Tests and Drills
-
In principle, at least one drill is held every year and, if necessary, drills may be conducted twice a year. For details, please see "Drills and Tests".
Information System Recovery Plan
Taishin has an appropriate backup plan in place for various levels of damage to the information system. This plan can be roughly divided into the following three types:
-
Damaged Data
- Switch to manual processing
- Carry out a data reversal operation
-
Crashed Operating System
- Assess the scope of impact, start response operations, and temporarily switch to manual processing
- Start backup hosting
-
No Service in the Server Room
- Activate the remote backup system and network connections in accordance with procedures
- Activate the remote backup system and
Contingency Funding Plan
Taishin Bank has an Emergency Response Team to ensure that during a liquidity crisis, the bank can fulfill contractual payment obligations within the planned time and to respond to the bank's funding needs. The President of Taishin Bank is the convener of the Emergency Response Team, and the CEO of Finance and Financial Market Group is the deputy convener.
-
Activate the Emergency Response Team
- The person in charge of the Financial Management Unit notifies the relevant response units of the Emergency Response Team by telephone to convene a meeting.
- After the activation of the Emergency Response Team, the convener will notify the Chairman immediately.
-
Assignment of duties
If the Emergency Response Team decides to activate the Contingency Funding Plan for emergency fund transfers, each authorized unit must discharge its duties as assigned by the Emergency Response Team.
-
Daily meetings
- The relevant Authorized Units hold daily meetings → implementation → report results.
- The convener reports on the progress and efficacy of the Contingency Funding Plan to the Chairman as needed.
-
Notification of Closure
A decision to close a case will be communicated only after agreement from the convener. Also, the head of the Financial Management Unit will notify the heads of authorized units by email.
Drills and Tests
-
Business Continuity Plan Drill
-
The Business Continuity Plan Drill (BCP Drill) is to ensure that after a disaster emerges, the BCP can be activated immediately and to ascertain that it is indeed feasible, so that key operations can be restored to their normal state within the recovery time limit. The test drill results ensure the following:
- The content of the BCP is complete, not only covering all key duties and various types of emergencies, but also leaving no ambiguity so that even those not familiar with the BCP can easily join in the implementation.
- The BCP is regularly reviewed and updated. Important members understand the BCP operations, their roles, and responsibilities.
- In principle, at least one drill is held every year and if necessary, drills may be conducted twice a year. When there are major changes in the operation items, personnel, business premises, or the external operating environment, the time schedule for testing must be adapted.
-
Information Business Continuity Walkthrough
-
Each year, major anomalous incidents on the group's major information systems are simulated, and contingency planning drills for different scenarios are conducted. The drill results and deficiencies in implementation are reviewed and presented in a report to top management to safeguard the integrity of the system's backup environment and to ensure that the data recovery processes run smoothly and stably, so that reliable financial services can be provided and the security of customer transactions is protected.
-
Computer System Incident Response Drill
-
We simulate various network hacking attacks and conduct emergency response planning exercises under different scenarios every year to familiarize employees with the procedures for processing information security incidents. The exercises in 2021 included distributed denial of service (DDoS) attacks and a red team drill.
-
Contingency Funding Capability Review
-
- To ensure that the current assets position retains access to funds, the liquidity position is tested by a round of repurchase agreements and securities sales once every six months.
- The Financial Management Unit normally uses the interbank financing channels to test whether interbank financial transactions granted to the bank by other financial institutions remain normal. The test adopts the principle of decentralization to avoid the risk of negative rumors caused by the market at the time of an incident.
- The Financial Management Unit incorporates the results of stress tests into the planning parameters of the Contingency Funding Plan, which is reviewed and revised regularly every year to ensure the plan’s efficacy and appropriateness.