Information and Transaction Security
Information Security Management Mechanisms
Taishin FHC has implemented the "Information Security Policy" and the "Taishin Holdings Internet Security Management Guidelines" as guiding principles for security protection. An "Information Security Committee" has also been assembled within the organization, comprising the Group Director with expertise in information and information security, the Group President, the Group CIO, the Taishin Bank President and level-1 managers. The committee holds quarterly meetings to discuss information security issues and improvement measures. In the first half of each year, a report on the overall information security governance situation and an annual security management plan are submitted to the Board of Directors; in the second half of the year, the implementation results of the annual plan are reported to the Board. Trends in security awareness promotion are also reported to the Board, and the Board offers guidance on information security governance semi-annually.
An Information Security Department comprising employees from various fields of expertise was established to oversee the planning and execution of Taishin Bank's information security policy. In addition, an Information Security Specialist Team comprising the information security contacts of the various units has been established so that information security risks can be managed more efficiently from an organizational perspective. The Information Security Department oversees the information security management system and related internal and external issues, and responds to stakeholders' requests. It coordinates with the relevant departments to assess and manage related issues, and continually looks for internal and external threats from a risk perspective, in order to build an information security system that supports the development of FinTech.
Taishin Bank first passed ISO/IEC 27001 ISMS certification in 2010. Since then, the Bank has engaged an independent third party to conduct half-yearly surveillance reviews and re-certification once every three years, so that information security management is continually optimized and the information security management system keeps functioning effectively. In 2015, the Bank passed PCI-DSS (Payment Card Industry Data Security Standard) certification. To keep card payment security at optimum levels, PCI-DSS compliance is assessed every year by an independent third-party organization to ensure card payments remain effective and safe.
Upgraded Security Protection
Information security risk management is currently executed as part of ISO/IEC 27001. The Bank gathers information security management issues from within and outside the organization, and engages various departments of the IT Division to assess the risks involved and potential impacts.
Given the increasing number of information security threats and attacks around the world, Taishin Bank complies with the laws of its home country and of the foreign countries where its overseas branches are domiciled by conducting regular reviews and making regular reports to the local competent authority. In 2021, there was no information security-related or extraordinary incident that had to be reported to the local financial competent authority, nor was there any compliance-related defect. During the past five years, no major security incident affecting customers has occurred, such as operational attacks or business impacts caused by systems being hacked, and no customer's personal or sensitive information was leaked through phishing. In addition, Taishin's network security management mechanism runs 24/7 year round to defend against hacking attacks.
Enhancement of Transaction Security
The rampant use of Internet fraud and fraudulent apps by hackers for watering hole attacks, spear phishing attacks and ransomware attacks in recent years has severely damaged the interests of bank customers worldwide. Taishin Bank has put multiple information security protection measures in place for its information systems, internal and external network environments, and transaction websites, and in 2020 established a Security Operation Center (SOC) for the entire Bank to monitor the information security systems for abnormalities and analyze intelligence on all types of security threats. The Center is used to optimize Taishin Bank's information security network, and we shall continue to enhance information security and protect the security of customer transactions.
- Global digital corporate banking network: Strengthened multi-layered security authentication and transmission encryption protocols to ensure data protection.
- Mobile devices: Biometrics, account/password login and one-time passwords provide rapid, convenient and secure NFC contactless applications and remote credit card transactions.
- Electronic channels: Mobile device binding, real-time payment notification SMS, a transaction detection system and other transaction verification protocols.
- Transaction website and app: Anti-phishing detection services have been introduced to take down significant numbers of fraudulent websites and apps and protect consumers' transaction security.
Information Security Awareness and External Party Management
1. Education and Drills
- General information security training
  - All employees of the Bank receive at least 3 hours of "information security awareness training" courses and evaluations each year. The contents include regulations, social engineering, basic information security awareness, customer personal information protection, and case studies of information security incidents, all of which help strengthen information security. The training coverage rate and completion rate in 2022 were both 100%.
  - The Information Security Department issues information security notices to all employees of the Bank based on current events involving information security, to keep raising their information security awareness.
- Professional information security training
  - All employees of dedicated information security units have completed at least 15 hours of external training based on the requirements of their operations, to enhance their professional information security skills.
  - The information security contacts of all units are invited to attend professional information security training courses provided by external professionals, to strengthen the information security capabilities of every unit.
- Social engineering drills
  - 4 social engineering drills, such as simulated phishing email tests, are conducted for employees of the Bank on an irregular basis each year. The test results are analyzed to identify employees with insufficient information security awareness so that their training can be strengthened and the risk of potential vulnerabilities reduced.
2. Supplier Management
Taishin Bank has a set of "Information Service Outsourcing Guidelines" in place that outlines the standard operating procedures and rules for outsourcing information services. The guidelines cover several issues, including outsourced custody of computer hardware and software, and outsourcing of information processing and services. To ensure the safety and feasibility of outsourced processes, the project handler collaborates with employees from the IT Division to perform comprehensive and rigorous supplier assessments as well as risk assessments of the selected vendors. Credit assessments are performed where appropriate to ensure the quality of internal processes and the vendor's ability to provide services in the best interest of the Bank and its customers.
3. No violations of information security regulations at the Bank in the past three years.