Go to Main Content

Last update:2020/01/22

Company Information Security Policy

Taiwan Financial Holdings logo
Article 1

The Taiwan Financial Holding Co., Ltd. ("the Company") specially adopts this policy to strengthen information security management and ensure the security of its data, systems, equipment, and network.

Article 2

This policy has been adopted on the basis of the "Information Security Management Directions for the Executive Yuan and its Subordinate Agencies," the "Information Security Management Rules for the Executive Yuan and its Subordinate Agencies," and the "Information Security Management Criteria for the Ministry of Finance and its Subordinate Agencies and Institutions.

Article 3

The term "information security management " as used in this Policy means to ensure that: the Company handles information correctly; the computer software, hardware, peripheral equipment, and network systems used by operations personnel are reliable; and the aforementioned resources are free of interference, sabotage, or intrusion, or any attempts at such acts.

Article 4

The objectives of information security management are to ensure that: the Company's information is legally accessed, and the Company can provide full and uninterrupted information system operations even when it is under attack by an external intruder; and when an emergency occurs the Company will, after quickly taking necessary response measures, be able to restore normal operations within the shortest possible time, thereby limiting the possible damage that might be caused by the emergency.

Article 5

The scope of information security management includes the following:

  • segregation of authority and responsibilities;
  • education and training activities to familiarize personnel with security management and information security;
  • computer systems security management;
  • network security management;
  • systems access control and management;
  • security management for systems development and maintenance;
  • information asset security management;
  • physical and environmental security management;
  • business continuity management;
  • other information security management matters;

The matters listed in items 3 to 9 of the preceding paragraph shall be handled in accordance with the provisions of the "Taiwan Financial Holding Company Rules Governing Information Operations.

Article 6

When hiring information-related personnel, the Company shall give consideration to the security evaluation items set out in the "Information Security Management Rules for the Executive Yuan and its Subordinate Agencies." This shall be handled by the Information Management Department. Information security maintenance shall be included among the items receiving attention in ethics management, and the Information Management Department shall be responsible for handling this matter in cooperation with the proper units. The Internal Auditing Department of the Board of Directors shall be responsible for handling information security audit matters.

Article 7

In carrying out information security education and training, the Company shall take care to abide by the following points:

  • The Company shall carry out information security training and awareness activities geared to the needs of management, business, and information, so as to instill security awareness among employees and raise the level of information security at the Company.。
  • The Company shall strengthen training of information security management personnel to improve its information security management capability.

The Information Management Department shall handle the information security education and training matters set out in the preceding paragraph.

Article 8

To guard against computer virus intrusions, the Company shall purchase legal anti-virus software, and shall regularly update its virus definitions and virus scan engine.

Article 9

In order to effectively implement information security work, the Company shall establish the "Taiwan Financial Holding Company Information Security Implementation Team" to exercise unified coordination of information security policy, plans, and resource allocations, and to carry out related research. The president of the Company shall appoint one of the vice presidents to serve as chairperson of the Implementation Team referred to in the preceding paragraph. This chairperson shall be responsible for coordinating and implementing information security management. The chief information officer shall serve as the executive secretary. The heads of the Compliance Department, the Business Development Department, the Risk Management Department, the Financial Management Department, the Administration Department, and the Information Management Department shall comprise the membership of the Implementation Team. The Information Management Department shall be responsible for secretariat operations.

Article 10

If a unit in the Company experiences an information security incident, it shall promptly inform the Information Management Department for handling of the matter, and the Information Management Department shall report the matter in accordance with the legal requirements of the competent authority. In the event of an emergency, the Company shall handle the matter in accordance with the provisions of the "Taiwan Financial Holding Company Crisis Management Guidelines.

Article 11

When outsourcing information system operations, the Company shall act in advance to identify information security needs, adopt clear rules governing information security responsibilities and confidentiality, and include these in the contract so as to require the services provider to comply. The Company shall also regularly check on the state of compliance.

Article 12

Where there is a contractual relationship between the Company and one or more of its subsidiaries for the provision of information system operations, the matter shall be handled in accordance with the "Rules Governing Segregation of Authority and Duties in Contractual Relationships Between the Taiwan Financial Holding Company and its Subsidiaries for the Development and Administration of Information Systems.

Article 13

When an employee violates a rule related to information security, his or her liability with respect to information security shall be handled in accordance with disciplinary procedures.

Article 14

This Policy shall be evaluated at least once per year by the Information Security Implementation Team. To ensure the effectiveness of the Company's information security operations, such evaluations shall focus especially on whether this Policy complies with applicable legislation and is suited to the most current technologies and business practices.

Article 15

All matters on which this Policy is silent shall be governed by applicable legislation and related rules adopted by this Company.

Article 16

This Policy, and any amendment hereto, shall be issued and implemented once it has been approved by the Board of Directors.​​​​