Information Security
Information Security Management
To coordinate the Group's information development and information security management and to reduce information security risk, Mega Financial Holding has built an information security management system, formulated the "Information Security Policy" and the "Guidelines for Information Security Management Operations", and reviews its information security rules annually. In 2022 it introduced and obtained certification under the international information security standard ISO 27001 (information security management systems). Through information security governance, regulatory compliance, risk control and audit review, supported by the use of technology, Mega Group has comprehensively strengthened its information security protection capabilities.
In accordance with Article 9-1 of the FSC's "Regulations Governing Establishment of Internal Control Systems by Public Companies", Mega Financial Holding has appointed a supervising Executive Vice President to serve concurrently as Chief Information Security Officer (CISO), responsible for overseeing the promotion of the information security policy and the allocation of resources. A dedicated information security unit has also been established, staffed by 5 dedicated information security supervisors and personnel, which is responsible for formulating and maintaining the Company's information security policy and for building the overall information security protection mechanism and emergency response plan.
To establish a sound foundation for information security across Mega Group, a "Group Information Security Meeting" is convened once a quarter. The Mega Financial Holding CISO acts as convener, and the CISO, the head of information security (or information technology) or a designated representative of each subsidiary attends. The meeting coordinates the Group's information security management, the promotion of each company's information security policy and the scheduling of resources; strengthens decision-making on information security issues; and supervises each subsidiary in completing its information security rules and strengthening system protection, so as to build a joint financial cyber-defence system, raise the organisation's incident response and protection capacity, and reduce information security risk. In accordance with their business risk and the internal control regulations of their respective industries, Mega Bank, Mega Securities, CKI, Mega Bills and Mega Funds each report the overall implementation of information security for the preceding year to their boards of directors annually.
Information Security Management Mechanisms and Measures
In response to the changing cyber threats and risks brought by technological development, Mega Group continually reviews the adequacy of its rules and measures and maintains a complete network and computer security protection system. Every year, on an unscheduled basis, it carries out system vulnerability scanning and patching, penetration testing, social engineering drills and information and communication security training. It has also obtained ISO 27001 information security management system certification and established a SOC (Information Security Monitoring Center) to ensure that information security and cyber risk controls are appropriate and effective. To safeguard sustainable operation and reputation, the Bank and the Insurance Company continued in 2023 to be covered by "E-Commerce and Information Security Liability Insurance (cyber insurance)" for the whole year, with insured amounts of US$5 million and NT$30 million respectively.
Mega Financial Holding obtained ISO 27001 international information security certification on September 19, 2022; the certificate is valid from September 19, 2022 to September 19, 2025.
Information Security Reporting Process and Information Security Incidents
Mega Financial Holding has formulated the "Guidelines for Major Contingency Operating Procedure", the "Guidelines for the Establishment of a Computer Information Security Incident Response Team (CSIRT)" and the "Guidelines for Information Security Incident Management and Notification Operation". These strengthen the Group's capacity to respond to and handle information security incidents, integrate Group resources for mutual support, allow incidents at Group members to be tracked and supported in real time, and reduce the operational impact of incidents on the Group, in line with the requirement in the FSC's "Financial Cyber Security Action Plan" to "encourage financial holding companies to establish a Computer Information Security Incident Response Team".
When a major information security incident occurs, the incident handling team of the subsidiary where it occurred reports to the Group CSIRT, which communicates with it to ensure a consistent response, and the incident is handled according to the "Flowchart of Coordination and Communication among All Levels of Information Security Incident Response Team" in the guidelines. After the incident is closed, the unit where it occurred convenes a meeting to present the handling of the incident and a review report, so as to prevent recurrence.
Information Security Education and Training
So that customers can use Mega Group's services with confidence, employees must have information security knowledge and heightened awareness. Each subsidiary of the Group holds information security training every year, through in-person and online courses and lectures, so that employees improve their information security knowledge annually and can respond to a changing security landscape. In 2023 the training topics included "Introduction to Social Engineering Attack Methods and Email Security", "Information Security Protection Practices", "Information Security Risks under the Internet of Things and Digital Transformation", "ChatGPT Information Security Promotion", "Information Security Risks Generated by Generative AI and Social Engineering" and "ESG Corporate Sustainability and Information Security Governance Strategies". A total of 34 training sessions and promotion seminars were held; 36,927 attendees completed the training (24 sessions included a post-course test, which all 30,070 attendees passed), for a total of 40,559 training hours, or an average of 4.2 hours per person.
Customer Privacy and Personal Information Protection
Mega Group applies a "zero tolerance policy" to leaks of personal data and customer privacy information and fulfils its duty to keep customer data confidential. The Compliance Department of Mega Financial Holding formulates and maintains the "Customer Data Confidentiality Measures", which set out how Mega Financial Holding and its subsidiaries collect, process and use customer data in accordance with the "Personal Data Protection Act", the "Financial Holding Company Act" and the "Regulations Governing Administration of the Collective Marketing in Inter-Subsidiaries Company of a Financial Holding Company". Customer personal data protection is also built into the internal control system, employee training on the topic is held, and a third party is commissioned every year to verify personal data protection, ensuring that customer privacy and personal data protection are put into practice. In 2023, Mega Bank and CKI respectively completed the implementation and third-party recertification of a BS 10012:2017 Personal Information Management System and an ISO 27701:2019 Privacy Information Management System.
Furthermore, to become the partner customers trust most, Mega Financial Holding's "Employee Code of Conduct", "Reward and Punishment Regulations" and "Customer Data Confidentiality Measures of Mega Financial Holding and its Subsidiaries" require employees to keep company information and customer privacy data confidential and not to disclose it except as required by law or with approval, an obligation that continues after they leave the company. An employee who violates the Code or the Confidentiality Measures immediately loses access to company information and, depending on the severity of the case, is reported for disciplinary action under the company's punishment regulations and held legally liable, demonstrating the importance Mega Group attaches to personal data protection and customer privacy.
For Mega Group's 2023 customer privacy and personal data protection, please refer to Section 4.4.2, Customer Privacy and Personal Information Protection, of the 2023 Sustainability Report.