Information and Transaction Security
Information Security Management Mechanisms
Taishin FHC has established information security regulations such as the "Information Security Policy" and "Management Guidelines for Network Security Management" as guiding principles for the continued effectiveness of information security protection. It adopts the "Plan-Do-Check-Act" (PDCA) cycle as the operating model for its information security management system and continues to invest resources to maintain its effective operation and continuous improvement. It clearly defines the rules for handling and protecting the various classes of information assets to enhance the reliability of information processing software and hardware, as well as the physical security of computer equipment, and operates a security operations center (SOC) to strengthen protection and obtain global threat intelligence. The "Management Guidelines for IT Outsourcing" have been formulated for outsourced information operations to standardize the information security requirements and scope of responsibility that third-party information service providers must comply with and to improve the security management of outsourced projects.
The Company has established an "Information Security Committee" whose members are Taishin FHC directors, the Taishin FHC President, the Taishin FHC Chief Information Security Officer, the Taishin Bank President, and first-level supervisors with information/security expertise. Meetings are held quarterly to discuss information security issues and improvement measures. The committee reports the overall state of information security governance and the annual information security governance plan to the board members in the first half of each year, and reports on the effectiveness of the information security plan in the second half of each year. Every six months the committee summarizes the latest information security threats and trends, reports them to the Board of Directors, and obtains the Board's guidance on information security governance. The Information Security Committee held 4 meetings in 2024, and the attendance rate of directors was 100%.
The Company appointed a Chief Information Security Officer (CISO) as the highest-level supervisor of information security, overseeing company-wide information security operations and the effectiveness of information security management mechanisms. To improve the planning and management of information security risks from a business continuity management perspective and to enhance overall information security capabilities, the Information Security Committee has established an "Information Security Specialist Team" composed of information security contact persons from the various units. As seed members, they are responsible for promoting the committee's resolutions on information security matters and reporting the results back to the committee. The Information Security Department regularly convenes the seed members to communicate information security issues and related requirements to all employees of the Company in order to build information security awareness across the workforce.
The Information Security Department holds an Information Security Operations Review Meeting bimonthly, where the Chief Information Security Officer (CISO) reviews the execution status of various security tasks.
We have a director on the Board and on the Cybersecurity/Information Security Committee with a relevant IT background who is engaged in the cybersecurity strategy process, and a member of the Executive Management team who oversees the company's cybersecurity strategy:
- Name of board member: Dr. Kuo, Jui-Sung
- Relevant experience and previously held positions:
Dr. Kuo is an expert in information technology and information security; Professor, Department of Information Science, Business School, Soochow University; Professor, Department of Electrical Engineering, National Taiwan University; Chairman of TECO Technology Foundation; Director of TECO Image Systems; Supervisor of SerComm; Director of International Bank of Taipei; Director of Taishin FHC and Taishin Bank; Ph.D. in Physics, University of New Hampshire.
- Name of Chief Information Security Officer (CISO): Jeff Chen
- Relevant experience and previously held positions:
Mr. Chen is an expert in information technology and information security; former Head of the Information Division at the Criminal Investigation Bureau of the National Police Agency, Ministry of the Interior; Master's degree in Computer Science and Information Engineering from National Taiwan University of Science and Technology.
Information security management system certification
External Verification
Taishin's major subsidiaries and businesses, including the banking, securities, and life insurance subsidiaries, have all obtained international certification of their information security management systems. Taishin Bank, Taishin Securities, and Taishin Life Insurance have held ISO 27001 Information Security Management System certification annually since 2010, 2022, and 2016, respectively, through 2024, creating a safe and trustworthy information security environment and protecting company assets and stakeholders' interests.
Taishin Bank attaches great importance to the security of customer personal information and obtained ISO 27701 Privacy Information Management System certification in 2024 to enhance personal data management and protection capabilities, strengthen information security control, and continue to provide more stable, safer, and higher-quality financial services while ensuring the security of data and safeguarding the rights and interests of customers.
Taishin Bank continues to obtain ISO 22301 business continuity management system certification. It ensures fast recovery of core business operations after a major disaster or incident in order to reduce impacts on stakeholders, financial markets, and the community and to fulfill Taishin's commitment to sustainability.
Internal Audit
Taishin regularly conducts IT inherent risk assessments, self-assessments and self-audits of projects and general matters, and continuously maintains and monitors a set of information security risk indicators to ensure that security risks are detected and addressed in a timely manner, thereby strengthening the information security internal control mechanism and raising the level of information security protection. In addition to these initiatives, the internal audit units of Taishin FHC and its subsidiaries conduct internal audits. In accordance with the Taishin FHC Internal Audit System, the company performs at least one general business audit annually and at least one special audit every six months for both the company and its subsidiaries. These audits cover information security items such as the formulation and implementation of information security policies, management of information and communication system security, and server and network security management. The findings are compiled into an internal audit report and submitted to the Audit Committee for review.
Information Security Event Response Exercises
To build a complete information security chain, Taishin gathers information security intelligence from around the world, such as hacker techniques and the latest threats and trends, and checks whether its internal security measures are able to detect and respond in real time. Cyber offensive and defensive exercises and social engineering drills modeled on attacker logic and techniques are conducted regularly to identify hidden risks, reduce attack surface and exposure, and improve overall information security. The FFIEC/CAT framework is used to assess the maturity of IT security governance. Drills in 2024 included distributed denial of service drills and red team drills. All drills were completed on time, and system vulnerabilities and the effectiveness of cybersecurity defense systems were checked on an ongoing basis. Taishin's Computer Security Incident Response Team (CSIRT) operates under Taishin FHC to coordinate financial information security defense and to give the Company and its subsidiaries real-time access to support for their response measures during information security incidents, reducing damage. Furthermore, Taishin has purchased information security insurance to limit escalating losses and reduce damage caused by information security incidents in order to protect company assets and rights.
Enhancement of Transaction Security
The rampant use of Internet fraud and fraudulent apps by hackers in watering hole attacks, spear phishing attacks, and ransomware attacks in recent years has severely damaged the interests of bank customers worldwide. Taishin Bank and its major subsidiaries have established multiple information security controls covering information systems, internal and external network environments, and online transaction sites. Their security status is presented on the Security Operations Center (SOC) platform, which provides real-time monitoring of information security events and helps security operators strengthen Taishin Bank's information security.
To enhance overall information security capabilities, the Company deployed a number of information security measures and became a member of the Financial Information Sharing and Analysis Center (F-ISAC) to receive information security intelligence, early warning, and joint defense services, so that it can plan preventive, detective, and corrective security controls. It signed an MOU with a domestic government agency in 2022 and joined the critical infrastructure information security joint defense system, becoming a pioneer in the financial industry in participating in Taiwan's national information security team. This has allowed the Company to further strengthen the security of stakeholders and of the overall financial environment.
- Global digital corporate banking network: Enhancement of multiple security certification and transmission encryption protocols to ensure data protection.
- Mobile devices: Use of biometrics, account and password, and one-time passwords to provide rapid, convenient, and secure NFC sensing applications and remote credit card transactions.
- Electronic channels: Use of mobile device binding, real-time payment notification SMS, a transaction detection system, and other transaction verification mechanisms.
- Transaction website and app: Introduction of anti-phishing detection services to take down significant numbers of fraudulent websites and apps and protect consumers' transaction security.
Information Security Promotion and Information Security Incident
1. Information Security System
- Information security awareness training
  - All employees of Taishin receive at least 3 hours of "information security awareness training" courses and evaluations each year. The contents include regulations, social engineering, basic information security awareness, customer personal information protection, and case studies of information security incidents. The training coverage rate and completion rate in 2024 were both 100%.
  - The Information Security Department issues information security notices to all employees of the Bank based on current events involving information security to continue to enhance their information security awareness.
- Professional information security training
  - All employees of dedicated information security units (e.g., at the Bank) have completed at least 15 hours of external training based on the requirements of their operations to enhance their professional information security skills.
  - Information security contacts of all units are invited to attend professional information security training courses provided by external professionals to strengthen the information security capabilities of all units.
- Social engineering drills
  - 4 social engineering drills, such as simulated phishing email tests, are carried out for employees of the Bank at irregular intervals each year. The test results are analyzed to identify employees with insufficient information security awareness so that training can be strengthened and the risk of potential vulnerabilities reduced.
2. Supplier Management
Taishin FHC has a set of "Information Service Outsourcing Guidelines" in place that sets out the standard operating procedures and rules for outsourcing information services. Taishin Bank has the IT Outsourcing Guidelines in place to provide the standard operating procedures and rules for IT outsourcing, covering outsourced custody of computer hardware/software and outsourced IT processes and services. To ensure the security and feasibility of outsourcing, the persons in charge of the Bank's projects and the relevant personnel of the Information Technology Division perform a full and rigorous supplier evaluation, assess the access risk posed by selected suppliers, and perform background or credit checks as needed, in order to ensure the quality and security of internal operations and protect the rights of the Bank and its customers.
3. Information Security Incident Reporting and Handling
Taishin FHC has implemented the "Taishin FHC Information Security Incident Management Guidelines" to establish the reporting and response procedures for information security incidents. The Company and each of its subsidiaries assess the scope and severity of impact of an information security incident and classify and analyze it accordingly. For example, major information security incidents are reported to the supervisors in charge as well as to the Taishin FHC Chief Information Security Officer and Chief Information Officer. The information security response procedures then cover incident management, root cause confirmation and correction, service restoration, and review and improvement in order to reduce harm and losses. Taishin adheres to domestic regulatory requirements as well as the local regulatory requirements of other countries in which it operates, and regularly checks and reports compliance to the local competent authorities.
In 2024, two cybersecurity incidents involving system-related data breaches occurred at subsidiaries of Taishin. Upon investigation and follow-up, the first incident was found to have been caused by the exploitation of a web vulnerability. Working with the information security team and external digital forensics experts, it was confirmed that the incident did not result in operational disruption or data tampering, and traffic analysis showed no evidence that customer personal data was breached. The vulnerability has been remediated, and monitoring and alert mechanisms have been reinforced to prevent recurrence. The second incident involved irregularities in the mailing addresses of dunning letters and errors in credit card statement data. In response, internal controls and operational procedures have been enhanced, and pre-event, in-process, and post-event verification mechanisms have been established to prevent recurrence.