Information Security


● Information Security/Cybersecurity Governance Framework

The Board of Directors of SinoPac Holdings is the highest governing unit responsible for supervising the Group's information security strategies. Director Chi-hsing YEH, who has a background in information security, is responsible for supervising the Group's information security strategies. The Information Security Committee was established under the President of SinoPac Holdings in September 2018 and is the highest-ranking unit responsible for information security management. The Committee is responsible for information security implementation and governance, and for information security risk supervision and management. Vice President Sean LEE, who specializes in information security, serves as the convener of the Committee. Committee members include the heads of the Legal & Compliance Division, the Risk Management Division, and the Digital Technology Division, as well as information security related supervisors at subsidiaries; the chief auditor is invited to attend committee meetings. The Committee's responsibilities are to review the information security policy and regulations, review the information security management system, raise information security awareness, formulate related education and training plans, and evaluate and decide on information security related infrastructure.
SinoPac Holdings adjusted the organization in June 2020 to dedicate full efforts into digital technology transformation. The "Information Security Division" and "Information Technology Division" are set up under SinoPac Holdings to elevate information security protection from subsidiaries to the Group level. SinoPac Holdings established the information security governance structure for the entire Group to consolidate resources of SinoPac Holdings and subsidiaries and provide full support for the Group's development of digital technologies.
Bank SinoPac and SinoPac Securities have both established dedicated information security units in accordance with the "Information Security Policy" of SinoPac Holdings. They also completed the renewal of their ISO 27001 Information Security Management certificates in 2020 and implemented comprehensive management of customer data access, processing, transmission, and storage, as well as of the security of personnel and equipment.

● Information Security/Cybersecurity Management

  • Information Security Policy

SinoPac Holdings established the "Information Security Policy" to ensure that information processing at SinoPac Holdings and its subsidiaries complies with information security related regulations and protects customers' rights and interests. In 2020, SinoPac Holdings adjusted its internal regulations in accordance with the Finance Action Plan of the Financial Supervisory Commission and the amendments to Taiwan's Cyber Security Management Act, and reinforced its information security plans and operating procedures, including IT system security management, network security management, application system access management, application system development, maintenance, and management, computer asset management, system environment security management, and IT system disaster recovery management, to ensure the implementation of the information security management system. Each year, SinoPac Holdings, Bank SinoPac, and SinoPac Securities review whether the Information Security Policy and the information security incident response procedures are suitable for the business environment and comply with the competent authority's regulatory requirements. The Company also evaluates material information security issues and analyzes the Group's internal information security risks and vulnerabilities.

  • Information Security Management Process and System

The system management, application software development, outsourcing management, database management, network management, information security management, and infrastructure maintenance performed by the information related units (including information security units) of Bank SinoPac and SinoPac Securities all comply with ISO 27001 and have obtained ISO 27001 certification. The purpose is to prevent IT systems from being hacked and personal data from being leaked as a result of improper design of the information security framework or inadequate control in the system, network, and privacy management mechanisms, either of which would affect the Company's information security. In addition, SinoPac Holdings will continue to strengthen its information security mechanisms and personal data protection and management in the areas of APT defense systems, defense against DDoS attacks, e-mail content filtering, malware detection, website and app vulnerability scanning, and security inspections. SinoPac Holdings has also isolated high-risk systems (such as ATM and SWIFT systems) and strengthened their security. SinoPac Holdings did not receive any fines or sustain any financial losses due to accidental damage to IT systems or equipment in 2020.

  • Information Security Incident Escalation Process

● Professional Training Programs

SinoPac Holdings implements annual information security training (computer-based training) for all employees every year. The courses include basic information security concepts, a review of recent information security incidents, trends in information security, social engineering methodology, promotion of internal regulations, and the cultivation of information security awareness. SinoPac Holdings also organizes training and exercises to prevent social engineering via malicious e-mails: it designed various phishing e-mails and conducted comprehensive tests on all employees to improve their information security awareness. Dedicated information security personnel are required to participate in professional information security training or professional skills training for at least 15 hours each year and to pass the evaluation. All other employees are required to participate in more than 3 hours of information security courses each year. Compliance with information security/cybersecurity requirements has been included as a part of the employee performance evaluation. The "Employee Rewards and Punishment Regulation" of SinoPac Holdings and its subsidiaries also specifies that if an employee violates information security regulations and damages the interests of SinoPac Holdings or its subsidiaries, the unit supervisor shall submit a list of personnel to be penalized to the Human Resources Department for disciplinary action, and the results shall be submitted to the authorized supervisor for approval in accordance with the tiered internal accountability regulations.