Information Security Organization and Mechanisms

Cathay FHC continues to follow the Financial Supervisory Commission's "Financial Information Security Action Plan" and takes continuous steps to strengthen its defenses against security threats, thereby ensuring the security, convenience, and continuity of the financial services it renders. Cathay FHC has an Information Security Committee that formulates the group's information security policy and oversees implementation of the management system. Cathay FHC, Cathay Life, CUB, and Cathay Century each have an independent information security unit and a supervising officer responsible for planning, monitoring, and implementing information security management. The implementation status of information security for the previous year is reported to the Board of Directors annually.


Cathay FHC Information Security Organizational Chart

Cathay FHC has a cross-company, FHC-level Information Security Communications Committee and an FHC-level information security incident emergency response team, both fully dedicated to information security management and quality improvement. In addition, Cathay FHC established a Security Operation Center in 2020 that operates 24/7 to monitor information security risks and issue prompt alerts. External consultants and an external emergency response team, both highly experienced in handling information security incidents, are also engaged to provide professional recommendations and emergency response support.
Cathay FHC and each of its subsidiaries have established their own information security policies, which are approved by their respective boards of directors, and each examines the confidentiality, integrity, availability, and compliance of its information assets through annual inspections. Cathay FHC's major subsidiaries Cathay Life, CUB, and Cathay Century have all obtained ISO 27001:2013 Information Security Management System certification. As of the end of 2020, ISO 27001:2013 coverage reached 96.5% of the group, and in 2021 Cathay FHC will assist Cathay Securities, Cathay Futures, Cathay SITE, and Cathay SICE in adopting the ISO 27001:2013 framework. This will complete the information security governance framework and management system, and reinforce information security incident warning, reporting, and response procedures so that customers receive safe financial services.
To ensure the information security of outsourced operations, the major subsidiaries, including Cathay United Bank, Cathay Life, Cathay Century, Cathay Securities, Cathay Futures, and Cathay Securities Investment Trust, conduct regular audits, jointly with the relevant business units, of the outsourced service providers that handle customer information. These audits also assess information security risks and verify regulatory compliance, with the aim of improving data security and reducing the risk of data leakage.


We attach great importance to information security, and periodically organize training sessions while providing a variety of communication channels to raise employees' information security awareness, so that information security is properly managed. Cathay FHC and its subsidiaries provide every employee with 3 hours of information security education and training each year, and the completion rate of information security training at all subsidiaries was 100% in 2020. In addition, personnel of the dedicated information security units must receive at least 15 hours of professional information security training each year.

Cathay FHC and its subsidiaries have also established a group-wide mechanism for sharing information security information and threat intelligence. Cathay FHC compiles information security newsletters at irregular intervals each month and distributes them to the information security units of Cathay FHC and its subsidiaries, raising information security awareness and sharpening their sensitivity to information security events.


When Cathay FHC or any of its subsidiaries discovers a cyber attack or malware, the information security incident reporting and response mechanism is activated. In every company, the president is the highest-level responder for an emergency information security incident, and the incident is handled in accordance with the Information Security Incident Reporting and Emergency Response Management Guidelines. Cathay FHC consolidates the severe information security incidents of all subsidiaries and reports them to the Information Security Committee. Incidents affecting customer rights are handled in accordance with the Group's "Regulations Governing the Handling of Major Incidents" and "Media Information Disclosure Guidelines", and affected customers are kept informed of how the incident is being handled.

Cathay Life and CUB engage external vendors to perform white-hat penetration tests each year to strengthen their information security. Various attack techniques are used to identify vulnerabilities and the scenarios in which attackers could exploit them, including session and connection management, access control testing, privilege escalation, and escape from restricted environments. High-risk findings are remediated and reinforcement measures are taken to improve the quality of information security. Remediation was completed for 100% of the severe-risk and high-risk findings.

In addition, the major subsidiaries, including Cathay United Bank, Cathay Life, Cathay Century, Cathay Securities, Cathay Futures, and Cathay Securities Investment Trust, have established procedures for processing external intelligence and regularly collect external threat intelligence, including from F-ISAC (Taiwan's Financial Information Sharing and Analysis Center). The subsidiaries conduct risk assessments based on the content of this intelligence, and information security personnel verify and track how each item of intelligence was processed, thereby strengthening protection against external cybersecurity risks.

Furthermore, in 2020 Cathay FHC and all of its subsidiaries had an external vendor conduct computer system security assessments, which reviewed the information architecture, inspected network activity, performed vulnerability scanning and penetration testing, examined security settings, and checked compliance. Follow-up and improvement measures were carried out based on the assessed security status of each system, and remediation of severe-risk and high-risk findings was 100% completed to ensure the safety of data.

