Cathay FHC Information Security Organizational Chart

 

Cathay FHC Information Security Governance

Cathay continues to follow the Financial Supervisory Commission’s “Financial Information Security Action Plan” and takes continuous steps to strengthen its defense against cybersecurity threats, thereby ensuring the security, convenience, and continuity of the financial services it renders. Cathay FHC and its subsidiaries each have an independent information security unit and supervising officer responsible for planning, monitoring, and implementing information security management. The implementation status of information security in the previous year is reported to the Board of Directors annually. The Information Security Committee, a cross-functional committee, is responsible for formulating information security policies and promoting management systems at the group level. To further facilitate effective cross-functional communication and consistent information security management across Cathay FHC and its subsidiaries, the cross-functional Information Security Communication Committee was established to carry out information security controls and quality enhancement.

 

Board Member

Matthew Miau is one of the independent directors of Cathay FHC. He holds a bachelor's degree in Electrical Engineering from the University of California at Berkeley and an MBA from Santa Clara University. He is currently the chairman of Lien Hwa Industrial Holdings Corp. Westcon-Comstor of the group's North American Synnex Corp. is a leader in information security and network collaboration. He is a former Laureate of the Industrial Technology Research Institute (ITRI) and was a pioneer in Taiwan's computer information industry. He has IT-related and information security experience, and management capabilities in IT channel layout, global production, corporate logistics, joint ventures and strategic alliances, venture capital, and other fields.

Strengthening Cyber Resilience

Measures

Action Plans

Formulated Information Security Policies

Cathay FHC and its subsidiaries have each established their own information security policies, which are subject to approval by their respective boards of directors, and examine the confidentiality, integrity, availability, and compliance of information assets through annual inspections.

Established a 24/7 Security Operation Center

To stay on top of cybersecurity risks, Cathay FHC established the Security Operation Center (SOC) in 2020. The SOC monitors cybersecurity status, enables immediate action against emerging cybersecurity threats, and conducts associative analysis of cybersecurity equipment, network equipment, and operating system logs to alert on and identify cybersecurity incidents, abnormal connections, etc. It also enables tracking and response mechanisms to enforce measures to control and manage cybersecurity risks.

Information Security Incident Response (IR)

Integrated resources of Cathay Financial Group and assembled a cross-functional "Cybersecurity Emergency Response Team" to assist with Incident Response (IR) and monitor cybersecurity incidents in Cathay FHC and its subsidiaries through incident reporting and emergency response procedures.

Conducted tabletop exercises to familiarize employees with IR processes for different scenarios and ensure immediate response in the event of cybersecurity incidents. Leveraged IR experience from third-party experts, advisors, and IR teams to provide applicable suggestions and IR support.

Introduced ISO 27001:2013 Information Security Management (ISM) System

As of the end of 2022, coverage of ISO 27001:2013 reached 99.5% of the group. This will complete the information security governance framework and management system, and reinforce cybersecurity incident warning, reporting, and response procedures to provide customers with safe financial services. In 2022, Cathay FHC introduced the ISO 27001:2013 framework and will seek to verify the framework in 2023.

Major subsidiaries of Cathay FHC have all received ISO 27001:2003 certification and continue to hold valid certificates. Expiration dates for the subsidiaries’ certificates are as follows:

Cathay United Bank (CUB)

2020/11/26 ~ 2023/11/25

Cathay Life

2019/02/27 ~ 2022/02/26; 2022/02/27 ~ 2025/02/26

Cathay Century Insurance

2020/01/16 ~ 2023/01/15; 2023/01/16 ~ 2025/10/31

Cathay Securities

2022/04/11 ~ 2025/04/10

Cathay Futures

2022/04/01 ~ 2025/03/31

Cathay Securities Investment Trust

2022/03/28 ~ 2025/03/27

Cathay SITE

2022/07/19 ~ 2025/07/18

 

 


We attach great importance to information security, and periodically organize training sessions while providing a variety of promotion channels to raise employees' information security awareness, so that information security can be properly managed. Furthermore, Cathay FHC and its subsidiaries established a group information and threat intelligence sharing mechanism. Cathay FHC summarizes and generates information security newsletters irregularly each month, and provides the newsletters to the information security units of Cathay FHC and its subsidiaries, raising information security awareness and increasing their sensitivity to information security events. Cultivate employees’ information security awareness to enforce information security management and control under trends of digital transformation.

 "Security by Design" Strategy

Information security, from a business perspective, is taken into account as a factor of consideration during the early stages of service or business model designs.

Information security personnel become involved when projects are still in the nascent stages to provide safety designs from a business perspective and enable project members to learn and understand topics of concern in information security.

Information Security Training

All employees are required to complete at least 3 hours of Information Security Training. In 2022, 100% of employees at all subsidiaries fulfilled the 3-hour training requirement.

Employees in information security units are required to complete at least 15 hours of professional information security training.
 

When Cathay FHC and its subsidiaries discover a cyber attack or malware, the cybersecurity incident reporting and response mechanism is initiated. The highest-level responder to an emergency cybersecurity incident is the president in all companies, and the incident is handled in accordance with the Cybersecurity Incident Reporting and Emergency Response Management Guidelines. Cathay FHC summarizes severe cybersecurity incidents of all subsidiaries and presents them to the Information Security Committee. In 2022, there were no major cybersecurity incidents. For information leaks, please refer to Customer Value and Social Relationships on the website.

Measures

Action Plans

Cyber-attack Drills

Cathay Life, CUB, Cathay Century Insurance, and Cathay Securities commission experts as white hat hackers to conduct annual cyber-attack drills. In 2022, Cathay SITE also conducted cyber-attack drills for the first time.

By attempting to hack into the systems, white hat hackers expose loopholes and scenarios where IT systems are vulnerable to cyber-attacks, including connection status management, access control testing, and authorization escalation & bypass.

Information Security Assessments for Computer Systems

Cathay FHC and its subsidiaries all had an external vendor conduct computer system safety evaluations every year, which examined information structure, inspected network activity, conducted vulnerability scanning and penetration testing, examined security settings, and examined compliance. We carried out follow-up and improvement measures based on the system security status, and improvements for severe risk and high risk items were all 100% completed.

Threat Intelligence Sharing & Analysis Mechanism

Established the "Group Information & Threat Intelligence Sharing Mechanism" to report and share major cyber threat intelligence in order to implement enhancement and prevention measures.

Signed the "Memorandum of Understanding on National Cyber-security Protection & Intelligence Sharing" with MJIB (Ministry of Justice Investigation Bureau) to strengthen the scope and depth of information security protection at Cathay Financial Group and establish a public-private information security cooperation framework to develop an allied cyber defense mechanism.


