Information Security Organization and Mechanisms

Cathay FHC has an Information Security Committee that formulates the group's information security policy and implements the information security management system. Cathay FHC, Cathay Life, CUB, and Cathay Century each have an independent information security unit and departmental head responsible for planning, monitoring, and implementing information security management. The implementation and management status of information security in the previous year is reported to the Board of Directors in the first quarter of each year. Cathay FHC has a cross-company FHC-level Information Security Communications Committee and an FHC-level information security incident response team, which are fully dedicated to information security management and quality improvement.

 

Cathay FHC Information Security Organizational Chart

Cathay FHC and its subsidiaries have each established their own information security policies, which are subject to approval by their respective boards of directors. These policies, reviewed annually, secure the confidentiality, completeness, availability, and compliance of information assets. Cathay FHC's subsidiaries, including Cathay Life, CUB, and Cathay Century, have all obtained the international certification ISO 27001:2013 Information Security Management System. As of the end of 2019, coverage of ISO 27001:2013 reached 94.88% of the group's information system. In addition, reinforced information security incident warning, reporting, and response procedures are in place to provide customers with safe financial services.


Cathay FHC treats information security and customer information protection as a high priority, and has improved employees' understanding of information security by regularly organizing education and awareness training. These measures aim to raise our employees' awareness of information security, protect information assets from interference, damage, intrusion, or any unfavorable actions and intents, and properly implement information security and customer information management. Cathay FHC and its subsidiaries provide all employees with 3 hours of information security education and training each year, and the completion rate of information security training at all subsidiaries was 100% in 2019. Furthermore, personnel of dedicated information security units must receive at least 15 hours of professional information security training annually.

Furthermore, Cathay FHC and its subsidiaries have established an information security and threat intelligence sharing mechanism. Cathay FHC summarizes and generates information security newsletters monthly on an ad hoc basis, and provides the newsletters to the information security units of Cathay FHC and its subsidiaries, raising information security awareness and increasing their sensitivity to information security events.


In the event that Cathay FHC or its subsidiaries discover a cyber attack or malware, the information security incident reporting and response mechanism is initiated. The highest-level responder to an emergency information security incident is the President in all companies, and the incident is handled in accordance with the Information Security Incident Reporting and Emergency Response Management Guidelines. Cathay FHC shall summarize severe information security incidents of all subsidiaries and present them to the Information Security Committee.

Cathay FHC and its subsidiaries all periodically analyze the vulnerabilities of important systems and equipment and continue to make improvements, so as to reduce information security risks. Cathay Life and CUB have invited vendors to perform red-team testing each year to strengthen their information security. Different hacking methods are used to analyze vulnerabilities and scenarios that real attackers might exploit, including connection status management, access control testing, elevated privilege access and escape. Remediation measures are taken for high-risk items in the test results, and reinforcement measures are taken to improve the quality of information security. Improvements were completed for 100% of severe-risk and high-risk items in the test results. Furthermore, Cathay FHC and its subsidiaries all had external independent consultants conduct information security assessments in 2019, including an IT infrastructure review, network activity review, security configuration review, and IT compliance review. Follow-up and improvement measures are carried out based on the remedial measures. Improvements for all severe-risk and high-risk items were completed to ensure that security is in place.

