“Data fraud and theft” and “cyberattacks” were listed among the world’s top five risks in the 2019 Global Risk Report of the World Economic Forum, showing that information security and personal information protection have become the center of attention worldwide in this digital era.
Information Security Organization and Mechanisms
√ Cathay FHC has an Information Security Committee that oversees the group's information security policy making and management system promotion. The committee completed an information security blueprint in 2018 and laid out 8 security domains and 84 information security control items.
√ Cathay FHC and its 6 subsidiaries have all separately established information security policies, and all examine the confidentiality, integrity, availability, and compliance of information assets through annual inspections.
√ Cathay FHC and its subsidiaries commissioned external consultants to perform an information security operations assessment in 2018 to inspect compliance with regulations made by the competent authority and information security operations. The board of directors examines the assessment report and overall implementation of information security in the first quarter of 2019.
√ Cathay FHC, Cathay Life, and CUB all have an independent and dedicated information security unit and a chief information security officer to plan, monitor and implement information security operations, and also a cross-company information security joint meeting and an emergency response team, exerting every effort to ensure information security control and quality improvement.
√ Cathay Life, CUB and Cathay Century have also completed an information security governance framework and information security management system through the international certifications “ISO 27001:2013 Information Security Management System” and “BS 10012:2017 Personal Information Management System”, and have thereby strengthened their warning, reporting, and response procedures for information security incidents. Cathay strives to provide secure financial services and reduce the risk of customers’ personal information leakages.
Information Security Education and Training and Promotion
Cathay FHC promotes information security and personal information protection by enhancing employees' awareness of information security, regularly organizing education and training courses, and holding promotion events. These measures aim to raise our employees’ awareness of information security and Internet security, protect information assets from any sort of interference, damage, intrusion, or any unfavorable actions and intents, and properly implement information security and personal information management. Cathay FHC and its subsidiaries conducted information security education and training for all their employees. The completion rate of information security education at Cathay FHC’s subsidiaries reached 100% in 2018.
Cathay FHC held the “Cathay Financial and Real Estate Group Senior Supervisors Meeting” in 2018 and invited experts to share opportunities and challenges related to information security with executives at or above the executive vice president level of Cathay Financial and Real Estate Group. The Chairman of Cathay FHC also attended the meeting.
Protection of Customers' Personal Information and Management of Infringement Incidents
When Cathay FHC and its subsidiaries discover a cyber threat that will endanger information security, the information security incident response system is initiated. The highest-level responder to an emergency information security incident is the president in all companies. Please see the Cathay FHC official website for the flowchart of the information security incident reporting and response process. Between 2016 and 2018, Cathay FHC and its subsidiaries did not have any information security incidents, did not violate any regulations on customer information protection, and were not fined for violations of information security.
Cathay FHC and its subsidiaries collect, process, and use personal information in accordance with the Personal Information Protection Act and related laws and regulations, and do not exceed the scope necessary for specific purposes. Customers are informed of the purpose for collecting personal information and who the information will be shared with, and all third parties are required to comply with company policies. Each company has established regulations for reporting and handling personal information incidents, and will notify the persons affected within the processing time to effectively respond to and handle the emergency incident, minimizing the damage to the persons involved. If an employee discovers or receives a report regarding the infringement of personal information, the employee can access the regulations and reporting procedures via the intranet. Customers can also notify Cathay FHC and its subsidiaries via the 24-hour customer service hotline or email.
Cathay Life complies with requirements on audits by mandated institutions according to the "Cathay Life Insurance Co., Ltd. Outsourcing Guidelines," and conducts on-site audits of the physical environment, network structure, computer system, access control, endpoint security, and data processing security of suppliers with whom we have data connections. A total of 7 suppliers were audited in 2018, with audit coverage reaching 100%. CUB conducts semi-annual information security audits of all suppliers that have data connections with the bank. A total of 4 suppliers were audited in 2018, with audit coverage reaching 100%.