Information Security Mechanism

Policy and Commitment

  1. To strengthen information security management, the Bank has established the "Information Security Policy". It aims to ensure legitimate, authorized access to the Bank's information and its confidentiality, integrity and availability; to maintain the reliability of information equipment and network systems and the normal operation of business processes in the face of internal and external threats; to take prompt and necessary contingency measures when incidents occur so as to minimize possible damage; and to continuously raise colleagues' information security awareness through education, training and social engineering drills.
  2. The policy is reviewed every year and amended by the Board of Directors so that the Bank can provide the most timely, sound, stable and secure system services, ensuring the quality of the products and services provided and protecting the rights and interests of customers.

Information Security Management Framework

  1. Information Security Management Framework
    1. To effectively implement internal control over information security, the Bank has adopted a management framework with three lines of defense:
      1. The first line of defense: implementation of information security operations by all units across the Bank and by the IT Division.
      2. The second line of defense: the Information Security Division is responsible for monitoring and managing the implementation status of the information security policy and the information security risks derived from it. It reports the status of information security management to the Risk Management Committee monthly, summarizes and reports to the Audit Committee and the Board of Directors quarterly, and reports to the Board of Directors on the overall implementation and management of information security every year.
      3. The third line of defense: audits by the Internal Auditing Division.
    2. A Director of Information Security at the executive vice president level has been appointed to coordinate the promotion of information security policy and the allocation of resources. The Director of the Information Security Division serves as the dedicated information security supervisor and must have a background in information security; this role is responsible for supervising and implementing information security policies and for coordinating and promoting information security management operations.
    3. The Bank has engaged an information security consultant to provide professional views and advice on information security management, strengthening the Board of Directors' information security governance capacity.

Security Reporting Mechanism and Emergency Response

  1. Information security incidents are reported and handled according to the circumstances and severity of the incident, following the "(CHB) Information Security Event Reporting Procedure" and the "Chang Hwa Bank Major Contingency Incident Handling Procedures". The affected units are notified through the "Information Security Event Reporting Management System", by letter or by phone for internal communication and reporting. The IT Division and the Information Security Division must contain and resolve information security incidents within the target processing time, follow up on each incident, review improvement plans and propose preventive measures so that such incidents do not recur.
  2. A business impact analysis is conducted and a disaster recovery plan is developed to mitigate the risk of disruption to the information systems.

Security Measures and Management Mechanisms

  The Bank uses the PDCA (Plan-Do-Check-Act) management cycle for information security risk management and to address and prevent the risks posed by new technologies, new products and changes to business processes.

  1. Management System and Information Security Evaluation
    1. Every year the Bank confirms through external review that its relevant systems comply with international standards, and evaluates the operational effectiveness of its management systems. In 2023, we continued to maintain the effectiveness of the "Business Continuity Management System ISO 22301", the "Information Security Management System ISO 27001" and the "Personal Information Management System BS 10012", and completed the upgrade of the information security management system in 2023.
    2. Every year the Bank engages an independent third party to conduct a computer system information security assessment, a SWIFT CSP compliance assessment and an overall information security compliance assessment to improve the Bank's information security.
    3. The Bank conducts penetration testing on its mobile applications (Apps) every year, and the Digital Development Department performs the benchmark testing; all of the Apps have obtained the "Mobile App Basic Cybersecurity Badge and Certificate."
  2. Multi-Level Security and Surveillance Mechanisms
    1. The Bank uses multiple layers of information security equipment working together to establish protection and monitoring mechanisms for networks, endpoints, databases and servers, strengthens information security protection operations, and has introduced two-factor authentication for important systems to strengthen access security.
    2. We use automated methods for 24/7 monitoring, detection and tracking of fake websites and mobile applications that impersonate the Bank, and take the necessary actions against such fraudulent activities.
    3. Source code analysis, vulnerability scanning, penetration testing and malware detection are performed regularly on the information systems to determine whether weaknesses exist in the Bank's information systems, so that they can be found and remediated early and a high quality of information system service can be maintained.
    4. To verify the effectiveness of the Bank's information security monitoring and defense, a combination of DDoS attack and defense drills, red and blue teaming, and breach and attack simulations is employed.
  3. Integration and Application of Information Security Intelligence
    1. Through the Financial Information Sharing and Analysis Center (F-ISAC) and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), the Bank reports information security incidents and shares intelligence, and feeds information security intelligence back through the Financial Security Operation Center (F-SOC) to improve the synergy of information security and joint defense.
    2. In 2023, by proactively monitoring and analyzing real-time external information security conditions and threats, and by integrating information security protection tools, we achieve early detection of information security threats.
  4. Information Security Education, Training and Drills
    The Bank holds information security awareness training courses for all employees every year to strengthen their awareness of information security. Every quarter, information security bulletins, social engineering exercises, emergency response exercises and system support exercises, among others, are used to improve the alertness and resilience of colleagues.
    1. Information Security Education and Training in 2023 (chart); Information Security Education and Training in 2022 (chart)
    2. In 2023, at least 24 information security notices were announced on the bulletin board of the internal website to strengthen information security awareness among colleagues at home and abroad.
    3. Social engineering drills were conducted every quarter. In 2023, 16 drills were held in total and 115,216 test e-mails were sent. The e-mails were written in both Chinese and English to increase the vigilance of employees and reduce the likelihood of successful social engineering attacks.
    4. In 2023, 7 emergency response procedure drills were completed to familiarize colleagues with the response procedures for different incident scenarios.
    5. In 2023, 90 information system drills were completed to familiarize colleagues with the system operation processes.
    6. The Bank invited external professional lecturers to hold information security education and training for directors and senior executives, attended by a total of 25 people (including 9 directors). All directors have completed the training.
    7. The Bank's information security personnel attend professional information security courses every year, and the Bank encourages and subsidizes colleagues to obtain international information security certifications. Currently, the Bank's employees hold a total of 70 information security certificates*, which accounts for 2.41% of our total assets.
      *Note: "Information security certificates" are recognized according to the "list of information security professional certifications" published by the Executive Yuan, including ISO 27001 Information Security Management System Auditor/Lead Auditor, ISO 22301 Business Continuity Management System Auditor/Lead Auditor, ISO 27701 Privacy Information Management System Lead Auditor, Certified Cloud Security Professional (CCSP), Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Offensive Security Certified Professional (OSCP), etc.

Implementation Status

  1. In 2023, the Bank had no major security incidents involving information equipment or network systems, and the number of customers affected by security incidents was 0.
  2. The Bank completed the process of applying for information security insurance in 2023.
  3. In 2023, the Bank was awarded "Outstanding Performance in Financial Security Attack and Defense Drills" in the financial security attack and defense drills of the Financial Supervisory Commission (FSC).
  4. In 2023, the Bank received the "Gold Award for Digital Information Security" (1st place) from the Commercial Times.
  5. In 2023, the Bank was awarded the "Best Financial Security Hacking Defense Team Award" (1st place) in the financial security attack and defense evaluations of the Financial Supervisory Commission (FSC).
  6. In 2023, the Bank was awarded the "2022 F-ISAC Outstanding Institution Award for Members' Performance in Information Sharing" (1st place), and the annual settlement of F-ISAC membership information sharing points for 2023 saw us retain our first-place performance.
  7. The Bank was the first bank in Taiwan to successfully complete the British Standards Institution (BSI) Information Security Management System (ISO 27001:2022) upgrade assurance, and was honored with the "Excellence in Information Resilience Award."

Information Security Policy