Information Security Mechanism

Policy and Commitment

  1. The Bank has established the "Information Security Policy", which is reviewed and revised every year. Its aims are to ensure legitimate, authorized access to the Bank's information and its confidentiality, integrity and availability; to maintain the reliability of information equipment and network systems and the normal operation of business processes in the face of internal and external threats; to take prompt and necessary contingency measures when an incident occurs so that possible damage is minimized; and to continuously raise colleagues' information security awareness through education, training and social engineering drills. Together these measures are intended to provide timely, stable and secure system services and to safeguard the quality of the Bank's products and services and the rights and interests of its customers.
  2. Completed information security insurance renewal in 2024 to facilitate information security risk transfer.
  3. The Bank reported 1 information security incident in 2024, with a ratio of 0% (0 cases) for personal data breach incidents, 0 affected customers, and no financial losses.

Information Security Management Framework

  1. Information Security Management Framework
     In order to effectively implement internal control of information security, the Bank has adopted a management framework with three lines of defense:
     1. The first line of defense: The implementation of information security operations by all units and the IT Division across the Bank.
     2. The second line of defense: The Information Security Division is responsible for monitoring and managing the implementation status of the Information Security Policy and the information security risks derived from it. It reports the status of information security management to the Risk Management Committee monthly, summarizes and reports to the Audit Committee and the Board of Directors quarterly, and reports to the Board of Directors on the overall implementation and management of information security every year.
     3. The third line of defense: Audits by the Internal Auditing Division.
  2. A Director of Information Security has been set up at the executive vice president level to coordinate the promotion of information security policy and the allocation of resources. The Director of the Information Security Division serves as the dedicated information security supervisor and must have a background in information security; his functional responsibilities are to supervise and implement information security policies and to coordinate and promote information security management operations.
  3. The Bank hired an information security consultant to provide professional views and advice on information security management, strengthening the information security governance capacity of the Board of Directors.

Security Reporting Mechanism and Emergency Response

  1. Conduct a business impact analysis and develop a disaster recovery plan to mitigate the risk of disruptions to the information systems.
  2. Information security incidents are notified and handled according to the situation and severity of the incident, following the "(CHB) Information Security Event Reporting Procedure" and the "Chang Hwa Bank Major Contingency Incident Handling Procedures". The affiliated units are notified through the "Information Security Event Reporting Management System", letters or phone calls for internal communication and reporting. The IT and Information Security Divisions must contain and resolve information security incidents within the target processing time, follow up on the incidents, review improvement plans, and put forth preventive measures so that such incidents do not recur.

Security Measures and Management Mechanisms

  The Bank uses the PDCA management cycle to conduct information security risk management and to address and prevent risks posed by new technologies, new products and business process changes. Information security management review meetings are held every six months.
  1. Management System and Information Security Evaluation
    1. Passed the British Standards Institution (BSI) BS 10012:2017 Personal Information Management System certification renewal audit.
    2. Passed the British Standards Institution (BSI) ISO 27001:2022 Information Security Management Systems certification renewal audit.
    3. Passed the British Standards Institution (BSI) ISO 22301:2019 Business Continuity Management Systems certification three-year re-audit.
    4. Every year, the Bank entrusts an independent third party to conduct computer system information security assessment, SWIFT CSP compliance assessment, and overall information security compliance assessment.
    5. Every year the Bank conducts penetration testing on its mobile applications (Apps) and has them benchmark-tested by the Digital Development Department; all of them have obtained the "Mobile App Basic Cybersecurity Badge and Certificate."
  2. Multi-Level Security and Surveillance Mechanisms
    1. Utilize multi-layered information security equipment working in coordination to establish protection and monitoring mechanisms in networks, endpoints and databases, servers, and software security, strengthening information security protection operations, and gradually introducing zero-trust network mechanisms in accordance with the "Financial Cyber Security Action Plan 2.0."
    2. Implement two-factor authentication mechanisms and establish privileged account tracking systems for important systems to ensure server security.
    3. Use Security Information and Event Management (SIEM) systems to conduct real-time analysis of various equipment event records for effective threat detection and incident response; utilize automated methods for 24/7 monitoring, detection, and tracking of websites and mobile applications impersonating the Bank, and take necessary responses to counterfeit programs.
    4. Regularly conduct penetration testing, vulnerability scanning, malicious program detection, source code detection, and open-source software detection on information systems to identify vulnerabilities early and perform remediation.
    5. Alternately utilize Distributed Denial of Service (DDoS) attack and defense systems, red-blue team exercises, and intrusion attack simulation drills to verify the effectiveness of information security monitoring and defense, and identify vulnerabilities for improvement.
    6. Establish a new personal data leakage protection system, optimize email release processes, and provide Optical Character Recognition (OCR) detection capabilities to enhance the Bank's personal data leakage protection capabilities. 
  3. Integration and Application of Information Security Information
    Through the Financial Information Sharing and Analysis Center (F-ISAC) and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), the Bank reports information security incidents, shares information, and makes good use of diverse information security data to improve the synergy of information security and joint defense.
  4. Information Security Education, Training and Drills
    1. Invite external professional instructors to conduct information security education and training for directors, with all directors participating in courses to enhance the Board of Directors' and senior executives' understanding of information security situations and the latest information security risks.
    2. The Bank holds information security promotion training courses for all employees every year, and regularly uses information security bulletins, social engineering exercises, emergency response exercises and system support exercises to improve colleagues' alertness and resilience and to strengthen employees' information security awareness.
      1. Information Security Education and Training in 2024

         | Course | Target personnel | Total training hours |
         | --- | --- | --- |
         | Information security awareness training in Chinese and English | All employees (including those in overseas branches and excluding general workers and drivers) | 19,575 hours |
         | Information security awareness education and training for high-risk personnel | Information and security personnel | 314 hours |
         | Business Continuity Management (BCM) Awareness Training | | 157 hours |
         | Courses related to information security | Information security specialists | 591 hours |
         | SWIFT Education and Training | SWIFT authorized personnel | 82 hours |

      2. In 2024, at least 24 information security notices were announced on the bulletin board of the internal website to strengthen information security awareness among colleagues at home and abroad.
      3. Social engineering drills were conducted every quarter. In 2024, a total of 16 drills were held and a total of 115,676 test e-mails, in both Chinese and English, were sent. The pass rate exceeded 99.5%, meeting the drill objectives.
      4. In 2024, 7 emergency response procedure drills and 104 information system drills were completed to familiarize colleagues with the response procedures for different incident scenarios and with the system operation process.
    3. The Bank's information security personnel attend professional information security courses every year, and the Bank encourages and subsidizes colleagues to obtain international information security certificates. Currently, the Bank's employees hold a total of 101 information security certificates*, which accounts for 3.2% of our total assets.
      Note: The recognition of "information security certificates" is based on the "list of information security professional certifications" published by the Executive Yuan, including ISO 27001 Information Security Management System Auditor/Lead Auditor, ISO 22301 Business Continuity Management System Auditor/Lead Auditor, ISO 27701 Privacy Information Management System Lead Auditor, Certified Cloud Security Professional (CCSP), Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Offensive Security Certified Professional (OSCP), Certified Penetration Testing Professional (CPENT), and Certified Chief Information Security Officer (CCISO), etc.