Jump to main content
For the best experience, change the screen to portrait mode.

For the best experience, change the screen to portrait mode.


Information Security Reminder

  1. Make sure your computer, smartphone or tablet is secure by updating operating systems, web browsers and other software. And also install antivirus software from a trusted company to ensure your device is protected from malicious activity.
  2. Never click on links, attachments or download files, install software from unknown sources. And be aware of unsolicited emails that contain links to websites urging you to provide confidential or financial information. If you receive one of these emails, don’t reply or click on a link. Instead, contact the company using a phone number you know is genuine.
  3. For secure connections, the CHANG HWA BANK APPs are available on the App Store® and Google Play™. Do not download APP from other sources.

Information Security and Business Continuity Statement

  1. CHANG HWA BANK understands that the information security and business continuity are important to you. To assist us in offering banking services in a secure manner, we employ a number of measures, which are described below.
  1. The information security and business continuity management objectives and plans are consistent with the Bank’s objectives.
  2. Clearly define the responsibilities and obligations of employee in information security and business continuity management, and assign relevant management roles to responsible for direction and oversight.
  3. Employs controls through enforcement of policies and procedures covering information security.
  4.  A set of policies and procedures are published and comminuted to employees and related external parties.
  5. Regularly identify interested parties and their requirement to determine the scope of information security and business continuity management system. And maintain and continually improve the information security and business continuity management system.
  6. Workstations and laptops have anti-virus software, update virus pattern and check/scan files automatically. All device is forbidden to install software without authorization.
  7. Regular evaluate risk assessment of information assets and adopt appropriate control and treatment to eliminate or reduce information security risks.
  8. Establish and implement business disaster recovery plan and incident response plan. Regular exercise and test to reduce business impact and ensure that are consistent with bank’s business continuity objectives.
  9. When the Bank's important information services suffer from force majeure disasters or other man-made damages, the Bank will minimize the duration of incident, reduce the impact of disruption, and enable the information services to be restored to an acceptable service level in the shortest possible time.
  10. CHB provide sufficient resources needed for the establishment, implementation, maintenance and continual improvement of information security and business continuity management system.

Information Security Policy

  1. To strengthen information security management, ensure the confidentiality, integrity and availability of information system, the reliability of information equipment and network, and ensures that the above resources are protected from any interference, destruction, intrusion, or any unfavorable behavior, thus we implement and maintain “information security policy”.Download the full text of Information Security Policy.

Information Security Risk Model

  1. The Bank has established a dedicated information security unit and appointed a Chief Information Security Officer (CISO) at the Executive Vice President level is responsible for the information security policy promotion and resource allocation.
  2. To ensure the effectiveness of information security risk management framework, CHB adopts “Three lines of defense” to assure on the effective management of information security risk. The first line of defense includes all departments and the IT Division being responsible for executing information security operations. The second line of defense is the Information Security Division monitoring the executing status of the Information Security Policy and the deriving security risks. The third line of defense is the Internal Auditing Division, which checks the operations.
  3. Regularly review and amendment the Information Security Policy, and take effect upon approval by the Board of Directors.
  4. Regularly report information security risk and management to Risk Management Committee, and report at least annually to the Board of Directors.

Information Security Management Methodology

  1. CHB adopts the PDCA cycle (Plan-Do-Check-Act) as the foundation, used to continually improve the suitability, adequacy and effectiveness of the information security management system. 
  2. Continue to improve the information security management system, regularly review and revise information security regulations; through information security risk assessment and information security testing, identify and improve information security weaknesses to strengthen the CHB's information security.
  3. Conduct risk assessment operations every year to review the information security implementation status of each risk project, and evaluate the Cybersecurity Maturity Level.
  4. Has joined F-ISAC and TWCERT/CC to improve cybersecurity through cyber security information sharing.

Information Security Incident Response

  1. If an information security incident occurs, the Bank will immediately grasp the information security incident of the bank through the Information Security Event Reporting Management System, so that personnel at all levels can immediately identify, assess and control the scope of the impact of the information security incident, and immediately take appropriate contingency measures to reduce accident damage.

Invest Resources in Information Security Management

  1. Implementation results of information security measures.
          I. Information security protection
  1. Prepare a cybersecurity budget every year, and plan about 37% of annual IT budget on cybersecurity in 2023. 
  2. Continue to introduce and expand information security defense equipment, such as firewall, anti-virus, IPS, information security log management system, database audit monitoring system, malware endpoint detection system, and replace the expired equipment.
  3. Continue to improve the information security and business continuity management system, and implement compliance operations as required by the competent authority, to ensure the effectiveness of information security management.
  4. Regularly perform information security assessment and various information security tests, such as penetration test, vulnerability scanning, malicious program detection and mobile application security testing, etc.
  5. Regularly conduct information security training, social engineering drills, emergency response drills and system backup drills, to improve the information security response capabilities of colleagues.
  6. Continue to conduct information security joint defense and make good use of information security intelligence, to strengthen the ability to prevent malicious attacks and detect threats.
  7. There are about 19 employees in our Information Security Division, and the Bank employees have obtained relevant international information security certificates, such as CISM, CISSP, CISA, OSCP, CEH.
  8. Report to the Risk Management Committee on the information security risk and management every month.
  9. ISO 27001 and ISO 22301 Management Reviews are held twice a year.
          II. International Standard Certification
  1. The Bank complies with the ISO 27001 standard and has received certification valid from November 8, 2023 until November 7, 2026. In September 2023, the Bank successfully passed the transition audit to meet the new requirements of ISO 27001:2022 version.
  2. The Bank's IT Division and Information Security Division complies with the BS 10012 standard and has received certification valid from March 31, 2022 until March 30, 2025.
  3. The Bank's IT Division and Information Security Division have introduced the ISO 22301 standard, and some systems of the IT Division complies with the ISO 22301 standard and has received certification valid from April 24, 2024 until April 23, 2027.