Focus

Purpose and Benefits of Establishing the “Declaration Section for Securities Firms’ Information Security Protection Items”

Chang Hung Chen
Senior Associate at TWSE


The security protection capability of securities firms is the most important element in maintaining information security in the securities market. In addition to relying on securities firms to raise their own information security awareness and defense capabilities, the Intermediaries Service Department of the Taiwan Stock Exchange Corporation (hereinafter referred to as TWSE), as the supervisory unit, continuously monitors the overall information security protection status of the securities market, provides timely guidance and support, and revises information security regulations in accordance with the instructions of the Financial Supervisory Commission (hereinafter referred to as the FSC), so as to give securities firms guidance and standards for security amid the constant evolution of the internet and information technology.

Keeping abreast of the current state of information security protection in the securities market not only allows TWSE to understand the overall protection capacity of the market at all times, but also strengthens its guidance for individual securities firms. Under the current supervision mechanism, TWSE conducts routine annual information security inspections of securities firms and combines them with project inspections to guide securities firms in implementing information security standards. In order to gain a more real-time and effective understanding of securities firms’ compliance with regulations and implementation of information security protection, TWSE has established a “Declaration Section for Securities Firms’ Information Security Protection Items” through which securities firms regularly submit electronic data declarations. At the same time, in accordance with the FSC’s Financial Cyber Security Action Plan 2.0, TWSE is promoting and encouraging securities firms to introduce international certification (the ISO 27001 Information Security Management System), increase the number of information security personnel, and obtain international information security licenses. The handling status of these items has been incorporated into the scope of data for the initial declaration in order to grasp the current state of market information security protection and to have the requirements of the “Establishment of Securities Firms’ Cybersecurity Checking Mechanism” and the “Checklist for Graded Information Security Protection” implemented.

This section was launched in July, and an advocacy conference on “Declaration Section for Securities Firms’ Information Security Protection Items – Operating Instructions” was held on July 3, 2024, and about 130 participants, including securities firms’ information security supervisors, information security specialists, and delegates from the Taipei Exchange and the Taiwan Securities Association were invited to attend the conference. In the conference, the person in charge of the section provided a detailed explanation of the items to be declared, and assisted securities firms’ information security personnel in understanding the purpose and operation of the section.

The declaration path of the section is to log in from the “Single Window for Securities Firms’ Declaration (BRK)” website and enter the “Declaration Section for Securities Firms’ Information Security Protection Items.” On the design concept of the declaration process, a minimalist style is adopted where only key necessary fields need to be filled in, with supporting attachments uploaded and remarks provided to complete the declaration process. The purpose is to design a simple and easy-to-use information declaration platform.

In terms of declaration frequency, it is currently planned to occur once every quarter, and the system opening period is the first ten working days of the current quarter. In case the competent authority requires the latest data for supervision from time to time, the system will be flexibly opened, and securities firms will be requested to update the data online and have the declaration operation carried out by their security personnel.

In the selection of items to be declared, the principle is to first promote items under “To Be Regularly Declared” and “Whether the Quantification Meets the Standard.” The following is an explanation of the degree of regulatory requirements for each item to be declared, and the latest processing status of securities firms at the time of completing the initial declaration:

  1. Information Security Policy Statement

    • Legal basis: Establishment of Securities Firms’ Cybersecurity Checking Mechanism

    • Reference clause: CC-12000 Information Security Policy

    • Regulatory explanation: Information security policies and the safety level of information operations should be formulated in accordance with relevant laws and regulations as well as the company’s business needs.

    • Current status of handling: All 70 supervised securities firms have completed their declarations. This helps the supervisory unit understand whether the securities firms’ information security policies are regularly evaluated and updated to reflect the latest developments in laws, regulations, technology, and business, so as to ensure the effectiveness of information security practices and track the correctness of the information security policies.

  2. Information Security Management System Certificate (certified by ISO 27001 or CNS 27001)

    • Legal basis: Establishment of Securities Firms’ Cybersecurity Checking Mechanism

    • Reference clause: CC-12000 Information Security Policy

    • Regulatory explanation: Each firm shall introduce an information security management system covering its core systems in accordance with its own information security level, pass verification by an impartial third party, and continuously maintain the validity of that verification. In addition, according to the “Checklist for Graded Information Security Protection,” first and second-tier securities firms shall pass the verification by the end of January 2023, and third-tier securities firms shall pass the verification by the end of December 2023.

    • Current status of handling: There are a total of 18 first to third-tier securities firms, all of which have obtained and uploaded ISO 27001 information security management system certificates. They have established and continuously maintain the effectiveness of an Information Security Management System (ISMS) that protects securities firms’ information assets through a systematic framework, thus ensuring confidentiality, integrity and availability and reducing information security risks.

  3. Appointment of a Chief Information Security Officer

    • Legal basis: Establishment of Securities Firms’ Cybersecurity Checking Mechanism

    • Reference clause: CC-13000 Security Organization

    • Regulatory explanation: Each firm shall designate a deputy general manager or senior management personnel to oversee the promotion of information security policies and the scheduling of resources, and may establish a cross-departmental “Information Security Implementation Team” as necessary. If the firm meets the conditions set by the competent authority, it shall designate a person at or above the level of deputy general manager, or with equivalent responsibilities, to concurrently serve as the chief information security officer in charge of the above-mentioned business.

    • Current status of handling: The first to third-tier securities firms and those with a high proportion of electronic orders completed the appointment of a chief information security officer in accordance with the regulations of the competent authority before June 2024, with a total of 19 officers in the entire market, and uploaded supporting data such as material information announcement records of personnel orders and the internal control system statement. This measure helps promote the overall information security protection and operational supervision of securities firms.

  4. Number of Information Security Personnel Allocated

    • Legal basis: Establishment of Securities Firms’ Cybersecurity Checking Mechanism

    • Reference clause: CC-13000 Security Organization

    • Regulatory explanation: Each firm shall designate a dedicated person or unit to be responsible for planning and implementing information security work based on its information security management needs and its information security level.

    • Current status of handling: Information security personnel are the most important assets in the information security protection system. The competent authority attaches great importance to them and, by letter (Jin-Guan-Zheng-Chuan-Zi No. 1110384596) dated November 3, 2022, released the “Order on Article 36-2 and Article 37 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets,” which stipulates that each service enterprise should allocate appropriate human resources and equipment for the planning, monitoring, and execution of information security management operations. The provisions for allocating appropriate human resources are as follows:

      (1) Securities firms, futures firms, securities finance companies, securities investment trust enterprises, securities investment consulting enterprises, and credit rating companies with a paid-in capital of over NT$20 billion should establish a dedicated information security unit with a responsible supervisor and at least three dedicated personnel responsible for information security related work or positions; these personnel shall not concurrently handle information or other businesses whose interests conflict with their responsibilities.

      (2) Securities firms, futures firms, securities finance companies, securities investment trust enterprises, securities investment consulting enterprises, and credit rating companies with a paid-in capital of less than NT$20 billion:

        1. If the paid-in capital exceeds NT$10 billion but does not reach NT$20 billion, an information security supervisor and at least three information security personnel should be appointed. For those that have established a dedicated information security unit, a dedicated supervisor and two dedicated personnel may be appointed instead.

        2. If the paid-in capital exceeds NT$4 billion but does not reach NT$10 billion, an information security supervisor and at least two information security personnel should be appointed.

        3. For those with a paid-in capital of less than NT$4 billion, at least one information security personnel should be appointed.

      In order to effectively grasp the overall allocation and operational capacity of information security personnel in the securities market, which may serve as a reference for policy promotion evaluation and the scheduling of regulatory revisions, the organizing unit actively encouraged securities firms during the advocacy conference to declare their security personnel allocation truthfully and in detail.

    • The analysis of the completed initial declaration shows that:

      • The first-tier securities firms have a total of 21 information security personnel, and the number at each firm significantly exceeds the regulatory requirement of 3. On average, each firm has more than 10 information security personnel, indicating that, while meeting the regulatory requirements of the competent authority, the first-tier securities firms also consider their own system security needs and have allocated sufficient information security personnel to maintain their information security protection capabilities.

      • The second-tier securities firms have a total of 42 information security personnel, and the number at each firm significantly exceeds the regulatory requirement (2–3). On average, each firm has more than 6 information security personnel, and the top three firms have 11, 8, and 7 respectively, indicating their level of emphasis on information security protection.

      • Among the third-tier securities firms, the regulations require that each firm have 2 information security personnel. The data shows that they have a total of 35 information security personnel. Except for one firm with 2, the other eight securities firms have more than 2 information security personnel, with an average of nearly 4 per firm. The top firm has as many as 8 information security personnel, indicating that it regards information security personnel as important assets.

      • For the fourth-tier securities firms (including foreign securities firms, bank-operated securities operations, futures firm-operated securities operations, and securities firms signed up by the Securities Associations), the regulations require that each firm have one information security personnel. The data shows that the fourth-tier securities firms have a total of 71 information security personnel; all of them meet the regulatory requirement, and the top firm has as many as 5 information security personnel. Nearly 30% of the fourth-tier securities firms have more than 2 information security personnel, and the number of their information security personnel is expected to continue to grow in the future.

  5. Professional Cybersecurity Licenses for Information Security Personnel

    • Legal basis: Establishment of Securities Firms’ Cybersecurity Checking Mechanism

    • Reference clause: CC-13000 Security Organization

    • Regulatory explanation: Each firm shall require its information security personnel to obtain and maintain the required professional cybersecurity licenses in accordance with their respective information security classification requirements.

    • Current status of handling: While the regulatory authorities require securities firms to appoint sufficient information security personnel, they also attach great importance to those personnel’s professional capabilities in the field of information security. Therefore, the “Checklist for Graded Information Security Protection” specifies that securities firms at all levels should obtain sufficient professional cybersecurity licenses and maintain their validity. The list of recognized information security licenses comes from the “Professional Cybersecurity License List” announced by the Administration for Cyber Security on February 14, 2023, after inviting relevant scholars and experts to jointly review the operation process and update the list of licenses. The announcement also requires all agencies to handle the acquisition of professional cybersecurity licenses by agency personnel in accordance with the attached table of the Cybersecurity Responsibility Level Classification Measures. The list includes 12 professional cybersecurity licenses from issuing agencies, divided into “management licenses” and “technical licenses,” and specifies the rules for determining the validity of the licenses.

The analysis of the initial declaration completed shows that:

The first-tier securities firms have obtained a total of 35 professional cybersecurity certificates, with each firm’s number of certificates significantly exceeding the regulatory requirement of 4. On average, each firm has more than 17 certificates, including mainstream “management certificates” such as:

  • ISO 27001 Information Security Management System (ISMS) Lead Auditor Certification
  • ISO 27701 Privacy Information Management System (PIMS) Lead Auditor Certification
  • ISO 22301 Business Continuity Management System (BCMS) Lead Auditor Certification

These help securities firms maintain the operational sustainability of their core trading systems while focusing on information security protection. The first-tier firms have at the same time obtained 15 advanced “technical certificates,” such as:

  • CSA (Certified SOC Analyst): Proactively detect potential network threats and attack events and respond quickly, serving as the first-line defender.
  • CEH (Certified Ethical Hacker): Learn how to face and prevent hacker attacks, and understand and cultivate attack and defense skills.
  • CTIA (Certified Threat Intelligence Analyst): Analyze and construct effective threat intelligence in order to respond to and handle attacks promptly and reduce security risks.

Through the acquisition of technical licenses and maintenance of their validity, securities firms can significantly enhance their professional information security capabilities in defending against cyber attacks.

The second-tier securities firms have obtained a total of 58 professional cybersecurity licenses, and each securities firm holds more than 3 licenses, exceeding the number required by regulations. On average, each firm has more than 8 licenses, and the top four have 15, 14, 9, and 9 licenses respectively. In addition to the 3 management and 3 technical licenses also held by the first-tier securities firms, there are 6 more types of technical licenses, including:

  • CySA+ (CompTIA Cybersecurity Analyst)
  • CHFI (Computer Hacking Forensic Investigator)
  • ECIH (EC-Council Certified Incident Handler)
  • CISM (Certified Information Security Manager)
  • CISA (Certified Information Systems Auditor)

as well as the most authoritative internationally recognized certification for information security professionals:

  • CISSP (Certified Information Systems Security Professional)

The data shows that second-tier securities firms have made a wide range of choices in obtaining technical-type professional information security licenses, with a total of 22 such licenses obtained, including information security and computer auditing licenses.

For the third-tier securities firms, the regulations require that each firm should obtain 2 professional cybersecurity certificates. However, the data shows that a total of 51 certificates were obtained by third-tier securities firms, with 7 securities firms owning more than 2 certificates. On average, each firm owns more than 5 certificates, and the top two even have as many as 16 and 9 certificates respectively, including 2 certificates that were not obtained by the first and second-tier securities firms:

  • ECSA (EC-Council Certified Security Analyst)
  • ISO/IEC 29100 Privacy Framework Lead Auditor Course

Overall, nearly half of the third-tier securities firms have obtained technical-type professional cybersecurity licenses, with a total of 12 licenses, covering a wide range of fields.

For the fourth-tier securities firms (including foreign securities firms, bank-operated securities operations, futures firm-operated securities operations, and securities firms signed up by the Securities Associations), the regulations require that each firm should obtain one professional cybersecurity license by the end of December 2024. TWSE has provided incentive subsidies this year to assist fourth-tier securities firms in attending certification courses in Taipei and Kaohsiung. After obtaining the license, they may apply for fee subsidies from TWSE. As of mid-September, a total of 28 securities firms have obtained the “ISO 27001 Information Security Management System (ISMS) Lead Auditor Certification” and received subsidies.

The data shows that the fourth-tier securities firms have obtained a total of 78 professional cybersecurity licenses, with the top three securities firms owning 12, 5, and 5 licenses respectively. A total of 49 fourth-tier securities firms (94%) have obtained one or more licenses in accordance with the regulations; 20 of the licenses are technical licenses, including one license not obtained by the first to third-tier securities firms:

  • CND (Certified Network Defender)

In the overall analysis of the professional cybersecurity licenses obtained by securities firms at all levels, the percentages of “management licenses” and “technical licenses” are as follows:

  • First-tier securities firms: Management licenses account for 57%, and technical licenses 43%.
  • Second-tier securities firms: Management licenses account for 38%, and technical licenses 62%.
  • Third-tier securities firms: Management licenses account for 76%, and technical licenses 24%.
  • Fourth-tier securities firms: Management licenses account for 74%, and technical licenses 26%.

This data can be provided to regulatory authorities as an evaluation indicator for future policy implementation, or plans can be made accordingly to require third and fourth-tier securities firms to gradually raise the proportion of technical licenses to a certain level, which helps in formulating more comprehensive response strategies for information security defense in the face of internet threats and attacks.

This declaration shows that securities firms are sufficiently willing to provide their actual current situation to the competent authorities for supervision purposes. Through data analysis, the results can further serve as a reference for regulatory formulation and policy advocacy, and give an effective grasp of the current state of information security protection and human resources, which is of great help.

The benefit of establishing this section is to help the understanding of the current status of securities firms’ information security protection, which can serve as a security supervision tool. The section can also be combined with the digital audit system of the Department to synchronize information security verification and inventory taking operations, simplify the data collection process, replace the email back-and-forth process with online input, regularly require securities firms to update their information security protection procedures online, save the data waiting time during on-site audits, improve audit efficiency, and optimize the supervision mechanism.

After the advocacy conference, the organizer held enthusiastic discussions in person and by phone with several legal compliance supervisors of securities firms who praised the detailed explanations of legal compliance and declaration details during the conference, and agreed with the design concept of the declaration section. During the discussions, the organizer also suggested that this declaration operation be included in the quarterly self-check items of securities firms for the internal audit unit to regularly review the processing status.

The design of this declaration section is still being continuously updated, and it is expected that all the items under “To Be Regularly Declared” and “Whether the Quantification Meets the Standard” in the “Checklist for Graded Information Security Protection” will be gradually included in the section by 2025. Currently, the priority items planned for the next stage include “Business Continuity Drill Records,” “Intrusion Detection and Defense Mechanism Monitoring Records,” “Application Firewall Monitoring Records,” and “Cybersecurity Clinic Handling Status.” It is expected that more information security protection aspects will be included in the future to build a more comprehensive and accurate securities market information security protective net.
