Preface
In today's digital age, the information security of securities firms has become particularly important. With the growing share of electronic securities trading and the digitization of customer data, securities firms face more and more network threats and data leakage risks; inadequate information security protection may lead to service interruptions and the leakage of important customer data, undermining market stability and trust. In September 2020, the Presidential Office announced the "Information Security is National Security" strategy report, elevating information security to the level of national security, with the aims of creating a national information security mechanism to ensure the security of the digital nation, establishing a national security system to accelerate the development of the digital economy, and promoting independent research and development of national defense information security to enhance industrial growth. Strengthening information security has therefore become a key focus of national development. As the securities industry bears the heavy responsibility of ensuring the sound operation of Taiwan's capital market, ensuring securities firms' cybersecurity and providing uninterrupted trading services has become an important goal of the industry. However, information security requires continuous investment of resources whose effectiveness is difficult to quantify accurately, so organizations are often unable to allocate appropriate resources to continuously improve their protection. In addition, the size of an organization often affects its share of market risk. Under these constraints, how to use limited resources effectively for information security protection is a major challenge in promoting it.
In light of this, the Securities and Futures Bureau of the Financial Supervisory Commission (hereinafter referred to as the competent authority) referred to the responsibility classification principle of the Cyber Security Management Act (hereinafter referred to as the Cybersecurity Act) and classified securities firms into four tiers based on their paid-in capital or assigned working capital. A securities firm with such capital of NT$20 billion or more is classified as a tier one securities firm; one with NT$10 billion or more but less than NT$20 billion is tier two; one with NT$4 billion or more but less than NT$10 billion is tier three; and one with less than NT$4 billion is tier four. The Taiwan Stock Exchange then established the "Establishing the Information Security Inspection Mechanism for Securities Firms – Annex: Matters to Be Completed by Tier" so that securities firms of all tiers can implement the regulatory requirements and achieve maximum synergy in information security protection. This article explains the reinforcement measures in the annex and provides recommendations for their implementation, so that readers may gain a further understanding of them.
Establishment of Matters to Be Completed by Securities Firms for Tiered Information Security Protection
On August 25, 2020, the Taiwan Stock Exchange established the “Establishing Information Security Inspection Mechanisms for Securities Firms – Annex: Matters to Be Completed by Tier” based on the proposals in the “Research Report on Information Security Protection Standards for Securities and Futures Firms – Based on the Cyber Security Management Act” and a reference to the “Regulations on Classification of Cyber Security Responsibility Levels” of the “Cyber Security Management Act.” The scope of the relevant strengthening measures and explanations are as follows:
- I. Introduction of an Information Security Management System and Verification by an Impartial Third Party:
This is applicable to first to third tier securities firms. These firms shall introduce an Information Security Management System (ISMS) for their core systems and have it verified by an impartial third party. Within two years after the firm's tier is first approved or changed, the firm shall complete the introduction of the CNS 27001 or ISO 27001 Information Security Management System standard, another system or standard with equivalent or higher effect, or another standard independently developed by a government agency and recognized by the competent authority; within three years, it shall complete impartial third-party verification and thereafter maintain its validity continuously. The key points of this measure are as follows:
- Completing the risk assessment:
  - Analyze the risks faced by the organization, identify external threat sources and internal vulnerabilities, define the security controls that reduce risk, conduct impact analysis, and calculate and determine the acceptable level of risk.
  - Select the risk treatment option (reduction, transfer, avoidance, or acceptance), determine appropriate control objectives and controls, complete the risk treatment plan, and pass the organization's review.
- Establishing the four levels of ISMS documentation: Meet the requirements of the ISO 27001 Information Security Management System standard according to the planned schedule, align the four-level documentation with the internal control system, and fully pass the organization's audit.
- Internal audit: Establish or revise the ISMS internal audit procedure, set an annual audit plan, and continuously improve the ISMS process.
- Entrusting a third party for verification and correcting the deficiencies identified: Ensure that the ISMS operation of the organization's core system complies with the ISO 27001 standard, commission an impartial third party for certification, and undergo surveillance audits in the following two years.
- II. Information Security Personnel Obtaining Professional Cybersecurity Licenses (refer to the list of cybersecurity professional licenses in the Cyber Security Management Act, including management and technical categories):
This is applicable to all securities firms. Within one year after the firm's tier is first approved or changed, its information security personnel shall obtain the licenses on the Ministry of Digital Affairs' Professional Cybersecurity License List that correspond to the firm's tier. The purpose of this measure is to strengthen the overall information security protection capacity of the securities market and to give concrete form to the talent-cultivation measures under the "deepening information security" aspect of the Financial Cyber Security Action Plan, so that the securities market is comprehensively protected and each organization has the functions its information security operations require.
- III. Classification of Information Systems:
This is applicable to all securities firms. Within one year after the firm's tier is first approved or changed, the classification of the firm's information systems, whether developed in-house or outsourced, shall be completed, and the suitability of the classification shall subsequently be reviewed at least once a year. This measure is based on risk: to ensure that resources are used effectively on important systems, securities firms currently often use a dichotomy that distinguishes core from non-core systems, concentrate resources on core systems, and formulate the corresponding information security controls to enhance operational resilience and strengthen protection.
- IV. Building a Network Firewall:
This is applicable to all securities firms. The organization should develop network protection strategies to reduce the risk of malicious attacks and avoid significant damage to its information system. The method of building a network firewall is as follows:
- Plan and organize the network architecture.
- Select appropriate firewall network devices.
- Determine the location of the firewall based on the organizational network architecture.
- Set the rules for the firewall.
- Check if the firewall functions properly.
Network firewalls come in the following types: network-layer packet filtering, stateful inspection firewalls, proxy firewalls, unified threat management (UTM) firewalls, and next-generation firewalls (NGFW). Considering protective capability, it is recommended that the firewall provide the following functions:
- Rules can be set in blacklist (deny-list) or whitelist (allow-list) form.
- It can store usage and configuration logs and supports storing them remotely; it must provide real-time alerting and VPN functions.
- It can identify applications and protect encrypted traffic.
- V. Deploying Antivirus Software:
This is applicable to all securities firms. The organization should develop an antivirus strategy to reduce the risk of malicious attacks and avoid significant damage to important systems. It is recommended that the antivirus software be updated automatically, be deployed on all devices, and have been evaluated by antivirus testing organizations such as AV-Test, AV-Comparatives, and Virus Bulletin. It should be able to detect viruses, worms, Trojans, spyware, adware, bots, zero-day threats, rootkits, and other malicious programs. The recommended operating mode is as follows:
- Develop organizational antivirus software specifications.
- Control all incoming and outgoing connections.
- Establish a blacklist of malicious websites.
- Set up an independent dedicated media scanning device.
- Strengthen employee information security awareness.
- VI. Email Filtering Mechanism:
This is applicable to all securities firms. As there have been frequent cases of phishing and social engineering attacks in recent years, in addition to personnel training and management, the strengthening of the monitoring of email systems can reduce the frequency of attacks mentioned above on the organization. It is recommended that an email filtering mechanism include the following functions:
- It can filter spam, malicious emails, targeted advanced-threat emails, virus-carrying emails, and social engineering emails, and blocks inappropriate external mail such as mail from blacklisted sources.
- It provides email archiving, attachment control, remote access, password strength checking, sender spoofing detection, and advanced defense functions.
- It provides comprehensive identification logs for subsequent audits.
- VII. System Penetration Test:
This is applicable to first to third tier securities firms. Penetration tests should be conducted regularly according to the firm's information security level, on a cycle of one to two years. A penetration test simulates the attack methods of specific adversaries to test the security strength of systems, networks, and connected devices, in order to identify vulnerabilities, propose improvements, and assist in remediation. Retesting must then be carried out to confirm that remediation is complete and that the risk has been effectively reduced. The test should cover the following categories:
- Operating system category: remote services and local services.
- Web service category: configuration management, user authentication, session management, user authorization, logic flaws, input validation, web services and AJAX.
- Application category: email service module, web service module, file transfer module, remote connection service module, and network service module.
- Password cracking category: password strength testing.
- Wireless service category: wireless service vulnerability testing.
In addition, personnel involved in performing system penetration testing should have received training and hold professional certifications such as CEH, CPENT, CompTIA PenTest+, CPSA, OSCP, or other information security related certifications. The recommended operation process is as follows:
- Confirm the scope and duration of the test.
- Confirm the testing method and the tools to be used.
- Gather information and scan for vulnerabilities.
- Gain access and escalate privileges.
- Analyze the results and issue the test report.
- Remediate the findings in the report and retest.
- VIII. Cybersecurity Diagnosis:
This is applicable to first to third tier securities firms, and should be performed regularly according to their information security level, with a cycle of 1 to 2 years. Through professional procedures, it checks and evaluates the information security status of the organization, attempts to discover potential information security risks, and analyzes the identified risks to develop relevant protective measures or adjust the configuration architecture, in order to strengthen the overall information security of the organization. It is recommended that the cybersecurity diagnosis include the following items:
- Network architecture review.
- Inspection for malicious network activity.
- User side computer inspection.
- Server host inspection.
- Inspection of directory server settings.
- Firewall connection configuration inspection.
- IX. Establishment of a threat detection and management mechanism for cybersecurity:
This is applicable to first to third tier securities firms. The cybersecurity threat detection and management mechanism, commonly known as a Security Operations Center (SOC), is a platform that consolidates security information from the various platforms and devices within the organization. Its collection scope covers the entire organizational environment, providing early warning of threats, real-time alerts during an event, post-event analysis of the threat, and recommended strengthening measures, so that security alerts are managed effectively. Through the integrated platform's monitoring, the organization can promptly understand internal and external threats, identify potential risks, and respond to incidents in a timely manner to minimize damage. The recommended operating mode is as follows: set up an event collector host that gathers the logs of security devices, important systems, and operating systems, including the firewall, intrusion detection/prevention system (IDS/IPS), web application firewall (WAF), antivirus system, endpoint protection (EDR/MDR), and data leakage prevention (DLP), and analyze and correlate them to determine whether a potential security threat exists.
- X. Establishment of an intrusion detection and protection mechanism:
This is applicable to all securities firms that provide online order placement services. It refers to the establishment of an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) by securities firms. IDS is an information security protection system that can detect intrusions, issue alerts, and record intrusion information, while IPS is also an information security protection system that can not only detect intrusions, but also block them from further attacks. This measure is to establish the protection mechanism mentioned above by monitoring the network data transmission behavior of the network or network devices, so when abnormal or aggressive network data transmission behavior is detected, appropriate defense measures can be taken to avoid the impact of malicious attacks. The recommended operation mode for establishing intrusion detection and protection mechanisms is as follows:
- Build the ability to collect host information and the related network connection, operating system, application, and network-signature information.
- Build the ability to identify incident types, such as denial-of-service attacks, backdoors, policy violations, port scans, malware (such as worms and Trojans), and unauthorized applications or protocols such as P2P.
- Establish mechanisms for analysis, for confirming that alerts are correct, and for linking events to event records (including timestamps, event types, event sources and handling methods, as well as the corresponding CVE identifiers and impact levels), so that policy settings such as whitelists, blacklists, thresholds, and other security capabilities can be adjusted.
- XI. Building an Application Firewall:
This is applicable to securities firms providing web-based order placement services. A web application firewall (WAF) is a firewall designed specifically to protect web pages and websites. Unlike a general firewall, it detects and blocks attacks aimed at web applications, such as the commonly seen SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks. This measure introduces that protection to keep websites and web pages safe from malicious attacks. Recommended WAF functions are as follows:
- Able to detect and block the attack categories in the latest version of the OWASP Top 10.
- Compliant with the PCI DSS standard of the payment card industry.
- Able to prevent or mitigate DoS/DDoS attacks.
- Capable of identifying leaks of sensitive data such as ID numbers and cardholder data.
- XII. Establishing advanced persistent threat attack protection measures:
This is applicable to first tier securities firms and covers the strategies and techniques for responding to advanced persistent threat (APT) attacks, which are carefully planned, targeted intrusions. Unlike the attacks caught by traditional signature-based security mechanisms, APT actors lurk in the organization's systems over the long term to avoid detection and choose the right moment to strike. An APT attack can be divided into seven stages: reconnaissance, lure, redirection, exploitation, file download, call-back (reporting), and data theft. Organizations must continuously improve their protection capabilities to detect and prevent these emerging attacks and persistent intrusions. The recommended operating mode is as follows:
- Enhancing information security awareness: Raise the security awareness of all personnel within the organization.
- Real-time inbound analysis: Maintain analytical capability for external-to-internal connections, such as analysis of malicious programs and downloads, analysis of dynamic web content, and detection of botnet attacks.
- Real-time outbound protection, leakage protection, and content analysis: Analyze suspicious files transmitted outward, block custom encryption used by attackers, detect leakage of system passwords, prevent malicious program downloads, and alert on abnormal outbound connections.
- XIII. Directly connected devices of trading-related networks shall not use products that endanger national cybersecurity:
This is applicable to all securities firms. In view of the importance of the four-in-one network segment and the co-located host service network segment to market trading, and with reference to the Ministry of Digital Affairs' "Principles for Restricting Various Agencies' Use of Products that Endanger National Information Security," this measure requires that devices directly connected to trading-related networks not use products that endanger national cybersecurity.
- XIV. Business continuity exercises:
This applies to first to third tier securities firms. The scope is the core information system, and the exercise should be performed regularly. To ensure operational resilience and to demonstrate the effectiveness of organizational backup and backup environment operation mechanisms at critical moments, the business continuity exercise should be performed, and continuous adjustments and improvements should be made based on the results of the exercises. The business continuity exercise should include the following: business continuity plan, core system backup measures, personnel responsibilities, contingency operation procedures, fault recovery procedures, resource allocation, and review and improvement of exercise results.
- XV. Monitoring abnormal network activities:
This applies to all securities firms. This measure is for the organization to monitor, analyze, and keep records of abnormal and unknown source IP connections. If any of the following situations are found, a warning mechanism should be in place, and regular reviews should be conducted to confirm the effective operation of the mechanism:
- The same source IP logs into different accounts a certain number of times.
- The same account is logged into from different countries within a certain period.
- An abnormal source (such as an entity on the blacklist published by the Financial Information Sharing and Analysis Center (F-ISAC) or a foreign IP) attempts to log in.
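The three conditions above can be implemented as checks over authentication logs. The following is an added example (not part of the TWSE annex or any firm's system) that runs them over a constructed sample log; the log format, the GeoIP country field, the blocklist contents, the thresholds and the time windows are all assumptions that a firm would replace with its own.

```python
"""Login-anomaly checks for the three conditions in measure XV.
Added example code; not part of the TWSE annex. The log format, the GeoIP
country field, the blocklist, the thresholds and the windows are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, GeoIP country, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7   acct1001 TW OK
2024-03-01T09:00:03Z 203.0.113.7   acct1002 TW FAIL
2024-03-01T09:00:05Z 203.0.113.7   acct1003 TW FAIL
2024-03-01T09:00:07Z 203.0.113.7   acct1004 TW FAIL
2024-03-01T09:01:00Z 198.51.100.20 acct2001 TW OK
2024-03-01T09:20:00Z 192.0.2.55    acct2001 US OK
2024-03-01T10:00:00Z 192.0.2.200   acct3001 RU FAIL
"""

# Constructed stand-ins for the F-ISAC blocklist and the countries logins are expected from.
BLOCKLIST = [ipaddress.ip_network("192.0.2.128/25")]
ALLOWED_COUNTRIES = {"TW"}


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ipaddress.ip_address(ip),
            "account": account,
            "country": country,
            "ok": result == "OK",
        })
    return events


def _within(evs, i, window):
    """Events in evs[:i+1] no older than `window` before evs[i] (evs sorted by ts)."""
    return [x for x in evs[: i + 1] if evs[i]["ts"] - x["ts"] <= window]


def many_accounts_from_one_ip(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 1: one source IP touches `threshold` or more distinct accounts inside `window`.
    Failed attempts count too, since this pattern is typical of credential stuffing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            accounts = {x["account"] for x in _within(evs, i, window)}
            if len(accounts) >= threshold:
                alerts.append({"rule": "many_accounts_one_ip", "ip": str(ip),
                               "accounts": sorted(accounts)})
                break  # one alert per IP
    return alerts


def account_from_multiple_countries(events, window=timedelta(hours=1)):
    """Rule 2: one account successfully logs in from more than one country inside `window`."""
    by_acct = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_acct[e["account"]].append(e)
    alerts = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            countries = {x["country"] for x in _within(evs, i, window)}
            if len(countries) > 1:
                alerts.append({"rule": "multi_country_account", "account": acct,
                               "countries": sorted(countries)})
                break
    return alerts


def abnormal_source_attempts(events, blocklist=BLOCKLIST, allowed=ALLOWED_COUNTRIES):
    """Rule 3: any attempt (successful or not) from a blocklisted network or a foreign country."""
    alerts = []
    for e in events:
        reasons = []
        if any(e["ip"] in net for net in blocklist):
            reasons.append("blocklisted")
        if e["country"] not in allowed:
            reasons.append("foreign")
        if reasons:
            alerts.append({"rule": "abnormal_source", "ip": str(e["ip"]),
                           "account": e["account"], "reasons": reasons})
    return alerts


def run_checks(text):
    events = parse_log(text)
    return (many_accounts_from_one_ip(events)
            + account_from_multiple_countries(events)
            + abnormal_source_attempts(events))


if __name__ == "__main__":
    for alert in run_checks(SAMPLE_LOG):
        print(alert)
```

On the sample, rule 1 fires once for 203.0.113.7 after its third distinct account, rule 2 fires for acct2001 (TW then US within an hour), and rule 3 fires for both 192.0.2.x attempts, the second for being on the blocklist as well as foreign. The sliding window is evaluated per event so a slow, spread-out attack does not accumulate forever; the trade-off is that a window and threshold chosen too tightly will miss low-and-slow attempts, so both should be reviewed regularly, as the measure requires.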
- XVI. Encryption of important configuration setting files of the core system:
This applies to first to third tier securities firms. The organization should encrypt, or otherwise store in an appropriate way, the important configuration files of the core system and other information requiring protection. Analysis of security incidents caused by hacker attacks shows that some attackers obtained important or core system accounts by reading critical configuration files, which led to the incident.
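A quick check a practitioner can run before (and after) encrypting configuration files is to look for credentials stored in plaintext and for file permissions that let other local users read the file. The following added example (not the annex's or any vendor's code) audits a constructed sample configuration; the key-name patterns, the ENC[...] and ${VAULT:...} reference conventions and the key = value file format are assumptions.

```python
"""Audit a core-system configuration file for plaintext credentials and for
permissions that let other local users read it. Added example code; not part
of the TWSE annex. Key-name patterns and the ENC[...] / ${VAULT:...}
reference conventions are assumptions."""
import os
import re
import stat
import tempfile

# Constructed sample configuration (key = value lines).
SAMPLE_CONFIG = """\
# core trading gateway (constructed sample)
db_host = 10.10.1.5
db_user = trading_svc
db_password = "Summer2024!"
api_key = ENC[v1:Zm9vYmFy]
signing_private_key = ${VAULT:core/signing}
password_min_length = 12
"""

# Keys whose values are credentials, and the forms a non-plaintext value may take.
SECRET_KEY = re.compile(
    r"(password|passwd|secret|api[_-]?key|private[_-]?key)\s*[=:]\s*(.+)", re.I)
REFERENCE = re.compile(r"^(ENC\[.+\]|\$\{VAULT:.+\})$")


def find_plaintext_secrets(text):
    """Return (line number, matched key word) for each credential stored in the clear."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = SECRET_KEY.search(stripped)
        if m is None:
            continue  # e.g. password_min_length = 12: no '=' directly after the key word
        value = m.group(2).strip().strip("\"'")
        if not REFERENCE.match(value):
            findings.append((lineno, m.group(1).lower()))
    return findings


def loose_permissions(path):
    """True if any group or other permission bit is set (mode should be 0600 or tighter)."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit(path):
    with open(path, encoding="utf-8") as f:
        text = f.read()
    return {"plaintext_secrets": find_plaintext_secrets(text),
            "group_or_world_accessible": loose_permissions(path)}


def audit_sample(mode=0o600):
    """Write the constructed sample to a temporary file with `mode` and audit it."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONFIG)
        os.chmod(path, mode)
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(audit_sample(0o600))  # flags db_password only
    print(audit_sample(0o644))  # additionally flags the loose permissions
```

Only the db_password line is reported: the API key and signing key are references to an encrypted value or a secrets store, and password_min_length is a setting, not a credential. The permission check is deliberately strict (any group or world bit fails), because a configuration file that is readable by every local account is exactly the exposure the measure describes.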
- XVII. Core system account usage control:
This applies to first to third tier securities firms. The organization must establish the idle time and usable period of core system accounts, and the conditions of their use (such as account type and function restrictions, operating period restrictions, source address restrictions, number of connections, and accessible resources). Limiting an account's idle time and validity period and implementing source address restrictions and related measures prevents the account from being used in an external attack and keeps its use under effective control.
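The usage conditions listed above can be expressed as a per-account policy and evaluated at login and on each request. The following added example (not part of the annex or any firm's system) evaluates such a policy; the policy fields, limits and request attributes are assumptions for illustration.

```python
"""Evaluate the usage conditions of a core-system account (measure XVII).
Added example code; not part of the TWSE annex. Policy fields, limits and
request attributes are assumptions."""
import ipaddress
from datetime import datetime, time, timedelta

# Constructed policy for one operator account.
POLICY = {
    "account_type": "operator",
    "functions": {"query_orders", "submit_orders"},      # function restriction
    "hours": (time(8, 0), time(14, 30)),                  # operating period restriction
    "sources": [ipaddress.ip_network("10.10.0.0/16")],    # source address restriction
    "max_sessions": 2,                                    # number of connections
    "idle_timeout": timedelta(minutes=15),                # idle time
    "valid_until": datetime(2024, 12, 31, 23, 59, 59),    # usable period
}


def make_request(now, last_activity, src_ip, function, active_sessions):
    """Build a request record from ISO-8601 timestamps and plain values."""
    return {
        "now": datetime.fromisoformat(now),
        "last_activity": datetime.fromisoformat(last_activity),
        "src_ip": ipaddress.ip_address(src_ip),
        "function": function,
        "active_sessions": active_sessions,  # sessions already open for this account
    }


def evaluate(policy, request):
    """Return the list of violated conditions; an empty list means the request is allowed.
    Every condition is checked so the audit log shows the full picture, not just the first failure."""
    violations = []
    now = request["now"]
    if now > policy["valid_until"]:
        violations.append("account_expired")
    if now - request["last_activity"] > policy["idle_timeout"]:
        violations.append("idle_timeout")
    start, end = policy["hours"]
    if not start <= now.time() <= end:
        violations.append("outside_operating_hours")
    if not any(request["src_ip"] in net for net in policy["sources"]):
        violations.append("source_not_permitted")
    if request["function"] not in policy["functions"]:
        violations.append("function_not_permitted")
    if request["active_sessions"] >= policy["max_sessions"]:
        violations.append("too_many_sessions")  # a new session would exceed the cap
    return violations


if __name__ == "__main__":
    ok = make_request("2024-03-01T10:00:00", "2024-03-01T09:55:00",
                      "10.10.5.5", "query_orders", 1)
    bad = make_request("2024-03-01T20:00:00", "2024-03-01T18:00:00",
                       "203.0.113.9", "admin_reset", 2)
    print(evaluate(POLICY, ok))   # []
    print(evaluate(POLICY, bad))  # all five conditions other than expiry are violated
```

The deny decision is "any violation", and the caller should log the complete list: an attempt from an unknown source, outside trading hours, for a function the account does not have, is the kind of event the monitoring in measure XV should also see.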
- XVIII. Establishing a remote backup server room for the trading host:
This applies to first to third tier securities firms: the organization's trading host should have a remote backup data center. This measure strengthens the organization's resilience for continuous business operation, so that it can effectively implement contingency measures in the event of a core system interruption, limit damage to an acceptable range, and achieve uninterrupted operation. Recommended operating mode:
- Understand the requirements for the remote backup data center.
- Develop a strategy for the remote backup data center.
- Develop and implement the remote backup mechanism.
- Continuously improve the remote backup mechanism through drills and testing.
Achievements Promoted by the Taiwan Stock Exchange
In order to assist securities firms in implementing the regulations on tiered information security protection, the Company (the Taiwan Stock Exchange) continuously provides guidance through rewards and subsidies. The Company's achievements in the technical and management aspects are as follows:
- Technical aspect:
In order to optimize the cybersecurity environment of securities firms, and taking into account the scale and resource limitations of fourth-tier firms, the Company promotes the establishment of network security defense mechanisms by fourth-tier securities firms that provide online order placement services, to supplement the two protection measures of establishing an intrusion detection and prevention system (IDS/IPS) and a web application firewall (WAF). Since 2023 it has offered a five-year reward plan to securities firms that meet the establishment conditions and have completed and put into official operation the two measures mentioned above during this period. Three years have passed since the tiered information security protection measures for securities firms were announced at the end of 2020; securities firms have gradually completed the required measures and achieved considerable results. By building a network firewall, a web application firewall, and an intrusion detection and protection mechanism, securities firms establish an external line of defense; by introducing an email filtering mechanism and antivirus software, they block malicious programs and spam; and by establishing a cybersecurity threat detection and management mechanism that integrates event collection and analysis from hosts and network devices, they identify risks and build a defense-in-depth framework. Cybersecurity diagnosis and system penetration testing identify vulnerable internal nodes and allow the related weaknesses to be understood and patched, comprehensively enhancing protection capabilities.
- Management aspect:
Guide securities firms to introduce the ISMS framework into their core systems and strengthen information security governance through impartial third-party verification; in line with the "Implementation Strategy for the Sustainable Development and Transformation of the Securities and Futures Industry" and the "Financial Cyber Security Action Plan 2.0" issued by the competent authority, strengthen information security measures, add information security personnel positions at securities firms, and assist them in obtaining information security licenses. To this end, the Company plans and offers ISO 27001 lead auditor courses, rewards and subsidizes the information security personnel of fourth-tier securities firms in obtaining relevant licenses, and has subsidized the information security personnel of 27 securities firms in obtaining international professional information security licenses, with the goal of deepening information security governance. To enhance the resilience of market operations, the Company has sent personnel to conduct backup drills with securities firms that exercise "business continuity" and "fault recovery procedures" and give a practical understanding of the capacity and rationality of business continuity arrangements. It has also guided securities firms in establishing remote backup data centers to reduce the risk of service interruption and strengthen the operational resilience of the securities market.
Epilogue
Rome was not built in a day, and information security risk arises from the interaction between external threats and internal weaknesses. In recent years, securities firms have experienced system anomalies due to DDoS attacks, hacker intrusions, and credential-stuffing ("database collision") attacks, which have led to trading service interruptions or leaks of important data. Information security incidents can often be attributed to insufficient day-to-day protection and failure to implement information security regulations. Therefore, counseling securities firms to implement the regulatory requirements and improve their protection capabilities can effectively reduce the frequency of incidents. However, the improvement of protection capabilities cannot be achieved overnight; it requires a sound control system, excellent talent, and advanced tools that complement each other. In recent years, under the leadership of the regulatory authorities, the Taiwan Stock Exchange has continuously guided securities firms in strengthening their protection. Relevant regulations and internal control standards have been revised, and five information security guidelines have been completed in collaboration with peripheral units, covering the cybersecurity of emerging technologies, security protection standards for cybersecurity systems, network security protection, supply chain risk management, and information operation resilience. The information security regulations have been continuously improved and refined with reference to these guidelines. We all know that cybersecurity is an indispensable link, but building an environment free of information security worries requires taking one step at a time and completing every required task one by one. If we hesitate, we will regret tomorrow that we did not act today.
Information security strengthening is a path that can only move forward. New things and threats will constantly face us alongside the road, and only by continuously strengthening our own protective capabilities and keeping up with changes in the situation, can we stand firm and continue to move forward, and only by complying with regulatory authorities, can we create safe, convenient, and uninterrupted financial information services and a stable capital market.