Focus

Introduction to Establishing Information Security Inspection Mechanisms for Securities Firms

Elliot Liu
Senior Associate at TWSE

Preface

In today’s digital age, the development of information security at securities firms has become particularly important. As the proportion of electronic securities trading rises and customer data is digitized, securities firms face growing network threats and data leakage risks. Inadequate information security protection may lead to service interruptions and the leakage of important customer data, disrupting market stability and trust.

Currently, securities firms mainly rely on regulations such as “Establishing Information Security Inspection Mechanisms for Securities Firms” to strengthen their information security operations. This article introduces the key points of “Establishing Information Security Inspection Mechanisms for Securities Firms” and how peripheral units may assist securities firms in implementing such regulations to enhance the overall information security protection capabilities of the securities market, in the hope that the market will understand the important content of overall information security protection in the securities industry.

I. Establishing Information Security Inspection Mechanisms for Securities Firms

To strengthen the information security protection capabilities of securities firms, the Taiwan Stock Exchange (TWSE) referred to the ISO 27001 framework and internal control system standard specifications, and selectively revised the “Establishing Information Security Inspection Mechanisms for Securities Firms” accordingly. There are a total of 14 control areas, and the relevant key points of each control area are explained below.

  1. Risk Assessment and Management
    • As securities firms identify potential threats through risk assessment and develop corresponding risk management measures, all information assets and their owners within the scope of information security risks shall be identified, and the acceptable level of information security risks for each operation shall be determined. Furthermore, annual information security risk assessments shall be conducted to evaluate the suitability of the core system’s tolerable interruption time, recovery time objectives, and data recovery point objectives (RPOs).
  2. Information Security Policy
    • An information security policy shall be developed to prevent unauthorized access, use, control, leakage, damage, tampering, destruction, or other infringement of information systems or information, so as to ensure confidentiality, integrity, and availability. The information security policy needs to be approved by management before it is officially released and made known to both employees and public and private organizations that connect with the firm, in order to facilitate compliance and obtain maximum benefits.
    • Regarding the firm’s overall implementation of information security in the previous year, the chief information security officer or the highest supervisor responsible for information security, together with the chairman, president and head of audit, shall jointly issue an internal control system statement as stipulated in Article 24 of the “Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets.” The statement shall be submitted to the board of directors for approval within three months after the end of the fiscal year, and the content of the statement shall be disclosed on the declaration website designated by the competent authority.
    • Matters required for the tiered protection of information security shall be handled in accordance with the “Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection.”
  3. Security Organization
    • To achieve the goals of the information security policy, relevant resources need to be prepared to facilitate the promotion of information security operations, and in accordance with regulations, appropriate information security personnel shall be deployed who are responsible for planning, monitoring, and executing information security management operations. Information security personnel shall obtain and maintain the required professional information security licenses; the list of professional information security licenses published by the Ministry of Digital Affairs may be consulted for the licenses that qualify. Information security personnel and supervisors shall regularly participate in professional information security courses or functional training for at least 15 hours each year and pass evaluations, and other employees who use information systems shall take at least three hours of information security advocacy courses each year to improve their overall quality.
  4. Asset Classification and Control
    • An information asset inventory list shall be compiled to classify the firm’s information systems, and review the appropriateness of the classification at least annually to effectively utilize resources. The retention period shall be standardized for data and files of information assets, and data and files shall be deleted and destroyed after the retention period expires.
  5. Personnel Security
    • Employees shall be required to be responsible for maintaining confidentiality in accordance with relevant laws and regulations to ensure that important and sensitive data is not leaked. To deepen the overall awareness of organizational information security protection, regular employee training as well as information security advocacy workshops shall be conducted every year to enhance the quality of employees. It is also necessary to appoint computer auditors to strengthen internal control and internal audit operations, and implement regulatory requirements.
  6. Physical and Environmental Security
    • Access control and regular review of access control permissions shall be implemented for the computer room, and it shall be ensured that uninterruptable power supplies are included and generators can operate normally.
    • A scrapping operation procedure shall be in place for the scrapping of information equipment. Before scrapping, confidential and sensitive data and authorized software on the relevant equipment shall be removed, and secure erasure or physical destruction shall be carried out to ensure that the data stored on the scrapped computer hard drive and storage medium cannot be restored. In addition, a scrapping record shall be kept to prevent sensitive data from leaking.
  7. Communication and Operations Management
    • Regular evaluation and patching of security vulnerabilities in the network operating environment and operating system shall be carried out, and the use of End of Life (EOL) related devices shall be avoided. In addition, network segments (operating environment, testing environment, and other environments) shall be segregated based on their purposes, and personal and sensitive data shall be stored in secure network areas. Only necessary services and programs of the system shall be turned on, and unused service functions shall be turned off to avoid attacks.
    • A firewall shall be established for external contact, and dedicated personnel shall be available to control it. Changes to firewall settings shall be approved by the responsible supervisor, and firewall access control rules shall be reviewed regularly every year. The aforementioned rules shall be based on the principles of minimization and positive listing.
    • Encrypted connections shall be adopted for online ordering, multi-factor authentication shall be used, and abnormal login records shall be analyzed, in order to prevent external attacks.
    • A certificate delivery procedure shall be in place, and certificate downloads must undergo multi-factor verification to avoid unauthorized access to certificates. Customer transaction identities and user accounts shall be verified on the server side so that the relevant verification mechanisms cannot be deliberately bypassed.
    • Antivirus software shall be installed on workstations and servers, and engines and virus signatures shall be updated in a timely manner. For devices that fail to be updated as scheduled, control measures shall be taken. To avoid downloading malicious programs, an email filtering mechanism and internet access control measures shall be established, and the appropriateness of the filtering mechanism shall be reviewed. To prevent phishing and fraud, detection shall be carried out for phishing websites, malicious website links, and counterfeit apps. Social engineering drills shall be carried out regularly every year, and education shall be given to personnel who accidentally open emails or links, with the education results verified.
    • Defense mechanisms (such as information security threat detection and management mechanisms, intrusion detection and defense mechanisms, application firewalls, advanced persistent threat attack defense measures, and automated program login prevention) shall be established against network attacks, and penetration testing and information security diagnosis shall be regularly conducted to detect security vulnerabilities early and make improvements and corrections accordingly.
    • Account logins and IP anomalies shall be recorded and analyzed, and customers shall be immediately notified and warnings issued if specific criteria are met, in order to reduce the risk of intrusion or credential stuffing.
    • The use of the highest authority account shall be controlled by the highest authority management method; the consent of the responsible supervisor must be obtained before use, and relevant records shall be kept.
    • Regular stress testing of computer system capacity shall be carried out every year, with the scope covering all operations in the front, middle, and back ends, and relevant records shall be kept.
  8. Access Control
    • An account management mechanism shall be established for the information system. Relevant authorizations shall be controlled based on the principle of minimum permission, personnel and program permissions shall be controlled, and the appropriateness of information system accounts and permissions shall be regularly reviewed.
    • High-quality passwords shall be used for system accounts, and default accounts and simple passwords shall be avoided. For systems which provide services through the Internet, a multi-factor authentication mechanism shall be established to prevent unauthorized logins.
    • Personal data of customers and internal personnel shall be handled properly according to the Personal Data Protection Act, and the audit trail of personal data usage (such as the login account, system function, time, system name, and query instruction or results) or the identification mechanism shall be retained to facilitate the tracking of the use of personal data in case of personal data leakage.
    • For electronic and non-electronic transactions, if transaction reports are transmitted by email, sensitive information such as names, account numbers, and bank account numbers shall be handled in accordance with the “Principles of the Classification and Concealment of Confidential and Sensitive Information.”
  9. System Development and Maintenance
    • The planning and development lifecycles of information systems shall be controlled to ensure quality.
    • Contracts shall be established for outsourced vendors to facilitate control, and the management of service provider concentration and service quality shall be implemented. After the outsourcing relationship ends, it shall be ensured that the information is destroyed or transferred to the vendors who undertake the information service, and relevant vendors shall be required to continue complying with confidentiality commitments.
    • It shall be ensured that the source codes of information systems are secure, and mobile applications shall be regularly tested and verified by impartial third-party laboratories. For the core system that provides internet ordering services, source code scanning and security testing shall be performed in case of changes, and it shall be ensured that system vulnerabilities have been patched.
  10. Business Continuity Management
    • Fault recovery procedures shall be clearly formulated, periodic testing shall be conducted, and any testing deficiencies shall be immediately reviewed and improved.
    • A business continuity plan shall be formulated, which shall include activation conditions, participating personnel, emergency procedures, backup procedures, maintenance schedule, training, job descriptions, contingency plans for external units, contract suitability, and periodic testing of fault recovery procedures. Backup measures shall be established for trading hosts.
    • An information security reporting mechanism shall be established for the reporting of information security incidents, which shall be handled in accordance with the “Guidelines on Contingency Operations for Securities and Futures Market Related Information Security Incidents” and the “Scope and Reporting Procedures and Other Matters to Be Followed by Securities Firms for Reporting Material Information Security Incidents.” If there is an incident of personal data theft, tampering, damage, loss, or leakage, it shall be immediately reported to the TWSE (or the TPEx or the Securities Association) and forwarded to the competent authority.
    • To enhance operational resilience, Distributed Denial of Service (DDoS) defense and response procedures shall be established to ensure that the impact is reduced in the event of an attack. If the original service of the core system is interrupted, it shall be replaced with backup equipment or other means within a tolerable time to ensure continuous operation.
    • As the proportion of outsourced operations is increasing day by day, if information outsourcing operations involve core information systems and services, information service providers shall regularly provide business recovery plans for information systems and services. The business recovery plans may be presented in the form of disaster recovery plans, backup drills, and business continuity plans.
  11. Compliance
    • Information security audits (internally or through external professional organizations) shall be regularly (at least once a year) conducted to ensure the implementation of relevant regulations, and issues in the previous information security audit reports shall be tracked and improved.
  12. Emerging Technology Management
    • If cloud services are used, the risks of using related services shall be evaluated, and inspection measures, backup mechanisms, service levels, recovery time, and service termination measures for such services shall be taken into consideration. For a cloud service provider, relevant security measures shall be established, such as permission control, legal compliance, attribution of rights and responsibilities, and information security protection mechanisms.
    • If social media is used, the name of the securities firm, contact information, permit number, customer complaint contact information, and processing window shall be indicated on such social media so that the securities firm’s official social media accounts can be distinguished from others and confusion among investors avoided. The content posted on the social media shall be controlled, and inappropriate comments and abnormal events shall be reported or handled.
    • If mobile devices are used, their use for official as well as personal purposes shall be controlled. For official mobile devices, the built-in apps shall be cleared, while for personal mobile devices, employees’ access to internal information devices through their own devices and storage of data on the Internet shall be restricted.
    • As the use of IoT is increasing day by day, to strengthen the information security protection of IoT devices, an IoT device management inventory list shall be established and regularly updated. IoT devices shall have a security update mechanism and shall be updated regularly. If there are known vulnerabilities that cannot be patched, compensatory control mechanisms shall be established, such as placing the devices in specific closed network segments and closing unnecessary network connections and services to avoid exposing them to the public Internet. When purchasing IoT devices, it is advisable to prioritize those that have obtained the information security seal, and information security training shall be regularly conducted for personnel who use or manage IoT devices to enhance overall information security awareness.
    • When telecommuting, online devices shall be controlled to prevent malicious or unauthorized connections, and multi-factor authentication of user identity shall be adopted. The principle of minimum permission shall be adopted in setting remote account access rules, and telecommuters’ records of system login, computer device operations, and transactions shall be kept.
    • Given the frequent occurrence of Deepfake in recent years, when images or videos are used for identity verification, verification shall be strengthened together with other verification factors to confirm the customer’s identity. Regular information security training covering Deepfake awareness and prevention issues shall be conducted to enhance relevant information security awareness.
  13. Other
    • Important laws, regulations, and notices shall be immediately communicated to the public. The information provided on the website for external viewing shall be regularly inspected, and any confidential or sensitive content shall be removed immediately.
  14. Host Co-location Service Management
    • The hardware, software, and online use of host co-location services shall be managed and controlled, and relevant equipment shall be checked regularly to comply with regulatory requirements.
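The bullet under item 7 above requires that account logins and IP anomalies be recorded and analyzed, with customers notified when specific criteria are met, and item 8 requires multi-factor authentication on Internet-facing systems. The regulation leaves the criteria to each firm. The following Python script is an added example, not code from the TWSE or from the regulation, showing what such analysis can look like in practice. The log line format, the `country` field, the account names, the TEST-NET IP addresses and the thresholds (5 failures across at least 3 accounts within 10 minutes; a successful login from a country the account has never used) are all constructed assumptions for illustration.

```python
"""Login/IP anomaly analysis over constructed sample login records.

Added example (not the regulation's or TWSE's code). The log format, field
names, thresholds and sample values are assumptions made for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (fictitious accounts, RFC 5737 TEST-NET addresses).
# 198.51.100.7 fails against five different accounts in ten seconds, then
# succeeds on a sixth; A1002 later logs in from an unfamiliar country.
SAMPLE_LOG = """\
2024-03-01T09:00:01 account=A1001 ip=203.0.113.10 country=TW result=success
2024-03-01T09:00:05 account=A1002 ip=203.0.113.11 country=TW result=success
2024-03-01T09:01:00 account=A1001 ip=198.51.100.7 country=TW result=fail
2024-03-01T09:01:02 account=A1002 ip=198.51.100.7 country=TW result=fail
2024-03-01T09:01:04 account=A1003 ip=198.51.100.7 country=TW result=fail
2024-03-01T09:01:06 account=A1004 ip=198.51.100.7 country=TW result=fail
2024-03-01T09:01:08 account=A1005 ip=198.51.100.7 country=TW result=fail
2024-03-01T09:01:10 account=A1006 ip=198.51.100.7 country=TW result=success
2024-03-01T10:30:00 account=A1002 ip=192.0.2.44 country=XX result=success
"""

# Assumed line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; reject lines that do not match."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def analyze(records, window=timedelta(minutes=10), fail_threshold=5, min_accounts=3):
    """Return alerts for three assumed criteria (thresholds are illustrative):

    credential_stuffing     one source IP accumulates >= fail_threshold failed
                            logins against >= min_accounts distinct accounts
                            inside `window` (flagged once per IP)
    success_from_flagged_ip a login succeeds from an IP already flagged above
    new_location            a successful login from a country the account has
                            not successfully used before -> notify the customer
    """
    alerts = []
    fails_by_ip = defaultdict(deque)      # ip -> deque of (ts, account) in window
    flagged_ips = set()
    seen_countries = defaultdict(set)     # account -> countries of past successes

    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["result"] == "fail":
            q = fails_by_ip[r["ip"]]
            q.append((r["ts"], r["account"]))
            while q and r["ts"] - q[0][0] > window:   # drop failures outside window
                q.popleft()
            accounts = {acct for _, acct in q}
            if (len(q) >= fail_threshold and len(accounts) >= min_accounts
                    and r["ip"] not in flagged_ips):
                flagged_ips.add(r["ip"])
                alerts.append({"type": "credential_stuffing", "ip": r["ip"],
                               "failures": len(q), "accounts": sorted(accounts),
                               "at": r["ts"]})
        elif r["result"] == "success":
            if r["ip"] in flagged_ips:
                alerts.append({"type": "success_from_flagged_ip", "ip": r["ip"],
                               "account": r["account"], "at": r["ts"]})
            known = seen_countries[r["account"]]
            if known and r["country"] not in known:
                alerts.append({"type": "new_location", "account": r["account"],
                               "ip": r["ip"], "country": r["country"],
                               "at": r["ts"], "action": "notify_customer"})
            known.add(r["country"])
    return alerts


def run_example():
    """Analyze the constructed sample and return the alerts."""
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed sample this yields three alerts in order: a `credential_stuffing` alert for 198.51.100.7 at the fifth failure, a `success_from_flagged_ip` alert when that IP then succeeds on A1006, and a `new_location` alert for A1002's login from country XX, which is the case where the regulation's customer notification would be triggered. In a real deployment the thresholds, the geolocation source and the notification channel are the firm's own design decisions.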

II. Promotion Achievements of the TWSE

To promote the implementation of relevant regulations such as “Establishing Information Security Inspection Mechanisms for Securities Firms,” the TWSE assesses securities firms’ implementation of the aforementioned regulations through annual security routine audits, case sample audits, and project audits. After the audits are completed, the TWSE summarizes and classifies the deficiencies found in order to analyze deficiency patterns and understand the information security status of individual securities firms and of the overall securities market, and then provides root cause analysis to assist securities firms in improving such deficiencies. To enable securities firms to learn from others’ experiences, regular information security advocacy lectures and other important conferences are held to share common deficiencies and special case contents, in order to strengthen the effectiveness of market information security prevention. Analysis of security deficiency patterns in recent years shows that the frequency of previously common deficiencies has been decreasing year by year, and the market impact of some information security incidents has been contained thanks to the strengthening of securities firms’ operational capabilities. All the relevant results show that securities firms’ information security protection capabilities have improved.

III. Epilogue

In today’s era of rapid change in digitization and technology, information security has become an indispensable part of all industries. With the continuous growth in the proportion of electronic orders, securities firms face increasing threats to information security, which not only affect the asset security of investors but may also undermine the stability of the entire securities market. Only by implementing information security protection measures to prevent the leakage of important data and external attacks can the securities market be kept stable. The TWSE has also revised relevant regulations in response to the current situation, refined the regulatory content, and assessed the implementation of relevant regulations by securities firms, in order to provide guidance to securities firms in improving their protection deficiencies and jointly maintain the trust and stability of the overall capital market.
