I. Relevant International Information Security Regulations
(I) USA:
1. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
(1) Disclosing the significant impacts of cybersecurity incidents:
a. Submit a major incident report within four working days after determining that a cybersecurity incident is a major incident.
b. The significant aspects of the nature, scope, and time of the incident, as well as the significant impact or reasonably possible significant impact on the company must be described in the major incident report.
c. The company shall establish and review existing disclosure controls and procedures related to network security risks or incident disclosures.
(2) Disclosing the risk management and strategy of cybersecurity:
a. Provide a detailed description of the process for evaluating, identifying, and managing significant cybersecurity risks and threats for investors to understand.
b. Describe whether the risks posed by cybersecurity threats (including those caused by any previous cybersecurity incidents) have had a significant impact or are reasonably likely to have a significant impact.
(3) Disclose the management’s and the board’s oversight: Describe the board’s oversight of cybersecurity threats and risks, and the role of the management in evaluating and managing the significant risks of cybersecurity threats.
2. The Cyber Incident Reporting for Critical Infrastructure Act of 2022
(1) Applicable objects: 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, and water and wastewater systems.
(2) Content: Requires critical infrastructure entities to report major cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA).
a. Major cyber incidents:
(a) Definition of major cyber incident: Any incident that results in a significant loss of confidentiality, integrity, or availability of an information system or network, or has a serious impact on the security and resilience of operational systems and processes.
(b) Report time: Within 72 hours after confirming the occurrence of the cyber incident.
b. Payment of ransom:
(a) Report time: Within 24 hours (see the comparison table in item 4 below).
3. NYDFS (New York Department of Financial Services) Cybersecurity Regulation (23 NYCRR (New York Codes, Rules and Regulations) 500).
(1) Applicable objects: All entities authorized, licensed, registered, or regulated by NYDFS, including banks, insurance companies, and other financial service companies.
(2) Contents:
a. Establish a cybersecurity plan։ Each regulated entity must establish and maintain a risk-based cybersecurity plan that covers the following contents.
(a) Ensure confidentiality, integrity, and availability.
(b) Identify and respond to cybersecurity incidents.
(c) Comply with regulations and relevant business requirements.
b. Designate a Chief Information Security Officer (CISO):
(a) The entity must appoint a CISO responsible for cybersecurity.
(b) The CISO must submit a report to the board of directors at least annually, detailing cybersecurity risks and improvement plans.
c. Training and awareness: The entity needs to implement continuous cybersecurity training to help employees understand relevant risks and compliance responsibilities.
d. Regular risk assessment: A risk assessment must be conducted at least once a year to ensure that the cybersecurity plan is adapted to constantly changing threats.
e. Access control and multi-factor authentication (MFA)
(a) Implement role-based access control.
(b) Introduce multi-factor authentication to protect sensitive data and systems.
f. Data encryption: Sensitive data must be encrypted both at rest and in transit.
g. Incident reporting: Any cybersecurity incident that may have a significant impact on operations, data, or customers must be reported to NYDFS within 72 hours.
4. Comparison of regulations: The “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules, the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” and the “NYDFS Cybersecurity Regulation” are compared in the following table.
| Regulation | Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure | Cyber Incident Reporting for Critical Infrastructure Act of 2022 | NYDFS Cybersecurity Regulation |
|---|---|---|---|
| Releasing institution | Securities and Exchange Commission | Federal government | New York State Department of Financial Services |
| Applicable objects | SEC-listed companies subject to the reporting requirements of the Securities Exchange Act of 1934 | Critical infrastructure | Entities authorized, licensed, registered, or regulated by the New York State Department of Financial Services, including banks, insurance companies, and other financial service companies |
| Report content | (1) Cybersecurity incidents. (2) Cybersecurity risk management and strategy. (3) Oversight by the management and the board of directors. | (1) Major cyber incidents. (2) Ransom payments. | (1) Cybersecurity incidents. |
| Reporting deadline | Report to the SEC within 4 working days. | (1) Major cyber incidents: report to the Cybersecurity and Infrastructure Security Agency within 72 hours. (2) Ransom payments: report to the Cybersecurity and Infrastructure Security Agency within 24 hours. | Report to the New York State Department of Financial Services within 72 hours. |
(II) European Union:
1. EU Cybersecurity Act
The act aims to strengthen Europe’s cybersecurity capabilities, establish a unified cybersecurity framework, and promote trust and transparency. It mainly includes the following two core parts:
(1) Strengthening of European cybersecurity institutions: The European Union Agency for Cybersecurity (ENISA) is granted greater powers and permanent authorization in this act to assist member countries and EU institutions in responding to cybersecurity threats.
The key functions of ENISA are:
a. Technical support: Assist member countries in developing their cybersecurity capabilities and responding to cross-border threats and incidents.
b. Threat management: Establish a threat intelligence exchange platform to promote cross-border cooperation.
c. Standard setting: Assist in developing technical and management standards, and promote the implementation of cybersecurity regulations.
d. Raise awareness: Organize promotional activities to promote awareness of the importance of cybersecurity.
e. Emergency response: Coordinate cybersecurity drills and support the response to major cybersecurity incidents.
(2) EU Cybersecurity certification framework: Create a unified EU cybersecurity certification framework, and establish security standards for Information and Communication Technology (ICT) products, services, and processes to promote trust and transparency in the digital market.
Key points of certification framework:
a. Voluntary to mandatory: Certification is voluntary in most cases, but may become mandatory in specific critical areas (such as IoT devices or critical infrastructure).
b. Certification levels: The certification is divided into three security assurance levels:
(a) Basic level: Suitable for low-risk environments to prevent basic threats.
(b) Substantive level: A higher degree of protection is provided for medium risk scenarios.
(c) Advanced level: Suitable for high-risk scenarios, such as critical infrastructure.
c. Unified standards: The certification standards are effective within the European Union to reduce inconsistencies in cross-border transactions.
2. EU’s NIS (Network and Information Systems) 2 Directive
It is an information security regulatory measure that builds on the original NIS Directive released in 2016.
(1) Supervised entities: Medium and large enterprises that have a significant impact on the economy or society.
(2) Targets of notification: Computer Security Incident Response Team (CSIRT) or the competent authority.
(3) Incident response: Initial notification shall be made within 24 hours for major incidents; an incident report shall be provided within 72 hours, and a final report shall be provided within one month.
(III) Singapore:
1. Cybersecurity Act
It is intended to protect Singapore’s critical information infrastructure (CII), enhance the country’s cybersecurity protection capabilities, and improve its overall resilience to cyber threats. The Cyber Security Agency of Singapore (CSA) is responsible for the implementation of the act.
The following are the main contents and key points of the Act:
(1) Goals:
a. Protecting critical information infrastructure (CII): Ensuring the security and stability of Singapore’s core operational systems.
b. Standardizing professional activities in cybersecurity: Setting standards and requirements for cybersecurity services.
c. Responding to and coordinating cybersecurity incidents: Establishing a clear command and management structure.
d. Strengthening threat intelligence sharing: Promoting cooperation between the public and private sectors.
(2) Reporting of cybersecurity incidents and response:
a. Mandatory reporting: Applies not only to CII but to all significant cybersecurity incidents.
b. Quick response: When a major incident occurs, CSA is authorized to conduct investigations and can request assistance from relevant parties in responding.
c. Enforcement powers: CSA can issue orders to request data, inspect equipment or systems, and even temporarily take over attacked systems.
(3) The impact on businesses and individuals:
a. Requirements for enterprises:
(a) Strengthening the cybersecurity infrastructure of the system, especially for the company’s critical departments.
(b) Establishing an internal cybersecurity policy to ensure that employees receive training.
(c) Actively cooperating with CSA to share threat intelligence.
b. Impact on individuals:
(a) Cybersecurity professionals need to obtain relevant qualifications and certifications.
(b) Individuals also need to adhere to a higher level of digital security awareness, and reduce the possibility of personal devices becoming entry points for attacks.
2. Technology Risk Management Guidelines (TRMG)
The Monetary Authority of Singapore (MAS) issued TRMG to regulate the information security systems of financial institutions in Singapore. This guideline aims to promote the adoption of reasonable and reliable practices for managing technological risks.
(1) Goals:
a. Strengthening technical risk management capabilities: Reducing the impact of technical failures, data leaks, or cyber attacks on financial businesses.
b. Protecting customer data: Ensuring effective management of data privacy and security by financial institutions.
c. Promoting business continuity: Enhancing resilience to major cyber threats or technical incidents.
d. Ensuring compliance: Providing clear guidance for financial institutions to comply with MAS regulations.
(2) Scope of TRMG application: These Guidelines apply to all financial institutions authorized by MAS, including but not limited to banks, insurance companies, asset management companies, fintech companies, and payment service providers.
(3) Importance of TRMG:
a. Reducing risk exposure: Faced with the rapid advancement of digital transformation, TRMG helps institutions reduce technology-related risks.
b. Enhancing trust: Customer and investor confidence in the financial system can increase through compliance with regulations.
c. Promoting innovation and security: Providing necessary security frameworks in the development of financial technologies such as digital payments and data analytics.
3. Notice 655
Notice 655 on Cyber Hygiene is a mandatory regulation issued by the Monetary Authority of Singapore (MAS) aimed at strengthening the cybersecurity infrastructure of Singapore’s financial institutions. The Notice requires financial institutions to implement minimum cybersecurity measures to reduce the risk of cybersecurity threats.
(1) Scope of Notice 655 application: Applicable to all financial institutions regulated by MAS, including but not limited to banks, fintech companies, payment service providers, asset management agencies, and insurance companies, which must comply with the Notice to protect their IT systems from cyber attacks.
(2) Importance of Notice 655:
a. Reducing cyber risks: Helping financial institutions prevent common cyber threats by implementing basic cyber hygiene measures.
b. Enhancing overall resilience: Mandatory regulations ensure that financial institutions can maintain business stability during digital transformation.
c. Ensuring user security: Protecting sensitive data and transaction records of financial institution customers from attacks.
II. Comparison of Information Security Regulations in Taiwan’s Securities and Banking Industries
(I) Comparison of regulations – The regulations based on the self-regulatory rules issued by banks and securities industry associations are summarized in the following table.
| Category | Securities industry | Banking industry |
|---|---|---|
| Self-regulatory rules – Information security protection standards | Self-Regulatory Rules for Information System Security Protection Establishing Information Security Inspection Mechanisms for Securities Firms | Financial Institution Information Security Protection Standards |
| Emerging technologies | Self-Regulatory Rules for Emerging Technology Information Security Establishing Information Security Inspection Mechanisms for Securities Firms | Operation Rules for Financial Institutions’ Application of Emerging Technologies; Operation Rules for Financial Institutions’ Provision of Mobile Device Apps |
| Supply chain risk management | Self-Regulatory Rules for Supply Chain Risk Management Establishing Information Security Inspection Mechanisms for Securities Firms | Risk Management Rules for Financial Institutions’ Information System and Service Supply Chain |
| Information operations resilience | Self-Regulatory Rules for Information Operations Resilience Establishing Information Security Inspection Mechanisms for Securities Firms | Rules for Financial Institutions’ Information Operations Resilience |
| Notification of major information security incidents | Guidelines on the Response Operations for Information Security Incident Notification in Securities and Futures Markets Establishing Information Security Inspection Mechanisms for Securities Firms | Declaration Procedures for Financial Institutions to Report the Scope of Major Unexpected Incidents and Other Matters to Be Followed |
| Computer security assessment | Self-Regulatory Rules for Information System Security Protection Establishing Information Security Inspection Mechanisms for Securities Firms | Measures for Financial Institutions to Conduct Computer System Information Security Assessment |
(II) Comparison of regulations – Self-Regulatory Rules – Information security protection standards: The comparison of the 13 major categories is shown in the table below.
| # | Category | Item | Comparison explanation | Supplementary explanation |
|---|---|---|---|---|
| I. | Frequency of information security policy review | | The regulations on securities firms are more rigorous. | Securities firms must incorporate information security management systems into their core systems, according to their information security level. Furthermore, they must undergo verification by an impartial third party and consistently maintain the verification’s validity. |
| II. | Requirements for inventory of information assets | | Consistent with banking industry standards. | |
| III. | Personnel management and access control requirements | 1. Access permissions and account management | Consistent with banking industry standards. | |
| | | 2. Account permission management | Consistent with banking industry standards. | |
| | | 3. Identity confirmation | The regulations on the banking industry are more rigorous. | The identity and access permissions of personnel should be confirmed, and if necessary the machine or network address (IP) they use may be restricted. |
| | | 4. Personal computer settings | The regulations on the banking industry are more rigorous. | When a personal computer is not operated for more than 15 minutes, a password-protected screen saver shall be activated or the user shall be logged out of the system. |
| | | 5. Personal account management | Consistent with banking industry standards. | |
| | | 6. Security configuration settings | Consistent with banking industry standards. | |
| | | 7. Encryption rules | Consistent with banking industry standards. | |
| | | 8. Highest-authority account management | The regulations on the banking industry are more rigorous. | For core information systems, the usage records of the account should be reviewed daily whenever the account is used. |
| | | 9. Dual-factor verification | The regulations on the banking industry are more rigorous. | For servers and AD (domain service) hosts that provide internet-facing services, dual-factor verification should be adopted for the highest-authority account and for accounts with special function permissions. |
| | | 10. Principle of minimum permission | Consistent with banking industry standards. | |
| IV. | Personal data protection requirements | | Consistent with banking industry standards. | |
| V. | Sensitive data privacy and key management | | Consistent with banking industry standards. | |
| VI. | Operational management requirements | 1. Source code management | The regulations on the banking industry are more rigorous. | Avoid deploying program source code in the operating environment unless the system needs the source code present in order to run, such as Python scripts and SQL commands. |
| | | 2. Continuous holiday information security protection | The regulations on the banking industry are more rigorous. | Because the securities market, unlike the banking industry, is not open on consecutive holidays, there is no need to ensure continuous operation of the related systems during such periods; it is therefore recommended that no adjustment be made. |
| VII. | Capacity management requirements | | The regulations on the banking industry are more rigorous. | |
| VIII. | Vulnerability management requirements | 1. Internet access control measures | Consistent with banking industry standards. | |
| | | 2. Control of computer viruses and malicious software | Consistent with banking industry standards. | |
| | | 3. Vulnerability scanning | Consistent with banking industry standards. | |
| | | 4. EOS/EOL | Consistent with banking industry standards. | |
| | | 5. Malicious website detection | Consistent with banking industry standards. | |
| | | 6. Intrusion detection | Consistent with banking industry standards. | |
| | | 7. Social engineering | Consistent with banking industry standards. | |
| | | 8. DDoS | The regulations on the banking industry are more rigorous. | The securities industry regulations do not require an annual drill. |
| | | 9. Firewall | Consistent with banking industry standards. | |
| | | 10. Web page and program anomaly detection | Consistent with banking industry standards. | |
| | | 11. Source code scanning | Consistent with banking industry standards. | |
| IX. | Testing environment requirements | | The regulations on the banking industry are more rigorous. | |
| X. | Office management requirements | 1. Public computer management | The regulations on the banking industry are more rigorous. | |
| | | 2. Video conferencing | The regulations on the banking industry are more rigorous. | |
| | | 3. Telecommuting | Consistent with banking industry standards. | |
| | | 4. Virtual desktop management | The regulations on the banking industry are more rigorous. | |
| XI. | Network management requirements | 1. DMZ zone management | Consistent with banking industry standards. | |
| | | 2. Network services | Consistent with banking industry standards. | |
| | | 3. Firewall access control | The regulations on the banking industry are more rigorous. | The securities industry regulations do not require regular review of high-risk settings, evaluation of firewall rules that have seen no traffic within six months to assess their necessity and risk, or the adjustment or disabling of firewall rules for systems taken offline within six months. |
| XII. | System lifecycle requirements | | The regulations on the banking industry are more rigorous. | |
| XIII. | Requirements for information security incidents | | Consistent with banking industry standards. | There is no requirement for centralized management of abnormal log analysis in the securities industry. |
(III) Comparison of regulations – Emerging technologies: The 5 major categories are compared in the table below.
| # | Category | Item | Comparison explanation | Supplementary explanation |
|---|---|---|---|---|
| I. | Cloud services | 1. Frequency of information security policy review | The regulations on securities firms are more rigorous. | |
| | | 2. Independent third-party verification | The regulations on securities firms are more rigorous. | |
| | | 3. Encryption transmission rules | The regulations on securities firms are more rigorous. | |
| | | 4. Data access | The regulations on securities firms are more rigorous. | |
| | | 5. Storage location management | The regulations on securities firms are more rigorous. | |
| | | 6. IaaS or PaaS cloud service mode management | The regulations on securities firms are more rigorous. | |
| | | 7. Establishing an information security notification procedure | The regulations on securities firms are more rigorous. | The “Guidelines on the Response Operations for Information Security Incident Notification in Securities and Futures Markets” already has requirements for reporting information security incidents. |
| II. | Social media | 1. Frequency of information security policy review | The regulations on the banking industry are more rigorous. | |
| | | 2. Content monitoring and control | Consistent with banking industry standards. | |
| | | 3. Emergency response procedures | Consistent with banking industry standards. | |
| | | 4. Abnormal event notification | The regulations on securities firms are more rigorous. | |
| III. | Mobile devices | 1. Management measures | The regulations on securities firms are more rigorous. | The banking regulations require an annual review of the self-carried device management policy. |
| | | 2. Register management | The regulations on the banking industry are more rigorous. | |
| | | 3. Identity and device recognition mechanism | The regulations on the banking industry are more rigorous. | |
| | | 4. Networking environment standards | The regulations on the banking industry are more rigorous. | |
| | | 5. Data protection for self-carried devices | The regulations on the banking industry are more rigorous. | |
| IV. | Mobile applications | 1. Application publishing location | Consistent with banking industry standards. | |
| | | 2. Application release procedure | The regulations on the banking industry are more rigorous. | |
| | | 3. Version control | Consistent with banking industry standards. | |
| | | 4. Counterfeit monitoring mechanism | Consistent with banking industry standards. | |
| | | 5. Sensitive data protection | The regulations on securities firms are more rigorous. | |
| | | 6. Mobile application inspection | Consistent with banking industry standards. | |
| | | 7. Key management | The regulations on the banking industry are more rigorous. | |
| | | 8. Over-the-Air Technology (OTA) management | The regulations on the banking industry are more rigorous. | |
| | | 9. Management of storage media of secure elements (SEs) | The regulations on the banking industry are more rigorous. | |
| | | 10. Near field communication (NFC) management | The regulations on the banking industry are more rigorous. | |
| V. | IoT devices | 1. Equipment inventory | The regulations on the banking industry are more rigorous. | |
| | | 2. Permission control | The regulations on the banking industry are more rigorous. | |
| | | 3. Connection control | The regulations on the banking industry are more rigorous. | |
| | | 4. Supplier management | Consistent with banking industry standards. | |
| | | 5. Training | The regulations on the banking industry are more rigorous. | |
| | | 6. Phishing | The regulations on securities firms are more rigorous. | |
| | | 7. Electronic transactions | The regulations on securities firms are more rigorous. | |
| | | 8. Deepfake | Consistent with banking industry standards. | |
(IV) Comparison of regulations – Notification of major information security incidents: The reporting requirements and deadlines for the two industries are compared in the table below.
| Item | Securities industry | Banking industry |
|---|---|---|
| Regulatory requirements for reporting information security incidents | Guidelines on the Response Operations for Information Security Incident Notification in Securities and Futures Markets | Declaration Procedures for Financial Institutions to Report the Scope of Major Unexpected Incidents and Other Matters to Be Followed |
| Notification deadline | Securities and futures firms shall, within 30 minutes of becoming aware of any information service abnormality or information security incident that affects customer rights or normal operations, submit a preliminary notification to the reporting system. If the notification is later identified as an erroneous notification, the reason for cancellation must be entered before the notification can be canceled. | Financial institutions shall first notify the Banking Bureau by phone within 30 minutes after confirmation, and then promptly complete the notification through the internet declaration system. |
III. Conclusion
Comparing the self-regulatory rules of the securities and banking industries on information security protection standards and emerging technologies, the banking industry rules are more rigorous in some categories, while the securities industry rules are more rigorous in others. Where the securities industry rules are less complete, part of the reason lies in differing requirements arising from the different characteristics of the two industries. For the securities industry rules that can be further strengthened, the TWSE will make regular updates and adjustments based on the latest domestic and international financial industry rules. On the reporting of major information security incidents, both banks and securities firms are required to report any incident within 30 minutes, so that the relevant units can obtain the information and take corresponding measures in a timely manner; the real-time reporting mechanism is the key to preventing the situation from worsening. These rules also provide clear reporting processes and detailed requirements, which help avoid confusion and erroneous reports. Through standardized procedures, banks and securities firms can report in an orderly manner and ensure the accuracy and consistency of the information. This not only helps the regulatory authorities make correct decisions, but also enhances market participants’ confidence in the financial system.