Focus

Insight into the Defense Capabilities of the Securities Industry for the Strengthening of Market Resilience

Tim Chen
Senior Associate at TWSE

I. Preface

In recent years, the global financial industry has faced an increasingly serious threat to information security, especially in the process of digital transformation acceleration due to the COVID-19 pandemic. Taiwan is situated in a complex geopolitical environment, and with the rapid development of its digital economy, information security issues have become a highly concerned focus of various sectors. The Financial Supervisory Commission has repeatedly emphasized the importance of financial institutions’ information security, and actively promoted relevant regulations to ensure the stability and security of the financial system.

With the advancement of digitalization, the information security challenge to Taiwan’s financial industry has become increasingly significant. The pandemic gave rise to the non-face-to-face business model, leading to fundamental changes in the operations of financial institutions. Working from home and remote collaboration have become the norm, and information security protection strategies must also be adjusted accordingly. In the past two years, the global financial information security environment has undergone multiple significant changes, such as frequent incidents of the hacking of the SWIFT cross-border wire transfer system, ATM thefts, and DDoS attacks on financial institutions. These indicate that financial institutions remain the primary targets of attackers.

The challenges Taiwan faces in terms of information security protection should not be underestimated, either. According to reports, Taiwan experiences an average of 30 million cyber attacks per month, highlighting the urgency of network protection and management. Especially after the outbreak of the pandemic, the widespread application of emerging technologies such as remote work, cloud services, and the Internet of Things has further expanded the scope of network risk exposure, making Taiwan’s information security issue a focus of concern for both enterprises and the public.

In this situation, the information security issue of the securities industry becomes particularly critical. With the rapid development of digital finance and online trading, information security in the securities industry has become the cornerstone of market stability and investor trust. The frequent occurrence of information security incidents has intensified the market’s demand for sound cyber security protection, and the securities industry urgently needs to strengthen its defense capabilities to ensure the security of customer data and transactions, as well as business stability.

In order to comprehensively understand the current information security situation of Taiwan’s securities industry and disclose potential risks, we have commissioned PwC Intelligence Risk Management Consulting Co., Ltd. to conduct a comprehensive information security examination and evaluation. This evaluation covers the aspects of organizational management, operational processes, and technical protection of securities firms, and through methods such as questionnaire survey and assessment of information security risk exposure, the information security protection capabilities of each securities firm are analyzed in detail from multiple perspectives. The evaluation results can reveal the strengths and weaknesses of the securities industry in terms of information security protection, and provide specific recommendations to assist the securities industry in enhancing its defense capabilities and strengthening market resilience, in order to ultimately ensure the safety of investors’ assets and enhance the overall market’s defense capabilities.

II. Project Execution Method

This information security general examination provides a comprehensive understanding of the current information security situation of securities firms from multiple perspectives, covering not only organizational management, but also detailed analysis at the technical level. Through a questionnaire survey and the assessment platform for information security risk exposure, the levels of information security management and protection are evaluated respectively, in order to grasp the information security control capabilities of securities firms. The specific execution method can be divided into the following two parts:

(I) Questionnaire Evaluation

This part focuses on organizational information security management, process-oriented execution methods, and control measures. Through self-assessment questionnaires filled out by securities firms, a comprehensive understanding is obtained through filtering and summarization. The questionnaire design is based on international standards for industrial information security, recently updated laws and regulations of Taiwan’s securities industry, and relevant regulations of overseas securities and futures industries, such as: ISO 27001, NIST CSF, the Self-Regulatory Standards for Cyber Security System Protection, the Self-Regulatory Standards for Network Security Protection, the Financial Cyber Security Action Plan 2.0, and the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. The questionnaire contains seven major dimensions, covering the following areas:

1. Information security organization and manpower allocation: Understand the effectiveness of the organization’s current manpower allocation, resource planning, and information security system operation, including social engineering drills, ISO 27001 Information security management system standards, information personnel training, establishment of an information security related organization with regular meetings, as well as cyber security training for new employees.

2. Business continuity management: Understand the effectiveness of the organization’s business continuity mechanism, including the notification mechanism and recovery strategy, development of the business continuity plan, testing of fault recovery procedures, a backup center for core information systems, and the ISO 22301 Business Continuity Management System.

3. Personal data protection: Understand the current status of personal data protection in the organization, including compliance with laws and regulations, standardized processes and archive protection mechanism, processes for collecting, processing, and utilizing personal data, measures to respond to personal data breaches, USB access control, external transmission filtering mechanism and control measures, as well as control and deletion procedures for expired personal data.

4. Network security protection: Understand organizational information security protection and control measures, including the physical environment, management processes, hardware devices and the firewall, IoT related protection mechanisms, network connection security and computer audit log management, and the account permission control mechanism.

5. Outsourced supplier management: Understand the organization’s management mechanism for third-party service providers, including supplier selection, remote online management program standards, outsourced personnel account supervision and control, contract signing and the audit mechanism.

6. Program change management: Understand the organization’s control measures for program changes, including program environment settings, system development file retention, code security testing, mobile application forgery detection mechanism, mobile application device cracking detection mechanism, system development and maintenance processes, and related change mechanisms.

7. Identity verification management: Understand the organization’s identity verification control measures for the online ordering system, including the account login authentication mechanism, account locking mechanism, verified data protection, transaction activity verification, and account protection mechanism.

(II) Assessment of Information Security Risk Exposure

Although securities firms have developed comprehensive security policies and procedures, loopholes may still exist in their actual technical implementation and configuration. Through the assessment of information security risk exposure, technical vulnerabilities and risks that a questionnaire cannot disclose can be presented objectively from the perspective of attackers. The evaluation of information security exposure is conducted mainly from an external perspective, through non-invasive means and without affecting the services provided by securities firms: public information and digital footprints are examined to understand each firm’s external exposure, and the results are rated and analyzed to help securities firms identify and manage network security risks and strengthen their defense. This evaluation covers five common areas of security protection (external service, web application, email, credential, and cloud security), with over 100 testing items used to evaluate the level of information security protection of securities firms.

1. External Service

The public network services provided by securities firms, such as data exchange or remote connection, can easily become channels for hacker intrusion if not managed properly. This project mainly collects the following information for risk assessment:

(1) Remote control: Check if there are any publicly available remote control services, and evaluate if there is any risk of intrusion to such services.

(2) Database: Confirm if there are publicly available database services, and check if there are any known vulnerabilities in the database.

(3) Application services: List all external application services, and identify their vulnerabilities for attacks.

(4) Shortlisting: Through deep web intelligence checks, determine whether the securities firm has been shortlisted as a springboard for malicious attacks because of inadequate protection measures.

2. Web Application

Securities firms’ external websites are the first place hackers examine to gauge a firm’s security status. If the security controls are loose, hackers regard the site as a low-cost intrusion target and go on to study intrusion methods. This test mainly collects the following information for risk assessment:

(1) Web server: Identify web server settings that lack security configuration or have an insufficient security level, and check whether the server version has any known vulnerabilities.

(2) Web application: Detect insecure HTTP header settings; correct headers prevent users from leaking sensitive information while interacting with the website and reduce the risk of forged requests.

(3) Certificate: Check the security strength of the certificate’s cipher suite, and confirm whether the website uses a vulnerable cipher suite.

(4) Domain: List domains that are related to securities firms, and check for malicious domains that may have an impact on the firms.
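As an added example (not part of the original report or PwC’s assessment platform), the following script performs the web server and web application items offline against two constructed HTTP responses for a hypothetical trading site: it reports missing security headers, version disclosure in server headers, and session cookies that lack the attributes guarding against leakage and forged requests.

```python
"""Offline check for the web-application items above: insecure response headers,
version disclosure and cookie attributes (session leakage, forged requests).
Constructed sample responses stand in for live HTTP replies; nothing is fetched."""
import re

# Headers whose absence is reported, with the risk each one mitigates.
EXPECTED_HEADERS = {
    "strict-transport-security": "browser may be downgraded to plain HTTP",
    "content-security-policy": "no restriction on injected script sources",
    "x-content-type-options": "MIME sniffing may execute uploaded content",
    "x-frame-options": "page may be framed for clickjacking",
    "referrer-policy": "URLs carrying session or query data may leak to third parties",
}
# Headers that commonly disclose the server or framework version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ONE_YEAR = 31536000  # HSTS max-age commonly required, in seconds

def parse_raw_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def assess_headers(headers):
    """Return a list of findings for one response ([] = every checked item passes)."""
    findings = []
    for name, risk in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}: {risk}")
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", [""])[0], re.I)
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security max-age is shorter than one year")
    xfo = headers.get("x-frame-options", ["DENY"])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options '{xfo}' is not honoured by browsers")
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            if re.search(r"\d", value):
                findings.append(f"{name} discloses a version: {value}")
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {cookie_name} lacks {', '.join(missing)}")
    return findings

def assess_response(raw):
    status, headers = parse_raw_response(raw)
    return {"status": status, "findings": assess_headers(headers)}

# Constructed responses for a hypothetical trading site (not a real firm).
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Server: Apache/2.4.29", "X-Powered-By: PHP/7.2.0",
    "Set-Cookie: SESSIONID=abc123; Path=/", "Content-Type: text/html",
    "", "<html>...</html>"])
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Strict-Transport-Security: max-age=63072000; includeSubDomains",
    "Content-Security-Policy: default-src 'self'", "X-Content-Type-Options: nosniff",
    "X-Frame-Options: DENY", "Referrer-Policy: strict-origin-when-cross-origin",
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Content-Type: text/html", "", "<html>...</html>"])

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, assess_response(raw)["findings"] or "no findings")
```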

3. Email

Employees need to interact with the outside world through email services every day, and managing the email exposure of securities firms can effectively reduce the occurrence of hacking incidents in advance. This test mainly collects the following information for risk assessment:

(1) Email service: Check whether the firm has a publicly available email server to avoid security breaches caused by incomplete security settings.

(2) DMARC: Check if the DMARC settings for the firm’s domain are complete. DMARC settings build on SPF to further enhance the ability of the recipient’s email gateway to handle counterfeit emails.

(3) SPF: Check if the SPF settings for the firm’s domain are complete. SPF settings are used to confirm whether the email is indeed sent by a server authorized by the firm, in order to prevent hackers from impersonating the firm’s domain and sending phishing emails to employees or customers.
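As an added example (not the report’s own tooling), the following script evaluates the DMARC and SPF items above against constructed TXT records for hypothetical domains; a live check would feed in the TXT records actually published at the domain and at _dmarc.&lt;domain&gt;. It reports a missing or permissive SPF record, the RFC 7208 DNS-lookup limit, and a DMARC policy that only monitors or sends no reports.

```python
"""Offline check for the SPF and DMARC items above. Constructed TXT records stand
in for DNS answers; a live check would feed in the TXT records returned for
<domain> and _dmarc.<domain> instead."""
import re

SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")
SPF_LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS-lookup terms is a permerror

def assess_spf(txt_records):
    """Return findings for a domain's SPF TXT records ([] = complete)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send for this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].split()[1:]:
        lower = term.lower()
        name = re.split(r"[:/=]", lower.lstrip("+-~?"), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHS or name == "redirect":
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
        if name == "all":
            all_qualifier = lower[0] if lower[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any sender pass; use -all or ~all")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    return findings

def assess_dmarc(txt_records):
    """Return findings for the _dmarc.<domain> TXT records ([] = complete)."""
    recs = [t for t in txt_records if t.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record: SPF/DKIM results are never enforced on the From: domain"]
    if len(recs) > 1:
        return ["multiple DMARC records: receivers discard the policy"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: record is not valid")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on spoofing attempts")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    return findings

def assess_email_domain(domain, txt_source):
    """txt_source maps a DNS name to its TXT strings (here the constructed table)."""
    spf = assess_spf(txt_source.get(domain, []))
    dmarc = assess_dmarc(txt_source.get(f"_dmarc.{domain}", []))
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "complete": not (spf or dmarc)}

# Constructed records for hypothetical domains (not real firms).
SAMPLE_TXT = {
    "good-broker.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.good-broker.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-broker.example; adkim=s"],
    "weak-broker.example": ["v=spf1 ptr " + " ".join(f"include:relay{i}.example" for i in range(11)) + " +all"],
    "_dmarc.weak-broker.example": ["v=DMARC1; p=none"],
    "none-broker.example": [],
}

if __name__ == "__main__":
    for domain in ("good-broker.example", "weak-broker.example", "none-broker.example"):
        result = assess_email_domain(domain, SAMPLE_TXT)
        print(domain, "complete" if result["complete"] else result["spf"] + result["dmarc"])
```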

4. Credential

With the popularity of social networking sites and cloud services, employees often use internal account passwords for external services. Once external data is leaked, hackers can easily use it to infiltrate or conduct social engineering attacks. This test mainly collects the following information for risk assessment:

(1) Credential breach: Compare the firm’s accounts with the data in well-known breach databases.

(2) External service accounts: Check whether the firm’s domain has been registered for commonly used external services; this may be because hackers use the firm’s domain to register for such external services in preparation for social engineering attacks.

(3) Deep web intelligence comparison: Check whether the firm’s domain is mentioned in the deep web; if yes, it indicates that the firm may have vulnerabilities that have been exploited, or that sensitive data has been shared by hackers in the deep web.

5. Cloud Security

(1) Public cloud storage: Check whether the evaluated institution has publicly available cloud storage. Currently, among the top data breach incidents, most of the breach channels are through public cloud storage. Therefore, how to properly manage cloud storage and prevent it from becoming a channel for confidential information breach is one of the important issues in cloud security management.

(2) Publicly available code repositories: Check whether the evaluated institution has publicly accessible code repositories. Such repositories may contain the code, account passwords, and editing history of important services within the organization, which hackers can further exploit to find vulnerabilities and attack targets.

(III) Technical Testing Items and the Meaning of Scores

1. Calculation method for questionnaire evaluation results

(1) Classify the questionnaire evaluation results of each securities firm into four levels, with the corresponding score of fully compliant (5 points), partially compliant (3 points), non-compliant (1 point), or not applicable. After calculating the score of each dimension, take the average (rounding all numbers) to obtain the score for each dimension. The rating can correspond to five levels, namely high, medium high, medium, medium low, and low. The lowest rating among the seven dimensions evaluated is the questionnaire evaluation rating of the securities firm.

(2) Use the discrete method to analyze the seven dimensions covered by the questionnaire and calculate the mean and standard deviation for a comparison of the degree of dispersion of the control level of each securities firm in the seven dimensions, in order to grasp the differences in control between the securities firm and its peers.
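The following is an added worked example of the scoring method in (1) and (2) above; it is not the report’s own calculation. It uses constructed answers for three hypothetical firms, and the mapping of the rounded 1 to 5 dimension score onto the five rating levels is an assumption, since the page does not state the thresholds.

```python
"""Worked example of the questionnaire scoring method above: 5/3/1 answer
scores, N/A excluded, rounded dimension averages, the firm rated by its
weakest dimension, and mean / standard deviation against peers.
Constructed answers for three hypothetical firms; the 1..5 score to level
mapping is an assumption, as the page gives no thresholds."""
import math
from statistics import mean, pstdev

ANSWER_SCORE = {"full": 5, "partial": 3, "non": 1}   # "na" is excluded from the average
# Assumed: each rounded score 1..5 maps onto one of the five rating levels.
LEVEL_NAME = {5: "high", 4: "medium high", 3: "medium", 2: "medium low", 1: "low"}
DIMENSIONS = ("organization", "continuity", "personal_data", "network",
              "supplier", "change", "identity")

def dimension_score(answers):
    """Rounded (half up) average of the answer scores; None if every answer is N/A."""
    scores = [ANSWER_SCORE[a] for a in answers if a != "na"]
    if not scores:
        return None
    return int(math.floor(sum(scores) / len(scores) + 0.5))

def firm_rating(firm_answers):
    """Per-dimension scores plus the overall score: the lowest dimension wins."""
    scores = {d: dimension_score(firm_answers[d]) for d in DIMENSIONS}
    overall = min(s for s in scores.values() if s is not None)
    return scores, overall, LEVEL_NAME[overall]

def peer_dispersion(all_firms):
    """Mean and population standard deviation of each dimension across all firms."""
    stats = {}
    for d in DIMENSIONS:
        vals = [v for v in (dimension_score(f[d]) for f in all_firms.values()) if v is not None]
        stats[d] = (mean(vals), pstdev(vals))
    return stats

def deviation_from_peers(firm_answers, stats):
    """Z-score of each dimension against peers; flags dimensions more than 1 sd below the mean."""
    out = {}
    for d in DIMENSIONS:
        score, (m, sd) = dimension_score(firm_answers[d]), stats[d]
        z = 0.0 if score is None or sd == 0 else (score - m) / sd
        out[d] = (score, round(z, 2), z < -1.0)
    return out

# Constructed answers: four items per dimension, not real questionnaire data.
FIRM_A = {d: ["full", "full", "partial", "na"] for d in DIMENSIONS}     # 4.33 -> 4
FIRM_B = {d: ["full", "full", "full", "full"] for d in DIMENSIONS}      # 5
FIRM_B["identity"] = ["partial", "non", "non", "na"]                     # 1.67 -> 2
FIRM_C = {d: ["partial", "partial", "full", "na"] for d in DIMENSIONS}  # 3.67 -> 4
SAMPLE_FIRMS = {"A": FIRM_A, "B": FIRM_B, "C": FIRM_C}

if __name__ == "__main__":
    stats = peer_dispersion(SAMPLE_FIRMS)
    for name, answers in SAMPLE_FIRMS.items():
        _, overall, level = firm_rating(answers)
        weak = [d for d, (_, _, flag) in deviation_from_peers(answers, stats).items() if flag]
        print(f"firm {name}: overall {overall} ({level}); below peers in {weak or 'none'}")
```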

2. Rating method for information security risk exposure assessment

Systematically summarize information collected from external information security authoritative units, such as the ATT&CK information security framework proposed by MITRE, and the Common Vulnerability Scoring System (CVSS) publicly available from the National Infrastructure Advisory Council (NIAC) of the United States to evaluate the weaknesses, and disclose the corresponding risk level based on the evaluation results. The risk level is assessed based on real-time risk information and external environmental factors, and may change due to different time points; therefore, there may be different ratings at different time points. The risk levels are classified from high to low into five levels, namely A, B, C, D, and F, explained as follows:

Table 1 Explanation of Risk Levels of Information Security Risk Exposure Assessment

| Rating | A | B | C | D | E |
|---|---|---|---|---|---|
| Information disclosure to external parties | Extremely limited information disclosure | A small amount of disclosed information that may be used for attacks | Information that can be used for attacks | Information that is clearly exploitable for attacks | A large amount of clearly exploitable information for attacks |
| Motivation for hacker attacks | Almost never triggers an attack motive | Low probability of triggering attack motive | May trigger attack motive | High probability of triggering attack motive | Very high probability of triggering attack motive |
| Probability of successful attacks | Attacks are difficult to succeed | Low probability of successful attacks | Attacks may be successful | Attacks are usually successful | Very high probability of successful attacks |

The higher the rating, the less exposed and vulnerable the securities firm is, indicating that the securities firm’s information security defense is more complete and stable. On the contrary, the lower the rating, the higher the likelihood that hackers can exploit the information and execute the complete attack chain. The final step of the rating method for the information security risk exposure level is to select the lowest risk level obtained from the five technical testing items above to be the risk level for the risk security exposure evaluation of the securities firm.

3. Method for evaluating the current degree of information security control

The results of questionnaire evaluation and information security risk exposure assessment are summarized to comprehensively evaluate the current information security control of securities firms. In the matrix diagram, the vertical axis represents the questionnaire evaluation level, and the horizontal axis represents the level of information security risk exposure. The presentation is made according to different levels of information security control, which enables the reader to intuitively understand the overall distribution of information security intensity of the securities industry. According to the matrix diagram, the degree of security control of securities firms is divided into three levels by color:

  • Excellent (green): This indicates that a sound information security control system has been established, which can effectively reduce security risks.
  • Acceptable (yellow): This indicates that the security control is acceptable, but there is still room for improvement.
  • To be strengthened (red): This indicates a significant lack of security control, and a high security risk exists.
  • Excluded from information security risk exposure testing (gray): This means that the securities firm has not established an official website in the Taiwan securities market, or although it has an official website, the domain does not belong to the securities firm (such as being managed by a financial holding company or bank), therefore no testing is conducted and no assessment result of information security risk exposure is generated.

Figure 1 Matrix of the Securities Firm’s Current Degree of Information Security Control

III. Result Analysis

(I) Questionnaire evaluation results

1. According to the analysis of the questionnaire, the comprehensive evaluation of the seven dimensions shows that 76% of securities firms in the securities industry have reached the medium level or above in information security control, and 24% have an acceptable level of security control. To further raise the overall security control level of the securities industry, the security control of securities firms at the latter level must be improved and strengthened.

2. According to the statistical analysis results of the seven dimensions in the questionnaire (information security organization and manpower allocation, business continuity management, personal data protection, network and system security protection, supplier management, program change management, and identity verification management), the overall performance of securities firms in terms of control is relatively consistent, and there are no particularly outstanding or lagging items among the seven dimensions.

(II) Assessment results of information security risk exposure

1. According to the evaluation results of information security risk exposure, among all the securities firms, the proportion with A-level risk is 10%, and the proportion with B-level risk is 35%; the proportion with C-level risk reaches 55%, indicating that most securities firms have a certain level of information security protection.

2. Among the five risk exposure dimensions, risks are mainly concentrated in the two dimensions of network and email. Network related risks account for 79% of the overall risk, while email related risks account for 19%, indicating that securities firms should prioritize their strengthening of security protection on network and email dimensions to reduce potential risks. In addition, the current testing tools of securities firms may have shortcomings in addressing the two major risk dimensions above. It is recommended to avoid long-term reliance on a single testing tool and adopt multiple testing methods for evaluation, in order to ensure effective prevention of various security threats.

3. Among the risk items identified in the five dimensions, high-risk items account for 6% of the overall risk, medium-risk items for 56%, and low-risk items for 38%. Although high-risk items are under a certain degree of control, there is still room for improvement, and most potential risks are concentrated in medium- and low-risk items, which require continuous strengthening of protective measures to reduce risk exposure comprehensively.

(III) Comprehensive evaluation results

The results of the questionnaire evaluation of the current degree of information security control and the assessment of information security exposure risks are presented together in a matrix diagram of information security control level, which is divided into four blocks: green (excellent), yellow (acceptable), red (to be strengthened), and gray (excluded from information security risk exposure testing). Among them, the securities firms in the green block account for 21% of the total, those in the yellow block for 49%, those in the red block for 5%, and those in the gray block for 25%.

For securities firms with the evaluation result of “red (to be strengthened)” or “gray (excluded from information security risk exposure testing)” but a questionnaire evaluation rating of “acceptable,” which account for 9% of the total, personalized item-specific reminders and guidance can be planned to assist securities firms in improving their information security protection level.

The matrix diagram of the current degree of information security control intuitively presents the overall distribution of information security intensity in the securities industry. In the future information security supervision plan, priority can be given to high-risk areas to continuously strengthen the overall information security protection capabilities of the securities market.

IV. Conclusion

The comprehensive examination report on information security shows that the securities industry has a certain level of protection foundation in terms of information security. However, security protection in high-risk areas such as network and email still faces challenges, posing potential risks to the operations of securities firms.

Overall, strengthening the security protection of the securities industry is not only an important measure to maintain market stability, but also a link in the enhancement of the overall market resilience. Through continuous information security improvement and strategy adjustments, the securities industry can effectively reduce information security risks, protect investor interests, and promote the long-term stability and healthy development of the securities market.

Looking ahead, with the rapid development of technology, the securities industry will face more complex security challenges. The application of new technologies such as artificial intelligence, cloud computing, and blockchain will bring new opportunities to the securities industry, but will also bring new security risks. Therefore, the securities industry should actively explore new information security technologies and strengthen risk assessment of emerging technologies to ensure competitiveness in the constantly changing environment.
