Financial Zero Trust Architecture: Strategies and Practices for Strengthening Information Security Defense

Meng-Han Chiang
Senior Associate at TWSE

The Rise of the Zero Trust Architecture

With the growing trend of digital transformation in enterprises, the application scope of digital technology is expanding and diversifying, and remote work has become the new normal. Access to enterprise applications and infrastructure is gradually migrating to the cloud, and network users, beyond just employees or customers, may also include system service providers or partners. As these trust boundaries blur, the perimeter within which cyber threats must be contained becomes increasingly difficult to define, rendering the traditional model, which protects a clearly defined internal boundary and treats external threats as the primary risk, ineffective and insecure.

The core of the zero-trust architecture is to redefine network security policies with the principle of “never trust, always verify.” Trust for both internal and external users or devices is no longer predetermined. Instead, it is based on strict identity verification and ongoing risk assessment, ensuring that all access behaviors rest on a dynamic and verifiable security mechanism.

At present, countries such as the United States and members of the European Union have incorporated the zero-trust architecture into their cyber security strategies, and Taiwan’s “National Cyber Security Development Plan (2021–2024)” has also included zero-trust as a key focus for strengthening government agencies’ information security. In December 2022, the Financial Supervisory Commission (hereinafter referred to as the FSC) issued the “Financial Cyber Security Action Plan 2.0” to explicitly encourage financial institutions to adopt the zero-trust mechanism. The FSC also issued the “Guidelines for the Introduction of Zero Trust Architecture in the Financial Industry” (hereinafter referred to as the Guidelines) in July 2024 for domestic industry participants to refer to and follow. To maintain the sustained stability and security of the securities market, the Taiwan Stock Exchange Corporation (hereinafter referred to as the TWSE) is also launching a series of zero-trust promotion seminars in 2025 to assist securities firms in understanding the zero-trust architecture, enabling them to plan and deploy in advance and work together to establish a better information security defense system.

Concept and Implementation Strategy of the Zero Trust Architecture

The zero-trust architecture covers the overall information security defense strategy. Its introduction cannot be achieved overnight; it requires a comprehensive assessment and long-term planning by enterprises, with reinforcement and optimization carried out in multiple stages. However, organizations need not worry excessively. The zero-trust architecture does not require the elimination of all existing information security management mechanisms. Since domestic financial institutions are heavily regulated by the FSC, their existing information security management mechanisms can already meet some of the requirements of the zero-trust architecture. Therefore, when performing an assessment, it is recommended that enterprises first take stock of their existing information security protection mechanisms, incorporate the concept of the zero-trust architecture into their planning accordingly, and adopt a step-by-step approach to improve their protection capabilities.

For the Guidelines, the FSC referred to the maturity model released by the Cybersecurity and Infrastructure Security Agency (CISA) of the United States and, based on the attributes of Taiwan’s financial industry and its information security protective capacity, divided the control measures into four stages from basic to highly mature: the traditional stage, the initial stage, the advanced stage, and the optimal stage. Different implementation indicators are set for each stage. Static indicators are the focus of the traditional stage: it is recommended to check the integrity of the existing information security protection mechanisms and plan the optimization and integration of defense in depth, without necessarily introducing new products or solutions. In the initial stage, dynamic indicators are prioritized, and an Attribute-Based Access Control (ABAC) mechanism is established so that dynamic attributes of each session (such as time, location, and compliance) serve as authorization review conditions for dynamic revocation, restricted access authorization, or real-time alarms. The important data and resources of the accessed target, as well as the transaction processes under consideration, should be identified. In the advanced stage, real-time indicators are used to integrate or accommodate event logs and to provide regular review, detection, alert, and response mechanisms for abnormal behavior. Event logs should additionally include behavior records generated from the dynamic attributes and zero-trust policies specified in the initial stage, and relevant logs can be centrally stored on a SIEM platform and coupled with the information security monitoring mechanism (SOC). In the optimal stage, indicators are integrated and a consistent, automated management mechanism that can be quickly adjusted according to the information security policy is established. Introducing automation into the control measures at this stage is an important means of achieving these indicators and of attaining efficient and accurate response.

Based on the access path, the Guidelines propose five pillars of zero trust which comprehensively cover the dimensions of identity, device, network, application, and data. Each pillar corresponds to the implementation principles of the indicators from the four stages listed above, and the comprehensive coverage of the static, dynamic, real-time, and integrated indicators across the five pillars creates layered and rigorous information security protection. For example, for the identity pillar, in addition to re-authenticating identities on a regular basis, the identification process must be strengthened, the trust level increased, and dynamic revocation and restriction capabilities implemented. The real-time indicators of the five pillars focus on visibility analysis: combining event logs, constructing a regular review and detection mechanism for abnormal behaviors, and integrating with the information security monitoring mechanism for real-time judgment.
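As an added illustration (not code from the Guidelines or the TWSE), the following policy check shows how the initial-stage ABAC indicator and the periodic re-authentication described above can be evaluated per session: a static identity check plus dynamic attributes (time, location, device compliance, session age) yield allow, restrict, or revoke, with a real-time alert raised separately. The thresholds, allowed countries, and sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

# Decision levels ordered by severity; an alert is raised independently of the level
DECISIONS = ("allow", "restrict", "revoke")

@dataclass
class SessionContext:
    user: str
    mfa_verified: bool          # static indicator: identity strongly verified at login
    device_compliant: bool      # dynamic attribute: endpoint compliance state
    country: str                # dynamic attribute: location of the session
    login_hour: int             # dynamic attribute: local hour (0-23) of the access
    session_age_min: int        # minutes since the last authentication
    resource_sensitivity: str   # "high" for important data/resources, else "normal"

# Constructed policy parameters (assumptions for this example, not Guideline values)
ALLOWED_COUNTRIES = {"TW"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59
REAUTH_INTERVAL_MIN = 60        # periodic re-authentication interval

def evaluate(ctx: SessionContext) -> tuple[str, bool, list[str]]:
    """Return (decision, alert, reasons) for one session evaluation."""
    severity, alert, reasons = 0, False, []
    if not ctx.mfa_verified:                        # identity not strongly verified
        severity = 2
        reasons.append("mfa_not_verified")
    if ctx.session_age_min > REAUTH_INTERVAL_MIN:   # periodic re-authentication overdue
        severity = 2
        reasons.append("reauth_overdue")
    if ctx.country not in ALLOWED_COUNTRIES:        # unexpected location: revoke and alert
        severity, alert = 2, True
        reasons.append("location_not_allowed")
    if not ctx.device_compliant:                    # non-compliant device: restrict, or revoke for high sensitivity
        severity = max(severity, 2 if ctx.resource_sensitivity == "high" else 1)
        reasons.append("device_noncompliant")
    if ctx.login_hour not in BUSINESS_HOURS:        # off-hours access: alert, restrict sensitive targets
        alert = True
        reasons.append("outside_business_hours")
        if ctx.resource_sensitivity == "high":
            severity = max(severity, 1)
    return DECISIONS[severity], alert, reasons

if __name__ == "__main__":
    # Constructed sample sessions
    print(evaluate(SessionContext("alice", True, True, "TW", 10, 15, "high")))
    print(evaluate(SessionContext("bob", True, False, "TW", 10, 15, "normal")))
    print(evaluate(SessionContext("eve", True, True, "US", 10, 90, "normal")))
```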

In addition, because securities trading emphasizes speed and stability, and front-, mid-, and back-office systems must meet highly real-time and accuracy requirements when exchanging data and linking processes, introducing the strengthened access control and security verification of zero-trust control measures without proper design and assessment may affect overall system operational efficiency and fluency. Therefore, the current implementation strategy prioritizes high-risk and low-impact areas and actively encourages all industry participants to implement them. These high-risk areas include remote office, cloud access, system maintenance management, application system management, service providers, and cross-institution collaboration. Industry participants may choose their priorities based on risk-oriented assessment results to avoid impacts on important operations.

The TWSE Is Holding A Series of Themed Conferences on Zero Trust in 2025 for Diverse Discussions on Zero Trust Topics

To guide industry participants in gaining an in-depth understanding of the key implementation points of the financial zero-trust architecture, the Taiwan Stock Exchange (TWSE) has planned nearly 10 zero-trust–themed explanatory sessions throughout the year. These will include two seminars sharing the implementation experiences of pilot institutions, five explanation meetings focused on recommended implementation functions and principles based on the five core access-path pillars—identity, device, network, application, and data—as well as sessions on the interpretation of reference guidelines and the introduction-status survey questionnaire.

The first seminar of 2025 was held on January 3, with FSC officers invited to provide guidance. Also invited were representatives from peripheral units such as the Taipei Exchange and the Taiwan Securities Association, as well as the supervisors and staff of all securities firms’ dedicated units for the financial zero-trust architecture. Since the FSC invited representative institutions of various industries to serve as zero-trust demonstration units in 2024, with Yuanta Securities as the pilot institution of the securities industry, the TWSE also invited the Chief Information Security Officer of Yuanta Securities to share the firm’s practical process of implementing zero trust over the past year and to provide an opportunity for mutual exchange and discussion among industry participants at the seminar. Subsequently, two explanation meetings were held in March, including an explanation of the current-status survey questionnaire and an introduction to zero trust. Beginning in May, a monthly in-depth analysis of each access-path pillar will be conducted to enable industry participants to understand the practical concepts.

The Initial Questionnaire Survey Reveals Doubts in Practical Work

To understand the overall status of the securities industry’s adoption of the zero-trust architecture and its level of understanding of the Guidelines, the TWSE designed a questionnaire in which respondents fill in the control measures of the five pillars corresponding to their applicable fields. This encourages industry participants to first review their current information security architecture and then plan defense strategies that comply with the zero-trust principle, and the results also serve as a reference for subsequent policy promotion, resource assistance, and tiered management. Based on the findings of the first questionnaire survey, the common questions were consolidated into three categories: clarification of term definitions, the application scope of verification mechanisms and log data collected, and differences in identity authentication technologies.

Regarding the definitions of terms, clarification is made mainly on three high-risk fields: “cloud access,” “service providers,” and “cross-institution collaboration.” “Cloud access” refers to systems or services built in public cloud environments (such as AWS, Azure, and GCP); if a system is not built in the cloud, it does not fall into this category. “Service provider” means the system allows direct access by employees of the vendor who provides services for the company’s information systems, such as operating system maintenance or network equipment maintenance; that is, the systems or devices contain accounts used by the vendor’s employees. “Cross-institution collaboration” means the system allows employees of the company’s business partners to use it; that is, the system has accounts used by employees who do not belong to the same legal entity.

In terms of the application scope of verification mechanisms and log data collected, some industry participants asked, for a high-risk but low-impact information and communication system (call it System A) that involves login behavior, whether it is necessary to confirm that all nodes implement multi-factor authentication (MFA) throughout the entire process beginning with logging into System A’s virtual private network (VPN), and whether all identity verification logs during this period need to be collected. The high-risk, low-impact approach underpins the design of this questionnaire. VPN/VDI belong to the remote office area; therefore, confirmation is only required for whether MFA is used during the VPN login step. Subsequent related systems such as System A belong to other fields and are handled according to their respective categories. Regarding the log data collected, since “visibility analysis” belongs to Level III control, which focuses on establishing a comprehensive correlation analysis mechanism, it is recommended to fully include identity verification-related logs for future auditing and event tracing.

Regarding the differences in identity authentication technology, the one-time password (OTP) types excluded by the Guidelines include SMS, voice, and email. They are not recognized as mechanisms that meet multi-factor authentication requirements because they are ineffective at defending against phishing. However, the Time-based One-Time Password (TOTP) algorithm is a verification mechanism that may be used in conjunction with physical tokens and is resistant to phishing attacks; it is one of the MFA implementations recommended by the Guidelines. Industry participants may prioritize the adoption of verification mechanisms with sufficient security strength based on their information environments and risk assessment results, in compliance with the principles of information security governance.

Conclusion

As information security threats are complex and ever-changing, the introduction of the zero-trust architecture will become an important trend for future information security protection in the securities market. Although it is not a mandatory policy, securities firms are encouraged to develop internal zero-trust strategies as soon as possible. When planning the deployment strategy, they should conduct an overall assessment and planning at the medium- and long-term stage levels and implement in a step-by-step manner. If they aim only to meet the implementation principles of the traditional stage, they are likely to select solutions that satisfy multiple control measures of the current stage but cannot support the implementation principles of the next stage. As promotion continues, such industry participants will face re-planning and re-procurement, which may incur additional capital expenditure as well as testing and deployment costs, and this is not conducive to their long-term development. Therefore, the TWSE is holding a series of zero-trust lectures this year to remind securities firms to respond appropriately to the challenges faced during the introduction process, and it continues to assist securities firms in deepening their information security protection, so as to jointly strengthen the information security defense mechanism of the securities market and add an extra safeguard for the rights and interests of market participants.