History of Securities Firms’ Information Security Diagnostics

Elliot Liu
Senior Associate at TWSE

I. Preface

With the comprehensive digitization of the securities market, digitization brings more convenient services but also gives rise to many challenges, among which cybersecurity has become the primary issue faced by securities firms. In recent years there have been numerous types of cyber attacks, frequent incidents of data breaches, and reports of malicious software, ransomware, and attacks on system vulnerabilities. Faced with such a severe environment, securities firms must continuously strengthen their own protective capabilities. The demand for information security health diagnostics therefore emerged as a way to effectively grasp an enterprise’s information security protection capabilities in order to cope with risks. Through information security diagnostics, securities firms can comprehensively examine their internal systems, processes and protective measures, identify potential risks, and obtain specific improvement suggestions. This article explains the current situation and future plans of securities firms in handling information security diagnostics, and briefly introduces the differences in information security diagnostic items between government agencies and the financial and insurance industries, in the hope that information security diagnostics can effectively enhance the overall security protection capabilities of the securities market.

II. Current Status of Securities Firms’ Handling of Information Security Diagnostics

Since 2020, securities firms have conducted information security diagnostics in accordance with the “Matters to Be Handled for Graded Protection,” under which the cybersecurity inspection system for securities firms was established. Most current inspection items reference the information security diagnostic regulations for government agencies. By integrating various information security inspection services, in-depth assessments of systems, processes, and protection mechanisms are conducted to identify weaknesses and propose improvement suggestions aimed at strengthening information system protection capabilities.

The information security diagnostic regulations for government agencies are based on the “Regulations on Classification of Cyber Security Responsibility Levels.” Government agencies rated at level C or higher are required to conduct cybersecurity diagnostics covering network architecture, security equipment, user-end and server-end activities, directory server settings, and firewall connection settings. A brief explanation is provided as follows:

1. Network architecture review: Conduct a vulnerability review of the network architecture diagram of the tested organization, including whether the design logic is reasonable, whether the host location is appropriate, and whether the protective measures are sufficient.

2. Inspection of malicious wired-network activities

(1) Packet monitoring and analysis

Deploy passive (side-recording) capture devices at appropriate locations on the network, observe whether there are abnormal connections or DNS queries, and check whether any connection goes to a known malicious IP or command-and-control (C&C) server, or shows characteristics matching those of malicious network behavior.

(2) Analysis of network device record files

Inspect the records of devices such as firewalls and intrusion detection systems to confirm if there are any abnormal connections.

3. Inspection of user-end malicious computer activities

(1) Inspection of user-end malicious computer programs or files

Scan personal computers for malicious programs, hacking tools, or abnormal accounts and groups.

(2) Inspection of user-end computer updates

Inspect whether the versions of the operating system and commonly used applications are up to date, whether support has been discontinued, and the installation and update status of antivirus software.

4. Inspection of malicious server host activities

(1) Inspection of malicious server host activities or files

Inspect the server host for the presence of malicious programs or files, including active and hidden malicious programs, hacking tools, and abnormal accounts and groups.

(2) Inspection of server host updates

The content is similar to that of the user-end inspection, focusing on the versions and update status of the operating system and applications, the normal operation of antivirus software, and whether inappropriate software has been used.

5. Inspection of directory server settings

The inspection of active directory (AD) server configuration settings in the directory server shall be based on the “Government Configuration Standards” published by the Technical Service Center of the National Information and Communication Security Taskforce, Executive Yuan. If there is no AD server, other directory servers (such as LDAP) or individual user-end computers can be used to complete the security setting review of “Password Setting Principles” and “Account Lockdown Principles.”

6. Inspection of firewall connection settings

Inspect whether there are security vulnerabilities in the connection configuration rules of the firewall (such as external network to internal network, internal network to external network, and internal network to internal network), and confirm the appropriateness of the source and destination IPs and communication port connectivity (including confirmation of firewall detection rules, such as setting “Permit All/Any” and “Deny All/Any”).
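The firewall review described in item 6 checks each connection rule for overly permissive source, destination and port settings and for the presence and placement of “Permit All/Any” and “Deny All/Any” rules. The following Python script is an added example, not code from the original article or from TWSE; the rule model (zone names such as `ext->int`, CIDR strings, a port spec of `any`, a single port or a range) and the sample rule set are constructed for illustration. It flags permit-any rules, unrestricted inbound or outbound permits, rules shadowed by an earlier broader rule (a deny-all placed after a permit-all is never evaluated), and zones that lack an explicit final deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    zone: str    # constructed zone labels: "ext->int", "int->ext", "int->int"
    src: str     # CIDR such as "10.0.0.0/8", or "any"
    dst: str     # CIDR, or "any"
    dport: str   # "any", a single port "443", or a range "8000-8100"
    action: str  # "permit" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    # "any" is modelled as the whole IPv4 space so it can be compared like a CIDR.
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def _ports(spec: str) -> tuple[int, int]:
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow matched by `narrow` is also matched by `broad`."""
    if broad.zone != narrow.zone:
        return False
    if not _net(narrow.src).subnet_of(_net(broad.src)):
        return False
    if not _net(narrow.dst).subnet_of(_net(broad.dst)):
        return False
    blo, bhi = _ports(broad.dport)
    nlo, nhi = _ports(narrow.dport)
    return blo <= nlo and nhi <= bhi


def audit_rules(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule-or-zone name, finding) pairs for an ordered, first-match rule set."""
    findings = []
    for i, r in enumerate(rules):
        any_src, any_dst, any_port = r.src == "any", r.dst == "any", r.dport == "any"
        if r.action == "permit" and any_src and any_dst and any_port:
            findings.append((r.name, "permit any/any/any: effectively no filtering"))
        elif r.action == "permit" and r.zone == "ext->int" and (any_dst or any_port):
            findings.append((r.name, "inbound permit with unrestricted destination or port"))
        elif r.action == "permit" and r.zone == "int->ext" and any_dst and any_port:
            findings.append((r.name, "unrestricted egress permit"))
        # A rule fully covered by an earlier rule is unreachable (shadowed).
        for earlier in rules[:i]:
            if _covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule {earlier.name}; never evaluated"))
                break
    # Each zone should end with an explicit deny any/any rule (first-appearance order kept).
    for zone in dict.fromkeys(r.zone for r in rules):
        last = [r for r in rules if r.zone == zone][-1]
        if not (last.action == "deny" and last.src == "any" and last.dst == "any" and last.dport == "any"):
            findings.append((zone, "no explicit final deny any/any rule"))
    return findings


# Constructed sample rule set using documentation address ranges (RFC 5737) and private space.
SAMPLE_RULES = [
    Rule("ext-web", "ext->int", "any", "192.0.2.10/32", "443", "permit"),
    Rule("ext-mgmt", "ext->int", "any", "any", "any", "permit"),        # permit all
    Rule("ext-deny", "ext->int", "any", "any", "any", "deny"),          # unreachable after ext-mgmt
    Rule("int-out-dns", "int->ext", "10.0.0.0/8", "198.51.100.53/32", "53", "permit"),
    Rule("int-out-web", "int->ext", "10.0.0.0/8", "any", "443", "permit"),  # zone lacks final deny
    Rule("int-int-db", "int->int", "10.20.0.0/16", "10.30.0.5/32", "5432", "permit"),
    Rule("int-int-deny", "int->int", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The coverage check treats the rule set as first-match, which is how most firewalls evaluate ordered rules; a real review would export the vendor’s rule table into this model and also confirm the zone-to-interface mapping that the script assumes.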

The above is the information security diagnostic content set by government agencies. The tested agency can obtain information security improvement suggestions through information security diagnostic services to enhance the security protection capabilities of the government’s network and information systems.

III. Developing Information Security Diagnostics for the Securities Industry by Referring to the Regulations for the Financial and Insurance Industries

Considering the consistency of information security protection across the financial, insurance, and securities industries, the competent authority requested the Taiwan Stock Exchange (TWSE) to invite the Taipei Exchange (TPEx) and the Taiwan Securities Association (TWSA) to jointly develop consistent information security diagnostic measures suited to securities firms’ characteristics, by referring to the “Computer System Information Security Assessment Measures for Financial Institutions” for the financial industry and the “Computer System Information Security Assessment Principles for the Insurance Industry” for the insurance industry.

After reviewing the information security diagnostic practices of the financial and insurance industries, the TWSE categorized internal computer systems into three categories based on their importance, and set assessment cycles for these categories. The general definitions of the categories are as follows:

Category 1: Internet application systems that can be directly connected from the external Internet, or systems that have a significant impact on operations.

Category 2: Systems that store large amounts of customer data (such as file servers, data warehouses, or customer service or sales systems), or systems that directly or indirectly provide customer service.

Category 3: Non-core information systems that have not been in contact with customer information or services, and systems or equipment that have no impact on operations.

Because the categories differ in importance, each has a corresponding assessment frequency: once a year for category 1, every three years for category 2, and every five years for category 3. If a major information security incident occurs in a single system, the information security assessment of that system should be completed again within three months.

However, the diagnostic methods of the financial and insurance industries differ slightly from those of government agencies. The financial and insurance industries mostly design testing items according to relevant industry regulations, and the information security diagnostic content of each industry is formulated from the perspective of financial technology application and regulatory management. A brief explanation is provided as follows:

1. Inspect the information architecture

The emphasis is placed on the maximum impact and risk bearing capacity of single point failures in the network architecture, as well as the appropriateness of measures taken for operation continuity and the use of F-ISAC intelligence.

2. Inspect network activities

Monitor specific network attack patterns and abnormal network activities and behavior, such as connections to malicious IPs; look for specific patterns of abnormal network connections or abnormal domain name system (DNS) queries; and compare them against known malicious IPs or C&C servers, or against characteristics of malicious network behavior.
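Both the government-agency items on packet monitoring and network-device log analysis (section II, item 2) and the financial-industry item on network activities above describe the same check: compare observed connections and DNS queries against known malicious IPs, C&C domains, and behavioral patterns. The following Python script is an added example, not code from the original article or from TWSE. The log line formats, the blocklist (documentation address ranges and `.test` domains, not real indicators) and the sample log lines are all constructed; the beaconing heuristic (near-constant connection intervals between one source and one destination) is one common pattern for the “characteristics of malicious network behavior” the text mentions, and the threshold values are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist: RFC 5737 documentation ranges and .test names, not real indicators.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
BLOCKED_DOMAINS = {"c2.example-bad.test", "tracker.example-bad.test"}

# Constructed line formats for firewall connection logs and DNS query logs.
FW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+)$")


def ip_is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def domain_is_blocked(name: str) -> bool:
    # Matches a listed domain or any subdomain of it (beacon.c2.example-bad.test -> c2.example-bad.test).
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def find_blocklisted_connections(fw_lines: list[str]) -> list[tuple[str, str, int]]:
    hits = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and ip_is_blocked(m["dst"]):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def find_blocklisted_queries(dns_lines: list[str]) -> list[tuple[str, str]]:
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and domain_is_blocked(m["query"]):
            hits.append((m["client"], m["query"]))
    return hits


def find_beacons(fw_lines: list[str], min_count: int = 5, max_jitter_ratio: float = 0.1):
    """Flag (src, dst) pairs that connect at near-constant intervals, a beaconing pattern.

    Thresholds are assumptions for the example: at least `min_count` connections whose
    interval standard deviation is within `max_jitter_ratio` of the mean interval.
    """
    times = defaultdict(list)
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            times[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append((src, dst, round(avg, 1)))
    return beacons


# Constructed sample logs: a 60-second beacon to 192.0.2.50, one hit on the IP blocklist,
# irregular traffic that should not be flagged, and one DNS query under a listed C&C domain.
FW_LOG = [
    f"2024-03-01T10:0{i}:00 src=10.1.2.3 dst=192.0.2.50 dport=443 action=allow" for i in range(6)
] + [
    "2024-03-01T10:02:15 src=10.1.2.3 dst=203.0.113.10 dport=443 action=allow",
    "2024-03-01T10:00:00 src=10.1.2.4 dst=192.0.2.80 dport=443 action=allow",
    "2024-03-01T10:00:07 src=10.1.2.4 dst=192.0.2.80 dport=443 action=allow",
    "2024-03-01T10:02:30 src=10.1.2.4 dst=192.0.2.80 dport=443 action=allow",
    "2024-03-01T10:02:31 src=10.1.2.4 dst=192.0.2.80 dport=443 action=allow",
    "2024-03-01T10:09:00 src=10.1.2.4 dst=192.0.2.80 dport=443 action=allow",
]
DNS_LOG = [
    "2024-03-01T10:00:05 client=10.1.2.3 query=beacon.c2.example-bad.test",
    "2024-03-01T10:00:09 client=10.1.2.4 query=www.example.test",
]

if __name__ == "__main__":
    print("blocklisted connections:", find_blocklisted_connections(FW_LOG))
    print("blocklisted DNS queries:", find_blocklisted_queries(DNS_LOG))
    print("beacon candidates:", find_beacons(FW_LOG))
```

The beacon check deliberately does not depend on the blocklist: the 192.0.2.50 destination is not listed, yet its fixed 60-second cadence is what the diagnostic item calls a characteristic of malicious network behavior, so it surfaces as a candidate for analyst review rather than an automatic verdict.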

3. Test network equipment, servers, terminal devices, and IoT devices

Perform vulnerability scanning and patching operations on network equipment, servers, terminal devices, and IoT devices within the tested unit. Also inspect the complexity of system account login passwords as well as the storage protection mechanism and access control of external connection passwords (such as file transfer protocol (FTP) connection, and database connection).

4. Require information security enhancement measures for network devices, servers, and IoT devices that can be directly connected from the external Internet

Conduct penetration testing for external systems, and source code scanning or black box testing for server applications. Inspect the server directory and webpage access permissions, and establish an anti-tampering mechanism for external websites and webpages. Detect whether the system has abnormal authorization connections, abnormal CPU resource consumption, and abnormal data access behavior.

5. Inspect customer-end applications

Conduct security testing for customer-end applications, such as sensitive data protection testing and encryption key protection testing.

6. Inspect security settings

Due to their need for electronic transactions, the financial and insurance industries utilize a wide range of applications for encryption keys. Therefore, the storage protection mechanism and access control of the tested unit’s encryption keys need to be tested.

7. Inspect the information system’s reliability, security, countermeasures against assaults, and compliance

Information security protection involves a wide range of business areas. In addition to basic information security regulations, the financial and insurance industries have a number of regulations for handling specific strengthened requirements of information security. To ensure enforcement of relevant regulations, the compliance of the tested unit with the regulations needs to be inspected.

8. Inspect the drills for distributed denial-of-service (DDoS) attacks and social engineering

Given the multitude of external service systems in the financial and insurance industries, the tested unit’s handling of drills for DDoS attacks and social engineering needs to be inspected, for example, the establishment of related response procedures and the strengthening of cybersecurity education.

The above is a brief introduction to the differences between the financial and insurance industries and government agencies. As can be seen from the above, because the financial and insurance industries have many channels for providing external services, and need to consider issues such as operational continuity, transaction security, and data protection, their information security diagnostic items are slightly different from those of government agencies. Given that the business nature of the securities industry is more in line with that of the financial and insurance industries, the planning of information security diagnostics can be reasonably handled in a similar manner.

IV. Epilogue

In the increasingly severe environment of information security threats, the digital transformation of securities businesses and services has brought improvements in operational efficiency and service quality; however, it also significantly increases the risk of attacks on securities firms’ information systems. By conducting regular and systematic information security diagnostics, securities firms can not only detect potential weaknesses in their systems early, but also establish a comprehensive risk management mechanism. The practical experience of government agencies as well as the financial and insurance industries also shows that information security diagnostics are no longer a one-off operation but should be regarded as one of the long-term and continuous tasks of information security management. In the future, the TWSE will continue to work with the regulatory authorities to develop information security diagnostic content suitable for securities firms, and guide securities firms in handling information security diagnostics by referring to the graded management and compliance inspection systems, in order to strengthen securities firms’ defense capabilities and response resilience, ensure the stability of business operations and the security of customer data, and achieve true enforcement of cybersecurity governance in the securities market.