Introduction
With the rapid advancement of digital technology, the business model of the securities industry is undergoing an unprecedented transformation. Traditional manual order placements and physical branch services are gradually being replaced by electronic trading platforms and mobile device-based order systems. While these new technologies have significantly improved trading efficiency and market participation, they have also exposed securities firms to a broader and more complex array of cyber threats. The authentication of identities, transaction instructions, and personal data involved in the securities trading process, if compromised by cyberattacks, can lead to significant financial losses and reputational damage for securities firms and may even jeopardize the stability of the securities market.
To address these risks, securities firms have continuously strengthened their information and communication security measures. In addition to supporting the regulatory authority’s recent initiatives – namely the “Financial Cybersecurity Action Plans” 1.0 and 2.0, which aim to establish a cybersecurity-conscious organizational culture, enhance governance capabilities, and ensure system resilience and data security – firms have also actively cooperated with our company’s guidance. Securities firms have been diligently implementing various enhanced measures under the “Establishing Information Security Inspection Mechanisms for Securities Firms,” including vulnerability scanning, penetration testing, and cybersecurity health checks, thereby gradually strengthening their overall cyber defense capabilities. However, recent cases have shown that even with basic cybersecurity protections in place, firms may still suffer damage from cyberattacks if they lack integrated risk management and real-time response capabilities. Therefore, identifying potential risks and conducting repeated drills are essential for effectively responding to various forms of attacks.
This article primarily analyzes the main sources of cyberattacks targeting securities firms, including various attack types originating from hacker groups, fraud syndicates, internal personnel errors, and cybersecurity vulnerabilities in third-party service providers. It further outlines response strategies from technical, organizational, and regulatory compliance perspectives. Additionally, real-world case studies are referenced, along with a summary of our company’s key cybersecurity initiatives in recent years, aimed at serving as a practical reference for securities firms and cybersecurity professionals.
Common types of cyberattacks on securities firms
With the rapid development of digital services, securities firms are increasingly exposed to various cyber threats. Based on past data and the analysis in this article, the main cybersecurity risks faced by securities firms can generally be classified into three major categories: attacks on websites and systems; identity and transaction impersonation attacks; and risks stemming from third-party service providers. These threats may result in service disruptions and data breaches, potentially compromising the overall stability of the securities market.
Website and system attacks
- DDoS attacks: Overwhelming traffic can cripple securities firms’ websites and trading platforms. Hackers use large-scale botnets to launch traffic attacks on trading websites or API servers, preventing legitimate users from connecting or placing orders. This type of attack not only paralyzes the system but can also be used to cover up other infiltration activities. In 2017, domestic securities firms were collectively targeted by a DDoS attack, with the maximum attack traffic reaching 2 to 3 Gbps. The attack lasted approximately 20 to 60 minutes, causing disruptions to the trading platform services of multiple securities firms. In September 2024, multiple TWSE-listed companies also suffered DDoS attacks, indicating that denial-of-service attacks continue to disrupt the services of organizations on a regular basis. System availability has therefore become a primary defense priority.
- SQL injection and XSS: Web vulnerabilities may allow malicious commands to be implanted, leading to data theft or damage. Hackers supply unfiltered input that the application interprets as SQL statements or JavaScript, allowing them to read databases and steal user credentials, transaction records, and other information. User login interfaces and order placement modules in particular are easy targets if input validation and WAF protection are not implemented. Many systems are still affected by these attacks today. Conducting source code reviews and vulnerability scans can effectively reduce their occurrence.
Identity and transaction impersonation attacks
- Phishing attacks: Forged websites or messages may deceive users into entering their account credentials. Hackers can impersonate securities firms by sending SMS messages or emails containing links that trick users into entering their account credentials and one-time passwords (OTPs). Recent international news reports have revealed that several Japanese brokerage clients have had their account passwords stolen by fake websites, resulting in their accounts being hacked and their stocks being sold without their consent. The hackers then purchased low-value or illiquid stocks, drove up the prices, and earned huge profits from the price differences. Such attacks do not follow a fixed pattern, making them difficult to prevent completely. Only by continuously educating investors about such fraud can we reduce the risk of them falling victim to fraud and phishing. For example, our company recently launched a 5D anti-fraud campaign: “Do not answer unknown calls, do not click on unknown links, do not listen to investment tips, do not be afraid of unknown threats, and do not give out personal information.” This campaign aims to improve cybersecurity and anti-fraud awareness across the entire market. In addition, securities firms use anomaly pattern analysis to detect and prevent unauthorized applications for trading certificates.
- Man-in-the-middle attack: Data may be intercepted during transmission. In an insecure or forged network environment, attackers can intercept data transmissions between users and servers. Without TLS encryption and server certificate verification mechanisms, user accounts and transaction information may be compromised.
- Social engineering: Customers or internal personnel may be deceived into revealing sensitive information. Hackers impersonate customer service personnel or internal engineers and use telephone calls, Line, or chatbots to obtain OTPs and personal information or to guide users into downloading malicious programs. Such attacks are often combined with phishing attempts to achieve fake logins or transactions.
Third-party services and supply chain risks
- API interface risks: Suppliers fail to properly authenticate API requests or encrypt transmissions.
- Outsourced service provider maintenance connection vulnerabilities: Outsourced service providers perform maintenance via remote connections, allowing external threats to infiltrate the securities firm’s internal environment from the provider.
Recent actual case studies
Case 1: In September 2024, a domestic financial holding company suffered DDoS attacks.
Several websites and services operated by subsidiaries of a certain financial holding company experienced connection instability and crashes due to a DDoS attack launched by a hacker group against its financial platform. The attackers flooded the relevant websites with a large number of legitimate web requests, causing the servers to exhaust their processing resources. The attack lasted several days, with durations ranging from tens of minutes to a few hours. The attackers launched the attack via a botnet, using multiple IP sources to reduce the effectiveness of single-point blocking and increase the difficulty of defense. Analysis of this attack pattern shows that the disruption targets the service itself, exhausting server processing capacity with valid-looking requests rather than saturating bandwidth. Attacks are no longer the single-pattern kind seen in the past; they now closely – almost indistinguishably – mimic normal browsing behavior. Identification and filtering of such attacks require the use of a Web Application Firewall (WAF) combined with behavioral analysis techniques.
Case 2: Customer securities accounts hacked in the Japanese market in 2025.
According to foreign media reports, a large number of client securities accounts at Japanese online securities firms were accessed without authorization and used for unauthorized transactions in a cybersecurity incident. Hackers used phishing websites and social engineering to steal users’ account credentials and carry out unauthorized transactions. Because attackers continuously update their phishing methods and combine them with social engineering, investors are more easily deceived. Analysis shows that this type of attack can only be effectively prevented by detecting abnormal behavior patterns and leveraging a collaborative cybersecurity defense.
Case 3: In 2024, insufficient API authentication at a foreign securities firm led to abnormal trading activity.
The securities firm partnered with a third-party asset management application to offer API access, allowing clients to place orders directly from the app to the brokerage platform. A cybersecurity company discovered that the API lacked client-side authentication and signature requirements. With access to the API parameters and basic account information, attackers could simulate legitimate requests and issue trading commands. This vulnerability was exploited, leading to disorganized transaction records and abnormal account balances for some users. The securities firm immediately suspended the API service, initiated incident reporting, and conducted an internal audit. The incident drew the attention of local regulatory authorities, leading to a revision of the API integration security guidelines. All securities firms were advised to adopt OAuth 2.0, JWT signing, and TLS-encrypted communication. This case highlights that third-party integration services should not focus solely on functional convenience but must also incorporate security architecture and authentication mechanism design.
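To make the Case 3 flaw and its remedy concrete, the following Python contrasts an order endpoint that trusts the account id in the request body with one that requires a per-client request signature, a fresh timestamp and a single-use nonce. This is an added example written for this article, not code from the affected firm or any regulator; it uses HMAC-SHA256 rather than the JWT/OAuth 2.0 stack named above so that it runs on the standard library alone, and the client id, shared secret, header names and request layout are all assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed per-partner secrets, issued to the third-party app out of band.
CLIENT_KEYS = {"partner-app-01": b"constructed-shared-secret"}
MAX_SKEW_SECONDS = 300      # reject requests whose timestamp is more than 5 minutes off
_seen_nonces = set()        # replay cache; production needs a shared store with expiry


def canonical_string(method, path, client_id, timestamp, nonce, body):
    """Bind every security-relevant field of the request into one signed string.

    The JSON body is re-serialised with sorted keys so that client and server
    hash exactly the same bytes regardless of how the body was originally encoded.
    """
    body_json = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body_hash = hashlib.sha256(body_json).hexdigest()
    return "\n".join([method.upper(), path, client_id, str(timestamp), nonce, body_hash])


def sign_request(method, path, client_id, timestamp, nonce, body):
    """HMAC-SHA256 over the canonical string, keyed with the partner's secret."""
    msg = canonical_string(method, path, client_id, timestamp, nonce, body).encode()
    return hmac.new(CLIENT_KEYS[client_id], msg, hashlib.sha256).hexdigest()


def place_order_unsigned(request):
    """Case 3 behaviour: the account id in the body is the only 'credential'.

    Anyone who learns the parameter layout and an account id can place orders.
    """
    body = request["body"]
    if "account_id" in body and "symbol" in body:
        return ("accepted", body["account_id"])
    return ("rejected", "missing fields")


def place_order_signed(request, now=None):
    """Hardened handler: authenticate the caller before touching the order."""
    now = time.time() if now is None else now
    headers = request["headers"]
    client_id = headers.get("X-Client-Id")
    if client_id not in CLIENT_KEYS:
        return ("rejected", "unknown client")
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return ("rejected", "bad timestamp")
    if abs(now - ts) > MAX_SKEW_SECONDS:            # limits how long a captured request stays valid
        return ("rejected", "stale timestamp")
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:          # each signed request may be accepted once
        return ("rejected", "replayed nonce")
    expected = sign_request(request["method"], request["path"], client_id, ts, nonce, request["body"])
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return ("rejected", "bad signature")
    _seen_nonces.add(nonce)
    return ("accepted", request["body"]["account_id"])


def build_request(client_id, body, timestamp, nonce, sign=True):
    """Constructed partner-app request; sign=False mimics a caller without the key."""
    headers = {"X-Client-Id": client_id, "X-Timestamp": str(timestamp), "X-Nonce": nonce}
    if sign:
        headers["X-Signature"] = sign_request("POST", "/v1/orders", client_id, timestamp, nonce, body)
    return {"method": "POST", "path": "/v1/orders", "headers": headers, "body": body}
```

The unsigned handler accepts a request built without the key, while the signed handler rejects it, rejects a replay of a valid request, a stale timestamp, and a body altered after signing.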
Cybersecurity protection and management mechanisms
In the face of increasingly rampant cybersecurity threats, securities firms must integrate technology, management, and regulatory compliance to establish a comprehensive cybersecurity defense system. Cybersecurity is no longer a responsibility confined to a single department; it requires cross-departmental collaboration and must be integrated into overall operational risk management. This chapter will outline practical protection strategies and management approaches from three key perspectives.
Technical aspect
To address the ever-evolving nature of cyberattacks, cybersecurity defenses must be built upon a defense-in-depth architecture. This approach involves integrating multiple layers of security mechanisms to guard against various types of attacks. Even if one layer fails to block an intrusion, other supporting or backup measures can take over. As a result, attackers must overcome each protective layer individually to successfully breach the system.
- Firewalls, IPS, and WAF: Firewalls can block unauthorized access attempts, while intrusion detection and prevention systems actively analyze traffic and match attack signatures to provide early warnings and block threats before abnormal events occur. For example, to defend against DDoS attacks, securities firms can deploy traffic filtering and load balancing devices, such as cloud scrubbing services, as frontline protection. WAFs are specifically designed to block web-application-level attacks such as SQL injection, XSS, and CSRF. They are suitable for trading platforms and open API interfaces and can be combined with log tracing and behavioral analysis to enhance detection efficiency.
- TLS/SSL encryption: HTTPS (TLS 1.2 or higher) must be enforced for all trading, login, and query operations to prevent man-in-the-middle attacks and protect data from being leaked during transmission.
- Certificates and PKI architecture: Ensure that investors connect to the legitimate brokerage server – not a phishing site – when logging into the securities firm’s website.
- MFA (multi-factor authentication to strengthen identity protection): In addition to username and password, additional authentication factors such as OTP (One-Time Password), MID (Mobile Identity Authentication), or biometric verification should be implemented to reduce the risk of impersonation.
- SOC (security operations center) and SIEM (security information and event management): These enable real-time monitoring of abnormal behaviors and cybersecurity incidents. Through centralized monitoring, event correlation analysis, and behavioral modeling, they can detect anomalies early and respond promptly. Large securities firms may implement 24/7 cybersecurity monitoring with tiered alert systems.
- EDR (endpoint detection and response): EDR focuses on monitoring, detecting, and responding to suspicious activities and potential threats on endpoint devices such as desktops, laptops, and mobile devices. Unlike traditional antivirus software, EDR provides continuous surveillance, behavior analysis, and immediate response capabilities. This enables early detection of abnormal activities during an attack and supports cybersecurity teams in their investigation and incident response.
- DLP (data loss prevention): The purpose is to prevent sensitive data from being leaked, miscommunicated, or disclosed to external environments without authorization. The DLP system can identify, monitor, and protect critical data within an organization (such as personal data, financial information, and trade secrets), and block or alert based on policy rules to prevent data from being leaked through email, USB devices, cloud services, or other transmission channels.
- Zero Trust architecture: Trust is not assumed for any internal or external devices or accounts. All internal and external network requests must be authenticated based on the device, identity, and behavior. Segmentation strategies can be used to enhance internal network control and reduce the risk of lateral movement.
- Continuous operation management: Through standby systems, backups, and business continuity plans (BCP), uninterrupted service can be ensured, and systems can be quickly restored in the event of damage or ransomware attacks.
Management aspect
Having only technology and equipment, but lacking sound management systems, may render all mechanisms ineffective. After all, personnel management is often the most critical factor among all defense strategies. Therefore, strengthening cybersecurity governance for securities firm employees and clients can enable cybersecurity measures to function more effectively.
- Principle of least privilege: Accounts for hosts and applications, as well as firewall rules, should be configured according to the principle of least privilege to ensure that attackers cannot easily obtain high-privilege accounts for access.
- Vulnerability scanning and penetration testing: System vulnerabilities should be regularly detected through automated scans across multiple points, such as web applications, mobile apps, and internal management systems. Additionally, external teams should periodically conduct simulated penetration testing to help identify any unnoticed security flaws.
- Training and education: Training and education can strengthen cybersecurity awareness among employees and clients. For example, phishing email simulations, social engineering tests, and cybersecurity assessments can be conducted for internal employees, and information security can be regularly disseminated to clients to enhance the overall cybersecurity culture.
- Information security contingency drills and incident reporting mechanisms: By establishing reporting and contingency processes and rehearsing them regularly, incidents can be handled and reported in a timely manner.
- Regular monitoring of abnormal behavior: Instances such as multiple IPs logging into a single account or a single IP logging into multiple accounts should be recorded and analyzed.
- Cultivating an organizational culture that prioritizes cybersecurity: Cybersecurity-related responsible officers are appointed to coordinate the promotion of cybersecurity policies and allocate resources. Additionally, professionals are included to participate in management operations, effectively integrating cybersecurity risks into business decision-making and fostering an organizational culture that values cybersecurity.
Regulatory aspect
In addition to management and technical integration, compliance with regulations can further enhance the overall synergy of various information security measures. The implementation of regulations is not limited to compliance; rather, it involves the integration of joint prevention across the entire industry. The cybersecurity-related regulations that securities firms must currently comply with, as well as the key points of our company’s guidance for securities firms in implementing various cybersecurity policies, are described below:
- Cybersecurity-related regulations that securities firms must comply with:
  - Setting up cybersecurity inspection systems for securities firms: To enhance the overall cybersecurity protection of securities firms, they should identify critical information assets, regularly assess potential risks, strengthen account management, and clearly classify system permissions to prevent unauthorized access. They shall also regularly conduct system vulnerability scans to quickly address known vulnerabilities. Securities firms should implement monitoring systems to detect abnormal behaviors and potential attacks early and enforce cybersecurity incident reporting mechanisms to ensure the timely handling and reporting of incidents, thereby strengthening the overall synergy of collaborative cybersecurity defense. They should enhance outsourcing and supply chain management to effectively reduce external threat risks. Additionally, securities firms should improve employee cybersecurity awareness, conduct regular internal audits, and implement continuous improvements to reinforce the organization’s overall cybersecurity protection.
  - Self-regulatory guidelines for cybersecurity protection of securities firms: These guidelines are established to strengthen the network and information security of securities firms. They cover various areas including network equipment management, network security protection, electronic trading security, and personal data protection. The purpose is to ensure the security of the securities firms’ network environment, safeguard clients’ rights and personal data, and enhance the overall information security level of the securities market.
  - Self-regulatory guidelines for information system security protection for securities firms: These guidelines are established to strengthen the security protection of information systems, thereby ensuring the safety of customer data and transaction activities. The scope of the guidelines includes account access control, identity authentication, IT auditing, network security, data protection, incident reporting, system and service availability, and business continuity management. Securities firms are required to perform regular security assessments and vulnerability remediation.
  - Self-regulatory guidelines for risk management of information systems and service supply chains for securities firms: These guidelines are established to enhance securities firms’ risk management in the selection, management, termination, and disengagement of information service providers related to their information systems. The guidelines cover multiple aspects, including contract signing, supplier evaluation, security standards, responses to cybersecurity incidents, and management of outsourcing relationships.
  - Self-regulatory guidelines for cybersecurity in emerging technologies: These guidelines are established to enhance cybersecurity management when securities firms adopt emerging technologies, in order to ensure the protection of client data and transaction security. The guidelines cover areas such as cloud services, social media security controls, mobile application management, IoT device security, phishing prevention, client identity authentication, and defense against deepfakes, aiming to mitigate the risks introduced by emerging technologies.
  - Guidelines for information operation resilience: These guidelines help securities firms effectively implement contingency measures and limit damage to an acceptable level in the event of a core system interruption. They cover information resilience management organizations, operational impact analysis, operational continuity management and operational continuity plan exercises, standbys and backups, emergency response measures, drills, and training.
- Key focus areas of our company’s initiatives: In response to various cybersecurity policies issued by regulatory authorities in recent years – such as the Financial Cybersecurity Action Plan and the Directions for Operations Outsourcing by Securities Firms – our company has actively aligned with these directives and provides guidance to help securities firms implement the relevant cybersecurity measures. Through the following key areas, we aim to strengthen the overall cybersecurity resilience of the securities market. The specific areas are described as follows:
  - Timely revision and promotion of relevant regulations: We have established tiered protection requirements for securities firms and promoted the adoption of international standards, such as the ISO 27001 Information Security Management System, to strengthen the cybersecurity governance capabilities of these firms.
  - Assisting securities firms in regulatory compliance: Through annual routine audits and selected case audits, our company helps securities firms implement cybersecurity regulatory requirements, with the goal of strengthening cybersecurity supervision.
  - Implementing cybersecurity incident reporting and strengthening collaborative defense: We assist securities firms in implementing effective cybersecurity incident reporting mechanisms to ensure timely access to threat intelligence. This facilitates rapid coordination and joint defense among industry peers, thereby enhancing overall cybersecurity protection capabilities.
  - Deepening cybersecurity education and training: We hold cybersecurity-related seminars every year to raise awareness and response capabilities within the industry. We also encourage employees of securities firms to participate in ISO 27001 lead auditor training courses to cultivate cybersecurity governance talent within these firms.
  - Promotion of Zero Trust architecture: Our company actively promotes the adoption of a financial Zero Trust architecture among securities firms and has conducted multiple briefing sessions. The stock exchange encourages participants in the securities industry to implement Zero Trust, aiming to enhance the overall cybersecurity level of the securities market and ensure business continuity and security.
Conclusion
Facing increasingly severe cybersecurity challenges and constantly evolving threat techniques, securities firms should understand that cybersecurity is not merely about compliance but about enhancing operational resilience. Therefore, they must not only continuously strengthen existing defense measures but also proactively deploy future cybersecurity defenses.
Through a comprehensive observation of current cybersecurity developments in the capital markets, it is clear that securities firms, as key participants, are under constant threat from a wide range of cyberattacks. From phishing scams to system outages, from API vulnerabilities to supply chain infiltrations, each cybersecurity incident can cause not only financial losses but also erode customer trust, destabilize the market, and even lead to regulatory liabilities and damage to brand reputation.
Regarding common cyberattack methods, this article provides securities firms with reference approaches for building defense mechanisms, cybersecurity governance, and regulatory compliance. It also offers an analysis of real-world cases and presents multiple concrete pieces of advice. It is recommended that securities firms establish multi-layered technical measures in their cybersecurity defense architecture and strengthen organizational governance, as well as reporting and response processes in their management, to continuously comply with and implement international standards and regulatory requirements.
Cybersecurity is an endless battle against risk and the cornerstone of sustainable business operations. Securities firms should adopt a “zero tolerance for cybersecurity” philosophy, embedding the core concept of cybersecurity awareness into their organizational culture and management practices. By integrating technical, managerial, and regulatory compliance aspects, they can truly achieve the sustainable goal of delivering secure, convenient, and uninterrupted financial services.