Focus

Audit Findings on Common Cybersecurity Deficiencies in Securities Firms and Corresponding Improvement Measures

Elliot Liu
Senior Associate at TWSE

Preface

In an environment where digitalization and mobile technology are rapidly proliferating, cybersecurity has become a core component of corporate governance and operational resilience for securities firms. From mobile ordering and electronic certificates to API transactions and the supply chain, any lapse in these processes can be exploited by attackers, potentially leading to service disruptions, personal data breaches, reputational damage, or significant regulatory penalties. Securities trading services encompass market quotes, order execution, and the settlement of funds and securities. Because of this complex chain, the attack surface is broader and the opportunities for exploitation are greater than in typical industries, making the associated risks higher. Facing threats such as ransomware, phishing and social engineering, fraudulent certificate applications, zero-day vulnerabilities, and supply chain risks, regulatory authorities have promoted initiatives like the Financial Cyber Security Action Plan and other improvement measures. Through strategies such as strengthening cybersecurity supervision, deepening cybersecurity governance, enhancing cybersecurity resilience, and leveraging collaborative cybersecurity defense, cybersecurity is embedded in the daily operations of organizations, thereby fostering a cybersecurity-conscious organizational culture, improving cybersecurity governance capabilities and standards, and ensuring continuous system operation and data protection. As a result, risks are significantly reduced, enabling the pursuit of secure, convenient, and uninterrupted financial services.

Lessons learned from external experiences can serve as valuable references. By studying existing cybersecurity incident cases, we can more effectively identify gaps in protection and better focus our resource allocation on critical areas. This article provides a concise overview of our audit focus areas and summarizes regulatory authorities’ penalty cases, common deficiency patterns, associated risks, and recommended improvements, with the aim of helping firms strengthen their cybersecurity defenses and enhance operational resilience.

Our company’s audit

Institutionalization and continuous improvement are essential components of strengthening cybersecurity protection. To assist securities firms in establishing policies and complying with regulatory requirements, our company not only helps them develop internal frameworks and implement relevant regulations but also supports them in enhancing cybersecurity governance and internal controls through audit and advisory mechanisms. The primary audit focus areas are as follows:

[Establishing a Cybersecurity Inspection Mechanism for Securities Firms]
The inspection scope covers the following control domains: risk assessment and management, information security policies, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity management, compliance, emerging technology management, colocation services for servers, and other supplemental matters. Through relevant audits and advisory practice, the cybersecurity governance framework can be effectively strengthened, building a robust defense-in-depth architecture.

[Required Actions for Tiered Security] Considering risk and the effective use of resources, regulatory authorities classify securities firms into four tiers based on criteria such as paid-in capital, and specify the protection measures that should be implemented for each tier. The current inspection procedures aim to assess the status of securities firms’ cybersecurity management according to their assigned level. For example, whether firms required to appoint a Chief Information Security Officer have established offsite backup data centers for trading servers, and whether securities firms at each level have appropriately allocated cybersecurity personnel.

[Personal Data Protection in Cyber Operations] To strengthen the management of personal data by securities firms, they currently implement controls in accordance with the “Regulations on the Security Maintenance of Personal Data Files by Non-Governmental Organizations Designated by the Financial Supervisory Commission.” Our company refers to these regulations to examine whether securities firms have properly conducted personal data inventories, implemented maintenance plans, and applied technical and managerial control measures.

[Co-Location Hosting Services] Verification is conducted to determine whether securities firms comply with co-location management regulations and usage principles, and meet relevant standards, in order to ensure cybersecurity protection and the fair treatment of clients.

[Outsourcing Management Operations] The review examines whether securities firms have established relevant risk management mechanisms for outsourcing, and whether contracts explicitly define the responsibilities and authority of entrusted institutions, as well as clauses for client information protection, in order to strengthen supply chain management, enhance operational resilience, and reduce the risk of business interruptions.

Description of Cybersecurity Deficiencies

Based on an overall review of recent enforcement actions issued by the competent authority against securities firms for cybersecurity deficiencies, as well as deficiencies disclosed by related institutions, the most common issues among securities firms stem from the inadequate implementation of internal procedures. The following sections outline the types of deficiencies, associated risks, and recommended improvements for securities firms.

[Inadequate Execution of Network System Vulnerability Scans]

Deficiency pattern: While some securities firms conduct vulnerability scans, issues persist, including insufficient scanning frequency, incomplete coverage, failure to track and remediate findings, and lack of verification records.

Risk impact: Inadequate vulnerability scanning leaves system weaknesses exposed for extended periods, increasing the likelihood of hacker intrusions and data breaches.

Improvement suggestion: Procedures for vulnerability scanning should be established, and the scan frequency should be specified as at least once every six months or conducted after major system changes. In addition, the scan scope should cover internal and external networks, as well as all outward-facing services. Mechanisms should be established to track remediation and perform rescans, with complete reports and audit records retained to ensure traceability.

[Inadequate Implementation of Network Segmentation Mechanisms]

Deficiency pattern: Some securities firms have not effectively separated internal and external networks, have mixed testing and production environments, or have poorly designed firewalls and related rules, resulting in unintended cross-zone connectivity.

Risk impact: If an attacker penetrates the internal network, they may move laterally across network segments and further compromise trading hosts or database systems, increasing the likelihood of data leakage.

Improvement suggestion: Network segments should be divided based on risk and purpose, following the principle of least privilege. Firewall rules and change records should be reviewed regularly, and automated network segmentation testing and communication monitoring tools should be implemented to strengthen the detection of abnormal traffic.

[Inadequate Account Privilege Control and Management]

Deficiency pattern: Account management serves as the first line of defense against internal abuse and external intrusion. Effective account management and control can significantly prevent the occurrence of network attack chains. However, some securities firms face issues such as the use of shared accounts, failure to promptly disable the accounts of departed employees, and overly simple passwords.

Risk impact: Poor account management can lead to the misuse of high-privilege accounts, increasing the risk of sensitive data leakage.

Improvement suggestion: Comprehensive procedures for account creation, modification, and deactivation should be established; an automated domain account association mechanism should be implemented; permissions should be reviewed biannually; shared accounts and default passwords should be prohibited; and mandatory password complexity and rotation cycles should be enforced.
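As an added illustration (not code from the article or from TWSE), the following check applies the account-control expectations above to a constructed account export: it flags enabled accounts belonging to departed staff, shared accounts with no individual owner, permissions not reviewed within the six-month cycle, and passwords older than an assumed 90-day rotation cycle (the article does not state a specific cycle). The account fields, the departed-staff roster and the dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

REVIEW_CYCLE = timedelta(days=183)    # "permissions should be reviewed biannually"
ROTATION_CYCLE = timedelta(days=90)   # assumed rotation cycle (not given in the article)

@dataclass
class Account:
    name: str
    owner: Optional[str]   # None marks a shared account with no individual owner
    enabled: bool
    privileged: bool       # administrative rights on trading hosts or databases
    last_review: date      # date of the last permission review
    password_set: date     # date of the last password change

def audit_accounts(accounts: List[Account], departed: Set[str], today: date) -> List[Tuple[str, str, str]]:
    """Return (account, severity, finding) triples for the deficiency patterns
    named in the article. Disabled accounts are skipped: they are already controlled."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        severity = "high" if a.privileged else "medium"   # misuse of privileged accounts is the main risk
        if a.owner in departed:
            findings.append((a.name, severity, "departed employee account still enabled"))
        if a.owner is None:
            findings.append((a.name, severity, "shared account with no individual owner"))
        if today - a.last_review > REVIEW_CYCLE:
            findings.append((a.name, severity, "permission review overdue"))
        if today - a.password_set > ROTATION_CYCLE:
            findings.append((a.name, severity, "password older than rotation cycle"))
    return findings

# Constructed sample export: an HR roster of separated staff plus four accounts.
TODAY = date(2025, 6, 30)
DEPARTED = {"wang"}
SAMPLE = [
    Account("wang_admin", "wang", True, True, date(2025, 5, 1), date(2025, 6, 1)),
    Account("ops_shared", None, True, True, date(2024, 11, 1), date(2025, 6, 15)),
    Account("chen", "chen", True, False, date(2025, 3, 1), date(2025, 6, 10)),
    Account("lin", "lin", False, False, date(2024, 1, 1), date(2024, 1, 1)),
]

if __name__ == "__main__":
    for name, severity, finding in audit_accounts(SAMPLE, DEPARTED, TODAY):
        print(f"[{severity}] {name}: {finding}")
```

Run against a real directory export, the same function gives the auditor a reproducible list to compare with the firm's own biannual review records.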

[Inadequate Retention of Computer Audit Logs and Digital Evidence]

Deficiency pattern: Audit logs serve as a crucial basis for investigating and tracking cybersecurity incidents. Some companies have not enabled full audit functionality, retain logs for insufficient periods, fail to centralize log management, or lack anti-tampering mechanisms, making it impossible to fully record system activities or analyze anomalous events.

Risk impact: Improper log management makes it difficult to trace the root cause of incidents and prevents an accurate assessment of actual losses.

Improvement suggestion: All systems and devices should record logins, changes, and anomalous activities; data should be centralized and analyzed through a SIEM platform; critical logs should be retained for at least 6 to 12 months with anti-tampering measures; and log retention and retrieval processes should be reviewed regularly.

[Inadequate Management of Application Programming Interfaces (APIs)]

Deficiency pattern: Some securities firms have not properly inventoried their APIs or implemented appropriate protections such as vulnerability scanning.

Risk impact: If the API inventory is incomplete or APIs are not included in vulnerability scans, they could become entry points for attacks, potentially leading to exposure of sensitive data or misuse of systems.

Improvement suggestion: A comprehensive inventory of all API assets should be compiled, and every API should be included in the scope of vulnerability scanning and penetration testing. API keys and access permissions must be rigorously controlled, and API traffic should be monitored for anomalous behavior.

[Inadequate Application Security Change Management]

Deficiency pattern: Some securities firms have deficiencies such as missing approval documents, deploying changes to production without prior validation in a test environment, or failing to verify the outcome after deployment.

Risk impact: Application changes that are not subjected to security review or code vulnerability scanning may introduce new vulnerabilities.

Improvement suggestion: A change management process should be established with integrated security review checkpoints. All versions should undergo code inspection and remediation of identified vulnerabilities before launching. Complete approval and testing records should be retained, and after major version launches, security validation reports and regression testing should be conducted.

[Inadequate Management of Firewalls and Network Devices]

Deficiency pattern: Some securities firms do not regularly verify firewall management and control rules or apply the principle of least privilege.

Risk impact: If firewall rules are overly permissive, improperly designed, not regularly reviewed, or configuration files are not backed up, the system may be exposed to external attacks.

Improvement suggestion: A change management system should be established for firewalls and network devices. Rules should be reviewed for necessity and appropriateness every six months, and redundant rules should be removed. Configuration files should be backed up periodically, and firmware update records should be verified. All modifications should undergo an approval and sign-off procedure.

[Inadequate Outsourcing Management Controls]

Deficiency pattern: Some securities firms have not properly implemented outsourcing management, for example, contracts may not require information audit rights or specify service level requirements.

Risk impact: If contract terms do not clearly define cybersecurity responsibilities and service levels, or lack audit and supervision mechanisms, achieving effective outsourcing control will be difficult.

Improvement suggestion: A system to manage outsourcing arrangements and a risk assessment process should be established; contracts should explicitly stipulate information security responsibilities, audit rights, and data protection clauses; and regular information security audits and report reviews should be conducted on outsourced businesses.

[Inadequate Implementation of Tiered Security Protection Measures]

Deficiency pattern: Regulatory authorities require securities firms to implement security measures at different tiers based on their size and business characteristics. Some firms have not complied with their assigned security tier; for example, they have not properly assigned cybersecurity personnel according to their tier or conducted regular backup simulations.

Risk impact: Security tiers are established based on the size of the securities firm. Failure to comply with these requirements may result in significant impacts on the securities market in the event of a cybersecurity incident.

Improvement suggestion: The requirements for tiered security protection should be put into practice, and a professionally certified Chief Information Security Officer should be appointed with cybersecurity personnel properly assigned; regular off-site backup simulation exercises should be conducted, and reports of these exercises should be retained. Additionally, the operation of cross-departmental emergency response teams and notification simulation exercises should be strengthened.

Company Implementation Results

With proactive cooperation from securities firms and continuous guidance from our company, intrusion prevention systems/intrusion detection systems (IPS/IDS) and web application firewalls (WAF) have been gradually implemented in recent years. The tiered security protection requirements have been gradually completed each year. External defenses have been established by securities firms through the implementation of network firewalls, application firewalls, and intrusion detection and prevention mechanisms, while internal cybersecurity management has been strengthened through the adoption of an ISMS framework. As the saying goes, “accumulating earth makes a mountain; accumulating water makes a deep pool” – the improvements in cybersecurity protection are the result of long-term investment and sustained effort. However, progress will not stop. Our company will continue to guide securities firms in implementing a zero-trust architecture and promoting cybersecurity assessments, while strengthening their operational resilience to ensure secure, convenient, and uninterrupted financial services.

Conclusion

The essence of cyber security lies in preventing problems early and preparing before risks materialize. Securities firms can only remain resilient in the rapidly evolving digital market by establishing robust systems, continuously conducting audits, and implementing timely improvements. Firms should develop cybersecurity from both management and technical perspectives, with regulatory compliance at the core, gradually implementing governance mechanisms, and strengthening monitoring and reporting processes to ensure both information security and customer trust. As the ancient saying goes: “In times of safety, do not forget danger; in times of survival, do not forget extinction; in governance, do not forget disorder.” Only through constant vigilance and continuous improvement can sustainable operations and the stability of the securities market be ensured.
