I. Foreword
As global digitalization and networking continue to advance, information security is no longer merely a technical issue; it has become a critical governance challenge involving national security, industrial development, and financial stability. The Global Risks Report 2025 by the World Economic Forum highlights “cybercrime and cybersecurity crises” as a top-tier, critical risk to global stability over the next two years, indicating that cybersecurity risk has become a key factor affecting the functioning of economies and societies.
Because the financial sector handles vast amounts of sensitive customer data and transaction information, and because its funds flows are highly concentrated, it has long been a target of international hacker organizations and cybercrime syndicates. In recent years, incidents involving ransomware, supply chain compromises, zero-day exploits, and distributed denial-of-service (DDoS) attacks have become more frequent, showing that the threats facing financial institutions are increasingly diverse and complex. A major cybersecurity incident may adversely affect business operations, regulatory compliance, and market confidence.
Amid complex geopolitical circumstances and the rapid development of the digital economy, Taiwan’s overall risk exposure continues to rise. During the COVID-19 pandemic, the rapid adoption of non-face-to-face financial services, remote work, and cloud applications significantly changed the system architectures and operating models of financial institutions. This has also expanded the potential attack surface, highlighting the urgent need for the financial sector to strengthen its cybersecurity defenses and risk management.
The Financial Supervisory Commission (FSC) continues to promote the establishment of robust cybersecurity governance at financial institutions through regulatory requirements and supervisory measures, so as to ensure the stable operation of the financial system.
Within the financial sector, the securities industry has evolved rapidly alongside digital trading models and fintech applications. Information systems are deeply integrated with trading platforms, customer service, back-office operations, and external supply chain environments, so the scope requiring cybersecurity protection keeps expanding. Cybersecurity incidents can affect investor rights, market order, and overall financial stability; information security has therefore become a cornerstone for maintaining investor confidence and ensuring stable operations in the securities market.
To continue strengthening the effectiveness of regulatory oversight of the securities market while enhancing overall cybersecurity resilience, the FSC conducted the “Comprehensive Cybersecurity Assessment for the Securities Industry” project again in 2025. The FSC engaged a third-party professional institution to identify the current information security status of, and the potential risks to, Taiwan’s securities industry. The assessment was carried out in accordance with international standards and applicable laws and regulations, and its scope covered organizational governance, operational management processes, and technical safeguard mechanisms. Complementary methods, namely institutional self-assessment questionnaires and technical exposure scans, were combined so that the cybersecurity protection capabilities and overall risk posture of each assessed securities firm could be reviewed objectively.
The assessment findings helped identify both the strengths and areas needing improvement in the securities industry’s cybersecurity defenses. Furthermore, the specific recommendations proposed served as a crucial basis for subsequent regulatory oversight, industry guidance, and risk management enhancement. The aim of this assessment was to continuously reinforce overall cybersecurity resilience, maintain stable market operations, and safeguard investors’ rights and interests.
II. Project Implementation Method
This comprehensive cybersecurity assessment examined the current cybersecurity status of the evaluated securities firms from multiple perspectives, covering not only organizational management but also a detailed analysis of each firm’s technical posture. Through questionnaire assessments and exposure scans, each firm’s cybersecurity management maturity and technical protection level were assessed separately in order to gauge its cybersecurity control capabilities. The implementation method consists of the following two key components:
(I) Questionnaire Assessment
Data on each securities firm’s cybersecurity management system, operational processes and control measures was collected through self-assessment questionnaires. The responses were then systematically inventoried, analyzed and compared to establish each firm’s current cybersecurity status and degree of management maturity.
The questionnaire was designed with reference to international information security standards and regulations, as well as practical guidelines for the domestic and international securities industries, such as ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), the Self-Discipline Standards for Information System Security Protection, the Self-Discipline Guidelines for Network Security Protection, the Financial Cybersecurity Action Plan 2.0, and international cybersecurity practice guidelines for the securities industry. The consultant team’s industry experience and methodologies were also incorporated into the structure and content of the questionnaire. The questionnaire comprised seven key categories, covering core risk issues spanning the governance, technical and operational domains, as detailed below:
1. Risks associated with AI and emerging technology adoption
Review the company’s adoption of AI or emerging technologies; evaluate their management and control mechanisms in information security and personal data protection.
2. Business continuity management
Assess the completeness and effectiveness of the company’s continuity management mechanisms, including notification mechanisms and recovery strategies, business continuity plan development, testing of disaster recovery procedures, establishment of backup centers for core information systems, and implementation of the ISO 22301 Business Continuity Management System.
3. Personal data protection
Assess the company’s implementation of the personal data protection system, including regulatory compliance; internal policies and operating procedures; management mechanisms for personal data collection, processing, and utilization; response measures for personal data breaches; and control mechanisms for storage media (e.g. USB) and external data transmission. Additionally, evaluate the procedures for destroying or deleting personal data upon expiration of the retention period.
4. Network security protection
Assess the security measures for the company’s information systems and network environment, including physical environment security; management systems and operating procedures; hardware, equipment, and firewalls; IoT device protection mechanisms; network connection security management; account and privilege controls; as well as computer audit log retention and monitoring mechanisms.
5. Supplier management
Assess the company’s risk management mechanisms for third-party service providers, including supplier selection and risk assessment procedures, remote access control policies, outsourced personnel management for accounts and privileges, the establishment of cybersecurity clauses in contracts, and regular audit and monitoring mechanisms.
6. Program change management
Assess the integrity and traceability of the company’s system development and change management systems, including the setup of development and testing environments, retention of system development documentation, code security testing mechanisms, version control processes, mobile application spoofing detection and device tampering detection mechanisms, and overall system development life cycle (SDLC) management.
7. Identity authentication management
Assess the identity authentication management and account protection mechanisms for the company’s online trading system, including account login authentication mechanisms, account lockout mechanisms, encryption of authentication data, transaction activity verification, and account protection mechanisms.
(II) Exposure Scan
Securities firms may have formulated comprehensive cybersecurity policies, operating procedures, and management mechanisms in compliance with relevant laws and regulations; however, due to configuration discrepancies, management gaps, or environmental changes, potential risk exposures may still arise at the technical implementation and system configuration levels. Most conventional cybersecurity assessments rely on questionnaires, self-assessments, or internal audits. Although they help examine the integrity of systems and documentation, they are less effective at identifying substantive risks hidden within technical details and external attack surfaces.
Given the above considerations, we continue to adopt the “exposure scan” approach, with assessment frameworks adjusted and improved compared to previous exposure scans. Through external observation and risk analysis mechanisms, the deficiencies of conventional institutional assessments in identifying technical risk exposures are addressed. This allows the assessment findings to be more aligned with actual threat scenarios while enhancing the completeness and objectivity of overall security posture management.
An exposure scan takes a non-intrusive detection approach from an external perspective—continuous security monitoring is carried out without disrupting the securities firm’s existing system operations or external services. This approach primarily involves collecting and analyzing information and digital footprints disclosed by securities firms in public online environments. The relevant security performance indicators – including potential technical vulnerabilities, signs of malware infection, and suspected system breaches – are then measured. Subsequently, an exposure score is calculated.
Based on real-time data for dynamic analysis, the scoring mechanism reflects changes in the current security posture. Simultaneously, by benchmarking against industry peers, securities firms can understand their relative security level within the industry. Additionally, the assessment incorporates historical trend analysis to track whether each securities firm’s security status has improved or deteriorated over time. This approach generates an overall rating that balances real-time conditions and long-term observations, offering a more comprehensive view of each securities firm’s network security status and level of risk exposure.
The assessment framework covers four core domains – “detection of known malicious activities,” “cybersecurity configuration compliance,” “user behavior risks,” and “public information exposure risks.” Depending on its risk attributes, each domain is further subdivided into multiple quantifiable technical indicators for evaluation. Through this multi-layered risk assessment framework, the level of cybersecurity protection and the potential exposure scenarios of each securities firm are systematically examined from an externally observable technical perspective. This serves as the foundation for the overall security posture analysis.
1. Detection of known malicious activities
This domain assesses abnormal activities such as malware, botnet activity, or unauthorized software, in order to determine whether the firm’s existing security controls effectively block malicious activity. Risks of this type may disrupt daily business and increase the likelihood of data breaches and lateral movement.
2. Cybersecurity configuration compliance
This domain involves collecting and analyzing publicly available technical information to evaluate the degree of implementation of the technical protection measures adopted by the company to prevent external attacks. This includes network service security configurations, system maintenance updates, and communication security protections. This is to measure whether security configurations align with industry security standards and best practices, thereby reflecting the overall security posture and level of protection.
3. User behavior risks
This domain focuses on high-risk online activities that company employees may engage in, such as unauthorized file sharing, use of compromised credentials, or password reuse. If not properly managed, these behaviors may become entry points for malware or social engineering attacks, potentially leading to cybersecurity incidents or breaches of sensitive data.
4. Public information exposure risks
This domain primarily evaluates the company’s public information for risks of improper access or exploitation. This includes past data breaches, general security incidents, and other publicly disclosed content that may expose company vulnerabilities or sensitive information.
(III) Calculation of Assessment Findings and Scoring Mechanism
1. Calculation method for questionnaire assessment findings
(1) The final assessment score of each securities firm is calculated by weighting the scores across all categories in order to reflect the importance of different areas. Standardized scores ensure their comparability, reflecting each firm’s relative level of control.
(2) Based on the overall scores, the assessment findings are categorized into three levels: “Excellent,” “Satisfactory,” and “Improvement Required” – facilitating the clear presentation of the cybersecurity management level of each securities firm.
(3) For the seven key categories covered by the questionnaire, statistical methods are applied: descriptive statistics such as the mean and standard deviation are computed and the control levels across the seven categories are compared. This enables benchmarking against industry peers and identifies the categories in which control gaps are most significant.
2. Scoring for exposure scans
An exposure scan quantitatively analyzes technical protective status. The results are converted into comparable scores through standardization and weighting mechanisms, reflecting the level of external technical exposure.
Based on the final scoring results, the overall level of cybersecurity protection is categorized into: “Basic,” “Good,” and “Excellent.” The aforementioned levels are used to represent the relative technical protection levels of each securities firm.
3. Composite scoring method for cybersecurity control levels
To comprehensively and objectively evaluate each securities firm’s cybersecurity control level, this project adopts a comprehensive assessment model – combining scores from two key areas – “questionnaire assessment” and the “exposure scan.” The overall cybersecurity control level of each securities firm is calculated through quantitative weighting.
Statistical analysis methods are simultaneously employed to grasp the distribution and dispersion of the overall industry-wide cybersecurity protection levels, so as to assess the overall risk posture of the industry.
For securities firms unable to undergo an exposure scan, their composite scoring will be based solely on their questionnaire assessment findings, which will serve as the primary measure of cybersecurity control levels.
4. Scoring calculation method
This assessment adopts a weighted composite scoring system, calculated as follows:
Composite cybersecurity control score = (weight of the questionnaire assessment × standardized questionnaire assessment score) + (weight of the exposure scan × standardized cybersecurity exposure scan score). Each assessed securities firm’s comprehensive score is obtained by applying the respective weights to its two standardized scores.
The weighting principle reflects that the cybersecurity management system forms the foundation of the overall protection system, complemented by observations of external technical risk exposure. Standardizing the data removes measurement discrepancies between the different detection tools, ensuring that the findings objectively reflect each firm’s relative protection level within the industry.
5. Classification criteria of assessment levels
This assessment applies the percentile method to the overall cybersecurity control score of each securities firm. All assessed firms are ranked by score and divided into three levels, which presents each firm’s relative cybersecurity protection level within the industry. The classification criteria are as follows:
- “Excellent”: The firm’s overall score is well above the industry average, demonstrating outstanding control standards.
- “Satisfactory”: The firm’s control standards meet the basic requirements, with room for improvement.
- “Improvement Required”: The firm’s control standards fall noticeably below the industry-wide distribution; prioritizing relevant enhancement measures is recommended.
6. Significance of Dispersion Analysis
By leveraging the percentile method, not only are we able to understand the relative positioning of each securities firm in the industry, but we can also further analyze the dispersion of cybersecurity control levels across the securities industry as a whole. A more concentrated score distribution indicates that the industry-wide cybersecurity standards are consistent; a more dispersed distribution, on the other hand, indicates significant disparities in cybersecurity capabilities among securities firms. This dispersion analysis helps in understanding the overall risk posture. For areas with larger cybersecurity capability gaps, a dispersion analysis facilitates the formulation of appropriate guidance measures and resource allocation strategies. This approach contributes to enhancing cybersecurity resilience across the industry and narrowing the protection disparities among securities firms.
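As an added worked example (not code from the report or the FSC), the following Python script implements the scoring mechanism described in this section end to end: weighted category scores, standardized questionnaire and exposure-scan scores, a composite with the questionnaire-only fallback for firms that could not be scanned, the percentile tiers (top 10 percent “Excellent”, bottom 10 percent “Improvement Required”, the rest “Satisfactory”), and the mean and standard deviation used for dispersion analysis. The category weights, the 0.6/0.4 component weights, min-max standardization to a 0 to 100 range, the midpoint percentile-rank convention and the sample scores are all assumptions; the report does not publish its parameters or data.

```python
"""Added worked example, not code from the FSC report: weighted composite
scoring of a constructed set of securities firms, percentile-based tiers and
dispersion analysis.  Every parameter and score below is an assumption."""
from statistics import mean, pstdev

# The seven questionnaire categories of the report, abbreviated.
CATEGORIES = ["ai", "bcm", "pdp", "netsec", "supplier", "change", "authn"]
CATEGORY_WEIGHTS = {c: 1 / len(CATEGORIES) for c in CATEGORIES}  # assumed equal
W_QUESTIONNAIRE, W_EXPOSURE = 0.6, 0.4                          # assumed split

# Constructed sample input: firm -> (seven category scores, exposure-scan score).
# None marks a firm with no external footprint, so no scan was possible.
SAMPLE_FIRMS = {
    "F01": ([92, 88, 90, 94, 85, 89, 93], 96),
    "F02": ([80, 82, 78, 85, 79, 81, 84], 88),
    "F03": ([85, 70, 88, 90, 60, 75, 92], None),
    "F04": ([60, 55, 65, 58, 50, 62, 66], 70),
    "F05": ([75, 78, 72, 80, 74, 76, 79], 85),
    "F06": ([88, 85, 87, 89, 84, 86, 90], 92),
    "F07": ([70, 72, 68, 74, 66, 71, 73], None),
    "F08": ([83, 80, 84, 86, 78, 82, 85], 90),
    "F09": ([95, 93, 94, 96, 92, 94, 97], 98),
    "F10": ([78, 74, 80, 77, 70, 75, 79], 82),
}


def questionnaire_score(category_scores):
    """Weighted sum of the seven category scores (one raw questionnaire score)."""
    return sum(s * CATEGORY_WEIGHTS[c] for c, s in zip(CATEGORIES, category_scores))


def min_max(values):
    """Standardise raw scores to 0..100 so results from different tools become
    comparable.  A constant list maps to 100 for every entry."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [100.0] * len(values)
    return [100 * (v - lo) / (hi - lo) for v in values]


def composite_scores(firms):
    """Composite = W_Q * standardised questionnaire + W_E * standardised exposure.
    Firms without an exposure scan are scored on the questionnaire alone."""
    names = list(firms)
    q_std = dict(zip(names, min_max([questionnaire_score(firms[n][0]) for n in names])))
    scanned = [n for n in names if firms[n][1] is not None]
    e_std = dict(zip(scanned, min_max([firms[n][1] for n in scanned])))
    return {
        n: (W_QUESTIONNAIRE * q_std[n] + W_EXPOSURE * e_std[n]) if n in e_std else q_std[n]
        for n in names
    }


def percentile_rank(score, all_scores):
    """Midpoint percentile rank: share of scores below, counting ties as half."""
    below = sum(1 for s in all_scores if s < score)
    equal = sum(1 for s in all_scores if s == score)
    return 100 * (below + 0.5 * equal) / len(all_scores)


def classify(rank):
    """Tier boundaries as stated in the report: top 10% / middle 80% / bottom 10%."""
    if rank >= 90:
        return "Excellent"
    if rank <= 10:
        return "Improvement Required"
    return "Satisfactory"


def assess(firms):
    """Return {firm: (composite score, percentile rank, tier)}."""
    scores = composite_scores(firms)
    ranks = {n: percentile_rank(s, list(scores.values())) for n, s in scores.items()}
    return {n: (round(scores[n], 1), round(ranks[n], 1), classify(ranks[n])) for n in scores}


def dispersion(firms):
    """Industry-wide and per-category mean and population standard deviation:
    a small spread means consistent standards, a large spread means wide gaps."""
    overall = list(composite_scores(firms).values())
    per_category = {}
    for i, c in enumerate(CATEGORIES):
        values = [firms[n][0][i] for n in firms]
        per_category[c] = (round(mean(values), 1), round(pstdev(values), 1))
    return {"overall": (round(mean(overall), 1), round(pstdev(overall), 1)),
            "categories": per_category}


if __name__ == "__main__":
    for firm, (score, rank, tier) in sorted(assess(SAMPLE_FIRMS).items()):
        print(f"{firm}: composite={score:5.1f} percentile={rank:4.1f} tier={tier}")
    print(dispersion(SAMPLE_FIRMS))
```

With ten constructed firms the midpoint convention places exactly one firm at or above the 90th percentile and one at or below the 10th, which is what the “top 10% / bottom 10%” criteria imply; a firm without an exposure scan (F03 and F07 here) is placed on the same 0 to 100 scale from its questionnaire result alone, so it remains comparable with scanned peers. The per-category standard deviations show which of the seven categories disperses most across firms, which is the statistic the dispersion analysis above relies on.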
III. Analysis of Assessment Findings
Overall, the results of the comprehensive cybersecurity assessment show that Taiwan’s securities industry has a robust foundation of protection. The questionnaires and technical inspections corroborate each other: the cybersecurity management systems of securities firms have matured, but there is room for improvement in the fine-grained management of external attack surfaces.
(I) Questionnaire assessment findings
1. Overall cybersecurity control performance
Based on the questionnaire analysis results, the assessment across seven key categories reveals that approximately 90% of the assessed securities firms have achieved a cybersecurity control level of “Satisfactory” or above. This indicates that most evaluated firms have established relatively mature and stable cybersecurity management systems. The performance of the assessed securities firms across the seven key categories is relatively balanced; there is no significant lag in any specific category. This indicates that the overall level of cybersecurity management has achieved a certain degree of maturity.
However, a small number of the assessed securities firms were classified as “Improvement Required,” indicating that there is significant room for improvement in cybersecurity management and implementation for some firms. These firms must prioritize allocating resources for improvement to prevent management deficiencies from undermining the effectiveness of technical safeguard measures, thereby further increasing overall exposure to cybersecurity risks.
2. Performance analysis across seven key categories
Statistical analysis across the seven key categories (risks associated with AI and emerging technology adoption, business continuity management, personal data protection, network security protection, supplier management, program change management, and identity authentication management) shows that the control levels of the assessed securities firms are relatively consistent across all categories, with no significant lag in any specific category.
This indicates that the cybersecurity management systems established by the securities industry cover the different risk areas without disproportionately emphasizing any one of them.
At the same time, this uniformity also means that no category stands out as markedly more mature than the others, so the depth of controls can still be improved across all areas. Securities firms are advised to deepen management and strengthen technical measures in the categories most relevant to their business models, level of digitalization, and actual risk exposure, while maintaining balanced development. This will increase the overall depth of cybersecurity protection and improve operational resilience.
(II) Exposure scan results
This assessment covered all securities firms, with approximately 76% of them completing the exposure scan. The remaining firms could not be assessed due to the fact that they had insufficient online footprints or did not have systems providing external services.
1. Performance of overall technical safeguard capabilities
Based on the exposure scan results, the assessable securities firms were classified into three levels: “Excellent,” “Good,” and “Basic.” The majority achieved the “Excellent” level, the remainder were classified as “Good,” and no firm was classified as “Basic.”
This distribution reveals that the assessed securities firms have achieved a certain degree of maturity in their technical cybersecurity protection capabilities and external exposure management. They are able to effectively reduce externally detectable risks and potential attack surfaces. This reflects a solid level of implementation in fundamental technical safeguards and external exposure management.
However, despite the overall strong performance, attention must be given to the maturity gap between firms in the “Good” and “Excellent” levels. These securities firms are advised to refer to the best industry practices to continuously improve their technical safeguard measures to enhance the overall cybersecurity defense standards across the securities industry.
2. Risk distribution across four key technical detection categories
The four core domains (detection of known malicious activities, cybersecurity configuration compliance, user behavior risks, and public information exposure risks) were analyzed further. A number of observations relate to cybersecurity configuration compliance, suggesting room for improvement in the management of externally facing services. Although most securities firms received favorable ratings, these common issues concern basic cybersecurity hygiene rather than systemic vulnerabilities. Securities firms are advised to review and optimize the configuration of their public-facing services, in particular the communication security settings that protect data in transit.
3. Recommendations for improvement and assessment for detection tools
The comprehensive analysis indicates that most risks fall under the category of externally observable security hygiene issues. Without requiring intrusion testing or internal penetration, these risks can be detected using external scoring or scanning mechanisms. This suggests that some securities firms have room for improvement in basic protection implementation and configuration management mechanisms.
The analysis also reveals that current detection mechanisms do not yet cover certain externally observable technical risks in sufficient depth. Unless this coverage is deepened, such risks may remain unidentified or unaddressed for long periods.
Securities firms are advised to evaluate the possibility of implementing or enhancing their cybersecurity exposure detection mechanisms. Scans and assessments of publicly accessible network services from an external perspective should be conducted on a regular basis to improve the ability to identify and monitor potential external threats.
(III) Comprehensive assessment findings
1. Distribution of overall assessment findings
This cybersecurity control assessment comprehensively evaluates the two key areas – questionnaire assessment and exposure scan. Based on the composite scoring formula, the final overall score gained by each securities firm is calculated. Based on percentile classification criteria, the assessment findings are categorized into three levels: “Excellent,” “Satisfactory,” and “Improvement Required.” Classification criteria are as follows:
- “Excellent”: The final overall score is at or above the 90th percentile (top 10% of firms).
- “Satisfactory”: The final overall score is above the 10th and below the 90th percentile (middle 80% of firms).
- “Improvement Required”: The final overall score is at or below the 10th percentile (bottom 10%, the relatively weaker performers).
2. Statistical analysis of evaluation results
The results of the comprehensive assessment covering all securities firms are distributed as follows:
(1) Excellent (approximately 10%)
This level of securities firms encompasses firms of various scales. Securities firms with this rating demonstrate relatively mature performance in establishing cybersecurity management systems and implementing technical safeguard measures. Their security control measures reflect more mature practical experience and can serve as industry benchmarks.
(2) Satisfactory (approximately 80%)
This level of securities firms encompasses the majority of securities firms in the industry. Securities firms with this rating maintain their cybersecurity controls at the industry standard level. They have basic protection capabilities and management mechanisms. However, there is room for improvement in system deepening, technological advancement, and continuous improvement processes.
(3) “Improvement Required” (approximately 10%)
Securities firms with this rating are mainly those with relatively limited resources, and they account for about 10% of all securities firms. Their level of security control lags behind the industry average, and they require ongoing improvement in both cybersecurity management and technical safeguards. They are advised to prioritize resource allocation to address critical weaknesses and reduce potential cyber risks.
3. Analysis of assessment findings
(1) Correlation between resource allocation and control maturity
Based on the assessment findings, firms with adequate resource allocation and more comprehensive cybersecurity management systems exhibit better overall control levels. A company’s level of emphasis on cybersecurity, the effectiveness of its resource allocation, and whether it establishes continuous improvement processes remain key factors affecting the effectiveness of its cybersecurity protection.
However, the assessment findings also reveal that despite firms with more adequate resources performing better overall, some larger-scale firms still fall within the “Satisfactory” level – not all achieved the “Excellent” level. This phenomenon suggests that while adequate resources form a crucial foundation, truly enhancing the level of cybersecurity controls depends more on the decision-making quality of the company’s management, the effective implementation of management measures, and the deepening of the company’s internal continuous improvement culture. With these elements in place, resource investments can be translated into tangible protective capabilities.
(2) Performance characteristics of securities firms subject to multiple regulatory frameworks
Based on the assessment findings, securities firms that can draw on group resources, or that are simultaneously subject to multiple regulatory frameworks, have relatively rigorous cybersecurity management frameworks because they must meet higher compliance requirements. They generally outperform other securities firms of a similar scale.
This shows that the intensity of regulatory requirements and the ability to integrate group resources both have a positive impact on cybersecurity controls. The institutional pressure of a multi-regulatory environment also prompts securities firms to establish more structured and standardized cybersecurity management mechanisms.
(3) Cybersecurity challenges faced by smaller securities firms
Based on the assessment findings, securities firms with the “Improvement Required” rating are primarily concentrated in those with smaller resource scales. This indicates that some small securities firms face significant challenges in cybersecurity management and technical safeguard practices, including limited resources, insufficient cybersecurity personnel, and relatively low institutional maturity.
These challenges place smaller firms under greater defensive pressure while increasing their exposure to potential cybersecurity risks within the industry’s overall cybersecurity protection system. Targeted guidance and support will be required to help these smaller firms gradually enhance their control capabilities in order to strengthen the industry’s overall cybersecurity resilience.
(IV) Subsequent improvement recommendations and supervisory strategies
1. Specialized guidance for securities firms rated “Improvement Required”
For securities firms rated “Improvement Required,” that is, those whose final assessment scores are at or below the 10th percentile, tiered guidance and improvement mechanisms will be developed based on their overall risk posture. By setting clear improvement targets, these firms are assisted in raising their cybersecurity protection level within a reasonable timeframe, reducing the risk that they become weak points in the industry’s overall defense.
2. Strategic directions for reinforcing industry-wide cybersecurity resilience
The findings of the cybersecurity control assessment provide a clear overview of the overall distribution of information security intensity within the securities industry. These findings serve as an important reference for subsequent cybersecurity oversight planning. Future directions are as follows:
- Focus on high-risk areas: Provide specialized guidance to securities firms rated “Improvement Required”; prioritize resource allocation to correct industry-wide weaknesses identified during assessment.
- Deepen cybersecurity intelligence sharing: Continue to reinforce the securities industry’s cybersecurity intelligence-sharing mechanisms to facilitate the exchange of threat intelligence, incident experiences, and best practices, enhancing the industry’s overall threat awareness and collaborative defense capabilities.
- Ongoing promotion of cybersecurity awareness enhancement: Education and training, drills, and case studies are leveraged to reinforce the importance of cybersecurity governance among industry-wide personnel and management, fostering a top-down cybersecurity culture.
The promotion and implementation of the above strategies will help reinforce the overall cybersecurity protection capabilities of the securities market, enhance the industry’s resilience, maintain stable market operations, and safeguard investors’ rights and interests.
IV. Conclusion
This comprehensive cybersecurity assessment provides a quantitative picture of the current protection status of Taiwan’s securities industry. The assessment not only identifies industry-wide strengths but also precisely outlines key directions for future regulatory oversight and guidance. Based on the assessment findings, the entire securities industry has established a solid foundation in cybersecurity control levels. Most securities firms have achieved a satisfactory level of control in cybersecurity management and technical safeguards. Overall compliance with information security-related regulations remains stable.
However, the assessment findings also indicate disparities in cybersecurity controls among different securities firms. These disparities are highly correlated with each firm’s capital scale, resource allocation, and the intensity of the regulatory requirements to which they are subject. For securities firms with relatively limited resources, there is room for improvement in deepening their cybersecurity management systems, implementing management measures and establishing continuous improvement processes.
Based on the findings of the technical exposure assessment, the overall externally visible technical protection capabilities of securities firms are considered good. However, exposure risks are primarily concentrated in the basic security configurations of publicly accessible network services. This indicates that some securities firms have room for improvement in basic cybersecurity configuration management and routine review processes. There is also room for reinforcement in the current internal detection and management mechanisms for certain externally observable technical risks.
By combining institutional self-assessment questionnaires and technical exposure scans, this comprehensive cybersecurity assessment presents the current state of cybersecurity protection in the securities industry from both internal and external perspectives. The assessment complements the limitations of conventional assessment methods in identifying external technical exposures and serves as an important reference for subsequent cybersecurity oversight planning, tiered management, and the design of guidance measures.
Overall, the securities industry has established a solid foundation for the future of cybersecurity. Regulatory focus will gradually shift from “regulatory compliance” to a “risk-oriented” approach to ensure the optimization of protection effectiveness. Strengthening the implementation of fundamental cybersecurity measures and improving industry-wide consistency will be ongoing to address the constantly evolving landscape of cybersecurity threats. By jointly strengthening the foundation of market trust and risk defense capabilities with securities firms, we aim to maintain stable market operations and safeguard investors’ rights and interests.
This comprehensive cybersecurity assessment does not intend to rank securities firms. Instead, it helps them identify potential risks and directions for optimization through objective data and technical observations. The assessment also aims to jointly build a more resilient market defense system with all securities firms, ensuring that, amid the digital wave, Taiwan’s capital markets remain the most trusted trading environment for investors.