Preface: From Perimeter Defense to Resilience Governance
Driven by the wave of digital finance, the widespread adoption of remote operations and cloud services has rendered the cybersecurity perimeter of Securities Firms increasingly fluid. The once-prevailing notion that 'anything inside the firewall is safe' has long become obsolete. In its place stands a resilience governance framework centered on Zero Trust principles and continuous verification. Faced with novel threats arising from artificial intelligence (AI) and the risks of supply chain infiltration, Securities Firms must build a multi-layered, defense-in-depth security posture to respond effectively.
A review of recent inspection findings from affiliated institutions reveals that common deficiencies tend to cluster around inadequate network security assessments, lapses in outsourced vendor management, incomplete security controls over network devices, and improper account and password management. Notably, the vulnerabilities created by these deficiencies are precisely the entry points most frequently targeted by external attackers, posing risks to the overall cybersecurity posture of Securities Firms that cannot be ignored.
Against this backdrop, a single regulation is no longer sufficient to address the increasingly complex cybersecurity threat landscape. In recent years, the Securities and Futures Bureau, affiliated institutions, and the Taiwan Securities Association have progressively established a comprehensive regulatory framework. For cybersecurity incident reporting and outsourcing management, the Securities and Futures Bureau has issued the "Operational Guidelines for Circulating Reports on the Information and Communication Security Related Events Occur in Securities and Futures Markets" and the "Directions for Securities Firms Regarding Matters to Be Attended to When Entrusting Others to Handle Operations". For the inspection and enforcement of overall cybersecurity protection, TWSE and affiliated institutions conduct periodic reviews of each firm's cybersecurity practices based on the "Establishing Information Security Inspection Mechanisms for Securities Firms". To support firms in proactively strengthening their baseline cybersecurity posture, the Taiwan Securities Association has issued multiple self-regulatory cybersecurity rules providing concrete compliance guidelines.
For a detailed overview of the "Establishing Information Security Inspection Mechanisms for Securities Firms", readers may refer to the earlier edition of the Viewpoints column. This article focuses on explaining the key provisions of the Taiwan Securities Association's cybersecurity self-regulatory rules and draws on the PDCA (Plan-Do-Check-Act) cycle from ISO 27001 to illustrate the complementary and dynamic relationship between these self-regulatory rules and the aforementioned inspection mechanism, with the aim of offering the public a more complete understanding of the securities industry's overall cybersecurity framework.
The following is a summary of the key provisions of each self-regulatory rule:
I. Taiwan Securities Association Self-Regulatory Rules on Information and Communication Security Baseline Standards for Securities Firms' IT Systems
1. Account and Access Control
- Prohibition on Shared Accounts: IT systems must support unique user identification; account sharing among multiple users is strictly prohibited to ensure accountability.
- Multi-Factor Authentication (MFA): Logging into systems via the internet must use MFA (e.g., password + mobile OTP or digital certificate).
- Access Review: Account and permission appropriateness must be reviewed on a regular basis (at least semi-annually); inactive accounts must be disabled.
- Password Policy: Password complexity requirements are mandatory; passwords may not repeat the previous three; default passwords must be changed immediately upon first login.
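The password-history requirement is the part of this policy that is most often implemented badly: firms sometimes keep the previous passwords in plaintext so they can compare them, which turns the history table into a credential dump. The following is an added example (not code from the original article or from any of the rules) of a validator that enforces complexity, rejects known vendor defaults, and checks the "previous three" rule against salted PBKDF2 hashes of the old passwords. The 12-character minimum, the three-of-four character classes, and the list of default passwords are assumptions chosen for the example; the rules text only requires that complexity standards exist.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumptions for this example (not from the rules text): a 12-character minimum,
# three of four character classes, and this constructed list of vendor defaults.
MIN_LENGTH = 12
HISTORY_DEPTH = 3                      # the rule: no reuse of the previous three
PBKDF2_ROUNDS = 100_000
KNOWN_DEFAULTS = {"admin", "password", "Passw0rd!", "changeme", "Welcome1!"}

PasswordRecord = Tuple[bytes, bytes]   # (salt, PBKDF2 digest); plaintext is never kept


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2-HMAC-SHA256. History is stored as hashes so an attacker who
    reads the history table does not learn the user's previous passwords."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, record: PasswordRecord) -> bool:
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def complexity_errors(password: str) -> List[str]:
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
               "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    present = sum(1 for pattern in classes.values() if re.search(pattern, password))
    if present < 3:
        errors.append("needs at least three of: uppercase, lowercase, digit, symbol")
    return errors


def validate_new_password(new_password: str, history: List[PasswordRecord]) -> List[str]:
    """Returns an empty list when the password may be set. `history` holds the
    user's previous password records, most recent first."""
    errors = complexity_errors(new_password)
    if new_password in KNOWN_DEFAULTS:
        errors.append("is a known default/vendor password")
    for record in history[:HISTORY_DEPTH]:
        if matches(new_password, record):
            errors.append(f"repeats one of the previous {HISTORY_DEPTH} passwords")
            break
    return errors


def record_password_change(history: List[PasswordRecord], new_password: str) -> List[PasswordRecord]:
    """Prepends the new password's record and drops anything beyond HISTORY_DEPTH,
    so the table never holds more than the rule needs."""
    return [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]


if __name__ == "__main__":
    history: List[PasswordRecord] = []
    for pw in ["Alpha-Trade-2024!", "Bravo-Trade-2024!", "Charlie-Trade-2024!"]:
        history = record_password_change(history, pw)
    print(validate_new_password("Alpha-Trade-2024!", history))   # rejected: still within the last three
    history = record_password_change(history, "Delta-Trade-2024!")
    print(validate_new_password("Alpha-Trade-2024!", history))   # accepted: rotated out of the window
```

Note that the history check costs one PBKDF2 derivation per stored record, which is the intended trade-off: the work factor that slows an offline attacker also slows a password change by a few tens of milliseconds, which users never notice.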
2. System Development and Lifecycle Security
- Requirements and Risk Assessment: Security requirements (confidentiality, availability, integrity) must be identified at the requirements analysis stage of system development, with risk assessments conducted based on core functions.
- Network and Environment Segregation: Production environments must be isolated from development and testing environments to prevent in-development vulnerabilities from affecting live trading systems.
- Security Testing:
- Source Code Scanning: Core systems (e.g., online trading systems) must undergo source code scanning before go-live and upon major updates.
- Vulnerability Scanning: IT systems must undergo vulnerability scanning on a regular basis (at least semi-annually).
- Version Control: Strict version control and change management procedures must be enforced during the operations and maintenance phase.
3. Audit Trail and Monitoring
- Log Retention: Computer audit logs for core systems must record specified events and be retained for at least the prescribed retention period.
- Anomaly Detection: Core systems must be continuously monitored to detect attacks and unauthorized connections in real time.
- Incident Response: Upon detection of intrusion indicators, immediate notification must be made to the responsible personnel for action.
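What "continuous monitoring to detect attacks and unauthorized connections" looks like at the log level is illustrated by the following added example (not from the original article or any vendor product). It parses constructed, syslog-like authentication and connection events from a hypothetical core trading host, flags any event from outside an assumed set of approved management ranges, flags five failed logins from one source within 60 seconds, and raises a separate, higher-priority alert when a login from that source then succeeds. The log format, the allowed ranges, and the thresholds are assumptions for the example; the returned alert records are what would be handed to the responsible personnel under the notification requirement above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Assumptions (not from the rules text): administrative access to the core host only
# comes from these office ranges, and five failures within 60 s is the brute-force threshold.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_network("10.20.2.0/24")]
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(seconds=60)

# Constructed sample lines in a hypothetical syslog-like format; not real firm logs.
SAMPLE_LOGS = """\
2024-03-05T08:59:10 trade-core01 auth: user=ops.chen src=10.20.1.15 result=SUCCESS
2024-03-05T09:00:01 trade-core01 auth: user=admin src=203.0.113.7 result=FAIL
2024-03-05T09:00:08 trade-core01 auth: user=admin src=203.0.113.7 result=FAIL
2024-03-05T09:00:15 trade-core01 auth: user=admin src=203.0.113.7 result=FAIL
2024-03-05T09:00:22 trade-core01 auth: user=admin src=203.0.113.7 result=FAIL
2024-03-05T09:00:29 trade-core01 auth: user=admin src=203.0.113.7 result=FAIL
2024-03-05T09:00:41 trade-core01 auth: user=admin src=203.0.113.7 result=SUCCESS
2024-03-05T09:03:00 trade-core01 conn: src=10.20.2.40 dst_port=8443 proto=tcp
2024-03-05T09:05:12 trade-core01 conn: src=198.51.100.9 dst_port=22 proto=tcp
2024-03-05T09:06:00 trade-core01 auth: user=ops.lin src=10.20.1.16 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|conn): (?P<fields>.*)$")


@dataclass
class Alert:
    kind: str
    src: str
    when: datetime
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Returns a dict of the event's fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": m["kind"]}
    event.update(kv.split("=", 1) for kv in m["fields"].split())
    return event


def is_allowed(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyze(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # sliding window per source
    reported_unauthorized = set()
    brute_forcing = set()

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]

        # Any login attempt or connection from outside the approved ranges is itself reportable.
        if not is_allowed(src) and src not in reported_unauthorized:
            reported_unauthorized.add(src)
            alerts.append(Alert("unauthorized_source", src, ts,
                                f"{ev['kind']} event on {ev['host']} from non-approved source"))

        if ev["kind"] != "auth":
            continue
        if ev["result"] == "FAIL":
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and src not in brute_forcing:
                brute_forcing.add(src)
                alerts.append(Alert("brute_force", src, ts,
                                    f"{len(window)} failed logins within {FAIL_WINDOW.seconds}s (user={ev['user']})"))
        elif ev["result"] == "SUCCESS" and src in brute_forcing:
            alerts.append(Alert("success_after_brute_force", src, ts,
                                f"login succeeded for user={ev['user']} after repeated failures; treat as compromise"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a.when.isoformat()} {a.kind:<26} src={a.src}  {a.detail}")
```

On the sample above this yields four alerts: the first event from 203.0.113.7 (not an approved source), the fifth failure from it within the window, the success that follows, and the SSH connection from 198.51.100.9. The single failure from ops.lin on an approved range produces nothing, which is the point of using a window rather than alerting on every failure.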
4. Data Security and Communication Protection
- Encrypted Transmission: IT systems must not transmit authentication credentials in plaintext; sensitive data must be encrypted using appropriate techniques during storage and transmission.
- Remote Access Management:
- Remote connections must be authorized in advance and documented.
- Remote connections must be encrypted and permitted only through company-approved access points.
- Remote connections must enforce MFA.
5. Business Continuity and Backup Management
- RPO/RTO Requirements: Core systems must define a Recovery Point Objective (RPO) for the tolerable amount of data loss and a Recovery Time Objective (RTO) for service restoration, both within the Maximum Tolerable Period of Disruption (MTPD) of the business they support.
- Backup Verification: The recoverability of backup data must be tested regularly to confirm backup integrity.
- Drills and Tests: Core system backup and recovery operations must be incorporated into the business continuity plan and tested through periodic drills.
II. Taiwan Securities Association Self-Regulatory Rules on Network Security for Securities Firms
1. Network Architecture and Zone Protection
- Comprehensive Network Architecture Documentation: Network diagrams must clearly depict key components such as firewalls, routers, switches, system devices, circuit configurations, servers and services, and wireless networks.
- Network Segmentation: Networks must be segmented according to business operations, with strict access controls enforced between different segments.
- Wireless Network Controls: Wireless access must use currently secure protocols with no known vulnerabilities (e.g., WPA3), and password strength standards must be established.
- External Device Access Management: Use of non-company-issued devices to access internal networks must be strictly controlled, requiring prior application and authorization with restricted access scope.
2. Network Device Security Management
- Device Lifecycle Monitoring: Use of devices that have reached End of Support (EOS) or End of Life (EOL) is prohibited; decommissioning and upgrade plans must be prepared in advance.
- Principle of Least Privilege: Network access and firewall rules must adopt an allowlist approach and must be reviewed at least annually; DMZ firewall rules must be reviewed semi-annually.
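An allowlist rule base is only as good as the review that keeps it one, and the review cadence in the rule (annual, semi-annual for the DMZ) is easy to automate. The following added example (not from the original article or any firewall vendor) walks a constructed rule set for a hypothetical firm and reports permit rules that are effectively "any" (any port, or any source to any destination), remote-administration ports open to any source, rules whose last review is older than the zone's limit, and zones that do not end in an explicit deny-all. The rule model, the rule set, the review date, and the set of administration ports are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Rule:
    name: str
    zone: str          # "dmz" or "internal"
    action: str        # "permit" or "deny"
    src: str           # CIDR or "any"
    dst: str           # CIDR, host, or "any"
    port: str          # port number or "any"
    last_reviewed: date


# Review cadence from the rule text: DMZ semi-annually, everything else at least annually.
REVIEW_DAYS = {"dmz": 182, "internal": 365}
# Assumption for this example: remote-administration ports that must never be open to "any".
ADMIN_PORTS = {"22", "3389"}
# Assumed date on which the review is run.
AS_OF = date(2024, 6, 30)

# Constructed rule set for a hypothetical firm; not a real configuration.
RULES = [
    Rule("web-in",      "dmz",      "permit", "any",          "192.0.2.10", "443",  date(2024, 2, 1)),
    Rule("mgmt-ssh",    "dmz",      "permit", "any",          "192.0.2.10", "22",   date(2023, 11, 15)),
    Rule("temp-vendor", "internal", "permit", "10.30.0.0/16", "any",        "any",  date(2023, 5, 1)),
    Rule("core-db",     "internal", "permit", "10.20.5.0/24", "10.20.9.12", "1521", date(2024, 1, 10)),
    Rule("deny-all",    "internal", "deny",   "any",          "any",        "any",  date(2024, 1, 10)),
]


def review_rules(rules: List[Rule], today: date) -> List[str]:
    """Returns one finding string per problem; an empty list means the rule base passes."""
    findings: List[str] = []
    for r in rules:
        if r.action == "permit":
            # A permit that does not name a service, or names neither end, is not an allowlist entry.
            if r.port == "any" or (r.src == "any" and r.dst == "any"):
                findings.append(f"{r.name}: overly broad permit (src={r.src} dst={r.dst} port={r.port})")
            # Remote maintenance must come through approved access points, never from the whole internet.
            if r.src == "any" and r.port in ADMIN_PORTS:
                findings.append(f"{r.name}: remote-admin port {r.port} open to any source")
        age = (today - r.last_reviewed).days
        limit = REVIEW_DAYS.get(r.zone, 365)
        if age > limit:
            findings.append(f"{r.name}: review overdue ({age} days old, {r.zone} limit {limit})")
    # Allowlisting only works if each zone ends in an explicit deny-all.
    for zone in sorted({r.zone for r in rules}):
        last = [r for r in rules if r.zone == zone][-1]
        if not (last.action == "deny" and (last.src, last.dst, last.port) == ("any", "any", "any")):
            findings.append(f"{zone}: no explicit deny-all as the final rule")
    return findings


if __name__ == "__main__":
    for finding in review_rules(RULES, AS_OF):
        print(finding)
```

Run against the constructed rule set, the web rule passes (a public HTTPS service legitimately accepts any source on one port), while mgmt-ssh is flagged twice (SSH from anywhere, and 228 days since review against a 182-day DMZ limit), temp-vendor is flagged twice (any port to any destination, and 426 days since review), and the DMZ zone is flagged for lacking a final deny-all.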
3. Network Transmission and Remote Connectivity
- High-Assurance Authentication for Remote Operations: Vendors or employees requiring remote internet access to internal systems for maintenance must enforce MFA.
- Secure Encryption Algorithms: All network transmission encryption must give priority to algorithms validated by internationally recognized bodies that have no known practical break.
4. Network Attack Protection (DDoS and Application Layer Defense)
- DDoS Mitigation: Securities Firms offering online trading services or maintaining official websites must implement Distributed Denial-of-Service (DDoS) protection mechanisms to prevent system outages during periods of market volatility.
- Web Application Firewall (WAF): IT systems with internet-facing services must deploy a WAF to defend against common web attacks such as SQL Injection and Cross-Site Scripting (XSS).
5. Security Assessments
- Penetration Testing and Security Diagnostics: Securities Firms' IT systems must undergo periodic penetration testing and comprehensive security diagnostics (including reviews of malicious network activity and firewall configurations).
- Timely Vulnerability Patching: Network vulnerabilities must be patched on a regular schedule, with remediation timelines defined according to risk severity (e.g., high-risk vulnerabilities must be patched within one month).
- Log Retention: Network device access logs must be retained for at least three years and kept confidential to prevent unauthorized access.
III. Taiwan Securities Association Self-Regulatory Rules on Supply Chain Risk Management for Securities Firms' IT Systems and Services
1. Risk Assessment and Pre-Engagement Review
- Outsourcing Feasibility Assessment: Prior to signing contracts with vendors, firms must analyze the scope of impact of the outsourced items (including information assets, business processes, and operational environments) and conduct risk assessments of the vendor's operational capability, financial condition, and concentration risk.
- Vendor Selection Criteria:
- Tier-1 Securities Firms: Vendors must have robust cybersecurity management measures in place.
- Cloud Vendors: Third-party cybersecurity certification must be required.
2. Contract Management and Mandatory Provisions
- Service Level Agreements (SLA): For maintenance or outsourcing contracts of one year or more, vendors must submit regular service level reports.
- Cybersecurity Incident Notification: Vendors must be contractually required to immediately notify the securities firm and take remedial action upon becoming aware of potential threats (e.g., a major incident occurring at another client).
- Subcontracting Management: Vendors must obtain prior written consent from the securities firm before subcontracting any work; the same applies to any subsequent changes.
- Audit Rights Clause: Contracts must expressly state that the securities firm (or an authorized third party) has the right to conduct cybersecurity audits of the vendor.
3. Enhanced Management of Core Systems
- Core System Recovery Plans: Outsourced vendors must regularly provide recovery plans for core IT systems and services to ensure rapid restoration in the event of a disaster.
- Stress Testing: Core system vendors are obligated to cooperate with Securities Firms in conducting stress tests and to adjust service load capacity when market trading volume surges.
4. Continuous Monitoring and Auditing
- Annual Audit: Securities Firms must conduct cybersecurity oversight or on-site audits of IT service vendors at least once a year (or as necessary).
- Security Testing Requirements: Vendors must be required to complete comprehensive testing before applications go live; updates that may affect system stability are prohibited before market open or during trading hours.
- Exit Management: Procedures must be established for the termination or dissolution of outsourcing relationships, including data deletion and immediate revocation of access rights.
IV. Taiwan Securities Association Self-Regulatory Rules on Cloud Service Operational Security for Securities Firms
1. Definitions and Scope of Application
- Cloud Service Definition: Encompasses elastic and scalable services delivered via the internet, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Scope of Application: Applies to Securities Firms that outsource operations related to licensed business activities or customer information and involve the use of cloud service providers.
2. Governance Framework and Risk Management
- Risk-Based Approach (RBA): A risk-based approach must be used to identify, assess, and understand the risks associated with cloud service adoption; enhanced controls must be implemented for high-risk scenarios.
- Governance Framework: A cloud service governance framework must be established, including clearly defined approval processes, accountability structures, and internal control systems.
3. Cloud Service Provider Selection and Due Diligence
- Operational Capability Review: Cloud service providers must be evaluated on their service levels, cybersecurity capabilities, and business continuity and disaster recovery capabilities.
- Periodic Review: Regular audits of cloud service providers must be conducted; professional third parties may be engaged to assist with oversight as needed.
4. Technical Security and Data Controls
- Data Storage Location Restrictions:
- Securities Firms retain the right to designate the location for data processing and storage.
- Customer data for IT systems that handle a significant volume of individual (natural person) customer business must, in principle, be stored within the territory of the ROC; if stored offshore, critical customer data must also be backed up domestically unless otherwise approved by the Securities and Futures Bureau.
- Encryption and Key Management:
- Transmission of sensitive data must use encryption protocols (e.g., HTTPS, SFTP).
- Encryption tools and keys must be stored in an isolated and secure network environment.
- Environment Isolation: Use of live production data for cloud service testing and validation is strictly prohibited.
5. Business Continuity and Exit Management
- Business Impact Analysis: The resilience and recoverability of IT systems using cloud services must be assessed, factoring in the recovery capabilities offered by cloud providers when developing business continuity management plans.
- Joint Drills: For significant cloud outsourcing operations, business continuity tests must be conducted periodically based on risk considerations; joint drills with vendors may be held.
- Migration Strategy (Exit Plan): Prior to adopting cloud services, a migration strategy and plan must be established to ensure that operations can be smoothly transferred to another cloud service provider or brought back in-house upon contract expiry or in the event of an incident.
- Data Deletion Obligation: Upon contract termination, the cloud service provider must be required to completely delete all relevant data (including virtual machine images, caches, and backups), and a certificate of complete deletion must be obtained from the provider.
V. Taiwan Securities Association Self-Regulatory Rules on Emerging Technology Cybersecurity for Securities Firms
1. Mobile Application (App) Security Management
- Publication Review: Apps must be published through trusted app stores. Initial publication or changes to permissions (e.g., access to photo library or location) require joint approval from cybersecurity and legal compliance units, with records retained.
- Counterfeit Detection: Mechanisms must be established to detect counterfeit apps, preventing hackers from deceiving customers with fraudulent imitations.
- Endpoint Detection: Upon launch, apps must detect whether the mobile device has been compromised (e.g., rooted, jailbroken, or with USB debugging enabled) and proactively alert users to the risk.
2. Electronic Trading Identity Verification
The login security design for electronic trading must incorporate any two of the following three authentication factors:
- Knowledge Factor: Such as a static password, pattern lock, or gesture.
- Possession Factor: Such as a mobile device or certificate token; the securities dealer must confirm that the device is a pre-registered and authorized device.
- Inherence Factor: Biometrics (fingerprint, facial recognition, etc.). Indirect verification (delegated to the mobile device) is permissible, but the securities dealer must evaluate the effectiveness of the customer identity verification mechanism in advance.
3. Deepfake and Phishing Prevention
- Enhanced Video Verification: If video-based identity verification is used, enhanced authentication mechanisms must be in place to guard against AI-based face-swapping (Deepfake) fraud.
- Awareness Training: Securities Firms must regularly conduct cybersecurity training covering Deepfake awareness and prevention.
- Proactive Detection: Phishing websites and malicious links must be actively monitored, with timely alerts issued to customers.
4. Social Media and Internet of Things (IoT) Management
- Social Media Controls: Policies governing employees' use of social media must be established, delineating boundaries between official and personal use, and a review mechanism for official account content must be put in place.
- IoT Security: IoT devices used within Securities Firms must be inventoried; products with cybersecurity certification marks should be prioritized; device access permissions and connection controls must be enforced.
VI. Taiwan Securities Association Self-Regulatory Rules on IT Operational Resilience for Securities Firms
1. Building an IT Operational Resilience Management Organization
- Critical Business Identification: Core businesses and their corresponding core systems must be identified as the foundation for subsequent resilience planning.
- Impact Tolerance: Recovery Time Objective (RTO) and Recovery Point Objective (RPO) must be defined for core systems, clearly delineating the acceptable scope of disruption.
2. Backup and Redundancy Mechanisms and Data Center Planning
- Backup and Redundancy Mechanisms: Data backups should follow the 3-2-1 principle — at least three copies, stored on two different types of storage media, with at least one copy stored offsite.
- Data Center Planning and Site Selection: Securities Firms meeting specified criteria must establish an offsite backup data center; site selection must consider geographic locations that would not be affected by the same disaster or failure event.
3. Disaster Response and IT Operational Resilience Training
- Disaster Response: Potential service disruption scenarios must be identified, and corresponding response measures planned accordingly.
- Training and Drills: A dedicated task force for strengthening IT operational resilience must be established, and regular IT operational drills must be conducted to ensure personnel readiness.
VII. Taiwan Securities Association Self-Regulatory Rules on the Use of Artificial Intelligence Technology by Securities Firms
1. Scope of Application and Definitions
- Scope of Application: These rules apply when AI directly interacts with customers, provides financial product recommendations, affects trading rights or interests, or has a significant impact on operations.
- Definition of Direct Interaction: Refers to AI analyzing inquiries and generating non-predetermined responses without human intervention.
- Definition of Significant Impact: Follows the materiality definition set forth in the Directions for Securities Firms Regarding Matters to Be Attended to When Entrusting Others to Handle Operations.
2. Governance Framework and Accountability
- Senior Management Designation: A senior executive or committee must be designated to oversee and manage AI-related matters.
- Talent Development: Appropriate personnel training must be provided; personnel using generative AI must understand how the technology operates and ensure that AI-generated outputs are consistent with the underlying prediction and decision-making logic.
- Third-Party Oversight: If third-party AI technology is used, due diligence must be conducted and the third-party provider must be required to retain complete computational audit trails for subsequent review.
3. Transparency and Customer Rights
- Mandatory Disclosure: When interacting with customers, it must be proactively disclosed that the service is completed using AI automation, along with its applicable scenarios and purposes.
- Option to Opt Out: Customers should be given the option to choose whether to use AI-based services, and alternative options should be made available.
- Explainability Requirement: When using AI to provide services, the interpretability of the model must be enhanced to ensure effective oversight of AI operations.
4. Fairness and Algorithmic Ethics
- Data Diversity: Diverse and representative datasets should be used for model training to reduce systemic bias against specific groups (e.g., based on age, name, or disability status).
- Robustness Enhancement: The safety and stability of AI services must be reviewed on a regular basis, and effective measures must be taken to improve the accuracy and reliability of AI-generated outputs and content.
VIII. Verifying Compliance with Self-Regulatory Rules Through the "Establishing Information Security Inspection Mechanisms for Securities Firms"
The seven self-regulatory rules established by Taiwan Securities Association described above form an important normative foundation for cybersecurity protection at Securities Firms. However, the establishment of these rules is only a starting point — effective implementation is the true key.
Affiliated institutions use their annual routine cybersecurity inspections, with the "Establishing Information Security Inspection Mechanisms for Securities Firms" as the inspection framework, to conduct a comprehensive review of each firm's compliance with the aforementioned self-regulatory rules. Upon completion of each inspection, deficiencies are categorized and consolidated, enabling analysis of deficiency patterns and providing insight into the cybersecurity practices of individual firms and the securities market as a whole. Through root cause analysis, tailored remediation guidance is provided to help firms close protection gaps, forming a complete cycle of identifying issues, analyzing root causes, and guiding improvement.
Conclusion: From Compliance to Resilience — Building a Secure, Trustworthy, and Innovation-Ready Securities Market
"Many things have a good beginning, but few a good end." In cybersecurity, the hardest part is not in the initial planning — it lies in consistent execution and continuous iterative improvement.
Through the Plan and Do phases embodied in the seven self-regulatory rules above, Securities Firms establish the core framework of their cybersecurity protection. The periodic inspections and guidance conducted by affiliated institutions pursuant to the cybersecurity inspection mechanism serve as the critical Check function. Finally, through affiliated institutions' follow-up on deficiency remediation and the rolling revision of self-regulatory rules in response to evolving threats, the Act phase of the cycle is realized — allowing the governance system to continuously improve, completing a full PDCA governance cycle in which the protection framework spirals upward in tandem with the threat landscape.
Nonetheless, there is no silver bullet in cybersecurity defense. Only through constant vigilance and the timely updating of protective measures in step with the evolving threat environment can a securities market be built that is secure, trustworthy, and sustainably innovative.