A Global Shift in the Cybersecurity Landscape
With the explosive growth of fintech, cloud computing becoming mainstream, and the normalization of hybrid and remote work, the perimeter-defense model that traditional financial institutions relied upon faces unprecedented challenges. The traditional defense mindset, centered on a “castle and moat” model, assumes that the internal network can be trusted by default. Once attackers breach the perimeter, or an insider deliberately launches an attack, they can move laterally across the enterprise network largely unchecked. This can lead to catastrophic customer data breaches, paralysis of transaction systems, or widespread ransomware propagation. To address increasingly sophisticated advanced persistent threats (APTs), highly organized cybercrime, and attacks targeting critical infrastructure, the global financial cybersecurity defense system is shifting to Zero Trust Architecture (ZTA).
ZTA is based on a simple idea: never trust, always verify. The philosophy rests on three key concepts and assumptions:
- Assume a hostile environment: Malicious attacks and potential threats exist both internally and externally. The organization takes a rigorous approach by treating every user, device, and application as untrusted by default.
- Assume a security breach has already occurred: Assume that a malicious activity already exists within the organization’s environment and that the system or network has already been compromised. This approach reinforces real-time scrutiny of every access and authorization decision to minimize risk.
- Continuous and explicit verification: Every device, user, application, and data flow must adhere to the principle of least privilege. Identity is verified explicitly and continuously, using multiple authentication methods rather than a single login event. All access is conditional, governed by attribute-based access control that evaluates static and dynamic indicators, and access can be revoked, restricted, or flagged for alerting in real time based on the current trust level.
Global Regulatory Trends and Key Case Studies for Zero Trust
Amid this wave of cybersecurity defense, Zero Trust has evolved from a technical concept into a strictly enforced policy mandate worldwide. Regulators in advanced regions such as North America and Europe are driving the adoption of Zero Trust frameworks across financial institutions and critical infrastructure operators through a two-pronged approach: top-down government mandates and operational-resilience regulation.
Firstly, the United States is a global leader in advancing Zero Trust policy. In 2021, the White House issued an executive order titled “Improving the Nation’s Cybersecurity”, explicitly requiring federal agencies to accelerate their transition to a ZTA. In January 2022, the Office of Management and Budget (OMB) issued Memorandum M-22-09.
This memorandum sets forth the federal ZTA strategy, requiring agencies to meet specific standards of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model (ZTMM) by the end of FY 2024. M-22-09 places significant emphasis on (1) stronger enterprise-wide identity and access management; (2) full implementation of phishing-resistant multi-factor authentication (MFA); (3) treating all applications as directly accessible from the internet (removing reliance on traditional VPNs); (4) continuous asset monitoring; and (5) data classification and encrypted transmission. This standardized framework has become a key technological benchmark for the architectural transformation of global financial institutions and large multinational enterprises.
Rather than issuing direct directives mandating Zero Trust as the United States did, Europe adopted an indirect, operational-resilience-driven approach. The EU's recently promulgated Digital Operational Resilience Act and the Bank of England's operational resilience rules for financial institutions do not explicitly mandate full implementation of a ZTA. However, these regulations require strict containment of cybersecurity incidents, comprehensive encryption of information systems, advanced network micro-segmentation, and dynamic enforcement of least privilege. As a result, ZTA is widely regarded, in both academic and technical circles, as the optimal framework for meeting European financial compliance and digital resilience requirements.
The Asia-Pacific region, meanwhile, accelerated its progress after the pandemic, with regulators across the region successively introducing relevant regulations and designating ZTA as a key defensive practice.
Implementation cases at leading international and multinational financial institutions show that dynamic conditional access based on device health and user behavioral baselines can be introduced in practice. Academic and industry research confirms that identity- and device-based micro-segmentation, together with role-based network access control, minimizes unauthorized access within financial institutions and creates a Zero Trust environment. This approach has significantly reduced unauthorized access and internal threats caused by employee or operational-staff oversight. At the same time, security breaches originating from third-party supply chains or outsourced vendors have also dropped significantly. Finally, integrating modern Security Information and Event Management (SIEM) systems with User and Entity Behavior Analytics (UEBA) shortens the time to detect and automatically block malicious lateral movement from weeks to minutes, substantially mitigating the impact of APTs on core databases.
Current Landscape and Survey on the Adoption of Zero Trust in Taiwan’s Financial and Securities Sectors
In alignment with global Zero Trust trends and to enhance the digital cybersecurity resilience of Taiwan's financial system, the Financial Supervisory Commission (FSC) officially issued the “Financial Sector Zero Trust Architecture Implementation Reference Guide” on July 15, 2024. This Guide serves as core administrative guidance for domestic financial institutions in initiating their cybersecurity transformation. The Taiwan Stock Exchange (TWSE) launched a series of cybersecurity initiatives to help securities firms implement ZTA. In 2025, the TWSE conducted a survey on the progress of ZTA implementation and organized multiple practical briefings.
Based on the TWSE's statistics, Taiwanese securities firms exhibit a polarized or multi-tiered approach in their transition toward ZTA. Most large securities firms have already launched pilot programs and have accumulated preliminary implementation experience in high-risk areas, such as remote work and privileged-account maintenance management. On the other hand, small- and medium-sized securities firms face significant technical hurdles, leading to a cautious wait-and-see approach toward Zero Trust transformation. Common challenges include: highly heterogeneous and largely outdated legacy information systems; insufficient dedicated cybersecurity personnel; excessively high costs for customized modifications; and difficulty in striking an appropriate balance between resource investment and operational risk.
To address this, the regulatory body emphasizes that the Guide is intended as administrative guidance, encouraging financial institutions to take into account their existing circumstances, resources, and personnel as they transition toward a ZTA, rather than being constrained by a single rigid requirement. The authority will also conduct regular surveys to track financial institutions’ adoption progress and assist them in overcoming sector-wide barriers.
The financial guidelines and survey findings have repeatedly pointed out that the adoption of Zero Trust is by no means an overnight success. Blindly pushing for core transaction system overhauls poses significant business disruption risks. Due to this, when transitioning toward a ZTA, firms must adopt a low-impact, high-priority strategy for rollout and deployment. They should start with areas where security risks are highest but the impact on daily core business operations is lowest in the event of system changes.
Following a comprehensive inventory of all company systems, securities firms should, in accordance with the Guide, divide their cybersecurity systems into the following six core areas for screening and classification:
- Remote work environments involve network access from outside the organization's network perimeter, by employees, internal maintenance personnel, or external developers, and are highly exposed to external threats. Because of their blurred perimeters and large attack surface, these environments are classified as high-risk but low core-business-impact areas, and it is strongly recommended that they serve as the primary area in which to reinforce baseline security.
- Cloud access environments encompass both multi-cloud and hybrid-cloud architectures. As the financial sector has loosened cloud policies, digital identity has gradually replaced physical network perimeters, making this a high-priority area.
- System maintenance and management environments encompass internal IT staff and external contractors performing remote or on-site maintenance on servers, databases, and network equipment. These environments rely extensively on privileged accounts, and compromise of such accounts enables far-reaching lateral movement. They are therefore classified as extremely high-risk and should be designated as the benchmark pilot for deep Zero Trust implementation.
- Application management environments encompass both internal and external application systems. Due to the varying degrees of customization across systems, these environments are the most heterogeneous. A gradual and long-term transformation strategy is recommended to be executed in progressive stages.
- Service-provider environments encompass the channel vendors and supply-chain partners that use their systems to access internal resources. These environments have become a primary target of supply chain attacks in recent years and are classified as a high-risk area requiring strict control.
- Cross-organizational collaboration environments encompass data exchange and authorization between financial institutions, industry associations, and related entities, requiring alignment with the construction of the overall industry trust chain.
Five Core Pillars of Zero Trust
Based on the U.S. CISA Zero Trust Maturity Model (ZTMM) and Taiwan's Financial Sector Zero Trust Architecture Implementation Reference Guide, the technical implementation of a Zero Trust architecture is built on five core pillars that provide comprehensive defense. When transitioning to a ZTA, financial institutions must gradually upgrade from traditional models to overcome technical hurdles:
(I) The identity authentication pillar serves as the first line of defense in a Zero Trust architecture. It is recommended to implement single sign-on (SSO), integrating all internal, cloud-based, and external application systems into a unified identity and access management (IAM) system, and to fully adopt strong authentication mechanisms. A real-time risk assessment is conducted for each login based on login time, geographic location, and behavioral anomalies. A common challenge is that legacy systems often lack native support for SSO protocols such as OIDC or SAML. The current recommended approach is to design “compensating controls” for these systems, such as permitting access only through “privileged jump servers” or “virtual desktop infrastructure (VDI)” that incorporates strong authentication. Senior management must proactively intervene in this pillar to establish clear “principles of least privilege and exception authorization standards,” preventing departments from granting excessive permissions for convenience. At the same time, financial institutions should incorporate oversight and regular reviews into their internal audit systems. In addition to recording logins, the identity log must ensure data integrity, consistency, and traceability to support visibility and auditing.
(II) The device management pillar emphasizes that no asset can connect to the network without verified security compliance. This breaks the old mindset that assumed “any laptop issued by the company is inherently secure.” Financial institutions should establish a comprehensive, automated asset inventory management system to ensure that all hardware, software, and firmware are under control, and fully deploy Endpoint Detection and Response (EDR) alongside mobile device management (MDM) or unified endpoint management (UEM). Financial institutions should deploy remote agents to execute patching and configuration commands, and continuously monitor compliance with device policies (for example, checking in real time whether antivirus definitions are up to date, whether the operating system has unpatched medium- or high-risk software vulnerabilities, and whether corporate security group policy objects (GPOs) have been tampered with). For non-compliant devices, the system must have the dynamic control capability to enforce isolation or immediately block access to core systems. In addition, financial institutions should assess the risk impact of vulnerability scan results and give priority to addressing medium- and high-risk issues. They should establish a security vulnerability management process, and EDR anomaly alerts should be integrated in real time with the internal SIEM or SOC platforms to achieve automated incident handling.
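The identity and device pillars come together at the point where an access broker decides whether a given login, from a given endpoint, may reach a given system. The following Python is an added illustration (not code from the Guide, the ZTMM, or any vendor product) of such a decision: identity signals (MFA strength, login hour, location baseline) and device posture findings (EDR agent state, antivirus definition age, unpatched high-risk vulnerabilities, GPO baseline drift) are scored, and the result is ALLOW, STEP_UP or DENY, with stricter hard requirements for core systems. The thresholds, the GPO baseline identifier, and all sample users and devices are constructed assumptions.

```python
"""Conditional access decision combining identity risk and device posture.

Added illustration of the identity (I) and device (II) pillars: a broker
scores each request from login time, location baseline and MFA strength,
adds the endpoint's compliance findings, and returns ALLOW, STEP_UP or DENY.
Thresholds, the GPO baseline identifier and all sample data are constructed.
"""
from dataclasses import dataclass

EXPECTED_GPO_HASH = "gpo-baseline-v7"   # constructed: identifier of the approved GPO set
MAX_AV_DEFINITION_AGE_DAYS = 3
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
PHISHING_RESISTANT = {"fido2"}           # methods accepted as phishing-resistant MFA


@dataclass
class DevicePosture:
    edr_agent_running: bool
    av_definition_age_days: int
    unpatched_high_vulns: int
    gpo_hash: str


@dataclass
class AccessRequest:
    user: str
    mfa_method: str          # "fido2", "totp" or "none"
    login_hour: int
    country: str
    usual_countries: frozenset
    resource_tier: str       # "core" (trading, customer DB) or "standard"
    device: DevicePosture


def device_findings(d: DevicePosture) -> list:
    """Policy violations for the endpoint; an empty list means compliant."""
    findings = []
    if not d.edr_agent_running:
        findings.append("edr-agent-stopped")
    if d.av_definition_age_days > MAX_AV_DEFINITION_AGE_DAYS:
        findings.append("stale-av-definitions")
    if d.unpatched_high_vulns > 0:
        findings.append("unpatched-high-vulns")
    if d.gpo_hash != EXPECTED_GPO_HASH:
        findings.append("gpo-baseline-drift")
    return findings


def identity_risk(req: AccessRequest) -> int:
    """Additive risk score from the identity signals of one login attempt."""
    score = {"fido2": 0, "totp": 1}.get(req.mfa_method, 3)   # no MFA scores highest
    if req.login_hour not in BUSINESS_HOURS:
        score += 1
    if req.country not in req.usual_countries:
        score += 2
    return score


def decide(req: AccessRequest) -> dict:
    """Return the access decision together with the evidence behind it."""
    findings = device_findings(req.device)
    score = identity_risk(req) + 2 * len(findings)
    result = {"user": req.user, "score": score, "findings": findings}
    if req.resource_tier == "core":
        # Hard requirements for core systems: compliant device, phishing-resistant MFA
        if findings or req.mfa_method not in PHISHING_RESISTANT:
            result["decision"] = "DENY"
        elif score >= 3:
            result["decision"] = "DENY"
        elif score >= 1:
            result["decision"] = "STEP_UP"   # e.g. re-authentication plus approval
        else:
            result["decision"] = "ALLOW"
    else:
        if score >= 5:
            result["decision"] = "DENY"
        elif score >= 2:
            result["decision"] = "STEP_UP"
        else:
            result["decision"] = "ALLOW"
    return result


# Constructed sample endpoints
COMPLIANT = DevicePosture(True, 1, 0, EXPECTED_GPO_HASH)
DRIFTED = DevicePosture(True, 9, 0, "gpo-unknown")   # two violations

if __name__ == "__main__":
    req = AccessRequest("trader01", "fido2", 10, "TW", frozenset({"TW"}), "core", COMPLIANT)
    print(decide(req))
    req = AccessRequest("vendor07", "totp", 23, "US", frozenset({"TW"}), "standard", DRIFTED)
    print(decide(req))
```

The design point is that the decision carries its evidence (`score` and `findings`) so the same record can be written to the identity log for the traceability the pillar requires, and so an EDR-driven change in posture immediately changes the outcome without any rule rewrite.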
(III) The network security pillar requires treating all physical and virtual networks as open and untrusted communication channels. This approach shifts entirely to application-centric micro-segmentation controls and comprehensively implements end-to-end encryption, upgrading from traditional coarse segmentation to micro-segmentation by dividing the network into small, independent, and strictly controlled logical protection zones. For legacy applications, devices, or browsers that do not support HTTPS, interim technical alternatives may be employed, such as deploying reverse proxies or application-layer proxies, or requiring access through remote desktop gateways that support HTTPS. These are stopgaps, and a phase-out plan for the legacy components must still be formulated.
The recommended phased implementation sequence is: 1. Implement basic network segmentation and traffic monitoring; 2. Fully inventory assets and classify these assets by their business roles; 3. Utilize Network Traffic Analysis (NTA) to map out a “dependency graph” between application systems and components to establish relationships among configuration items (CIs); and 4. Deploy a software-defined networking (SDN) or micro-segmentation solution and integrate it with the SOC to achieve automated alerting and isolation.
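Steps 2 to 4 of this sequence can be demonstrated end to end: the inventory maps hosts to business roles, observed flows are aggregated into a role-level dependency graph, and that graph becomes a default-deny allowlist against which later traffic is checked. The Python below is an added example, not code from the Guide or from any NTA or SDN product; the inventory, the flow records (in the shape a NetFlow summary would have), the packet threshold and the role names are all constructed.

```python
"""Learning a default-deny micro-segmentation policy from observed traffic.

Added example for steps 2 to 4 of the network pillar: the asset inventory maps
hosts to business roles, NTA-style flow records are aggregated into a
role-level dependency graph, the graph becomes an allowlist, and any later
flow outside that allowlist is denied and reported for SOC review.
Inventory, flow records and thresholds are all constructed for illustration.
"""
from collections import defaultdict

# Step 2: inventory, host -> business role (constructed)
INVENTORY = {
    "10.0.1.10": "web-frontend",
    "10.0.1.11": "web-frontend",
    "10.0.2.20": "order-api",
    "10.0.3.30": "trade-db",
    "10.0.9.90": "jump-server",
}

# Step 3 input: constructed flow summaries in the shape NTA/NetFlow tooling
# exports: (src_ip, dst_ip, dst_port, packets)
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443, 1200),
    ("10.0.1.11", "10.0.2.20", 8443, 980),
    ("10.0.2.20", "10.0.3.30", 1433, 5400),
    ("10.0.9.90", "10.0.3.30", 22, 40),
    ("10.0.1.10", "10.0.3.30", 1433, 1),    # single probe: must not become a rule
]

MIN_PACKETS = 10   # below this, an edge is noise rather than a dependency


def build_dependency_graph(flows, inventory, min_packets=MIN_PACKETS):
    """Aggregate host-level flows into (src_role, dst_role, port) -> packets.

    Returns the graph and the set of hosts missing from the inventory;
    unknown hosts are a step-2 gap and are never learned into policy.
    """
    counts = defaultdict(int)
    unknown = set()
    for src, dst, port, packets in flows:
        if src not in inventory or dst not in inventory:
            unknown.update(h for h in (src, dst) if h not in inventory)
            continue
        counts[(inventory[src], inventory[dst], port)] += packets
    graph = {edge: n for edge, n in counts.items() if n >= min_packets}
    return graph, unknown


def to_allowlist(graph):
    """Step 4: every learned dependency becomes an explicit allow rule."""
    return frozenset(graph)


def check_flow(src, dst, port, inventory, allowlist):
    """Default-deny evaluation of one flow against the learned allowlist."""
    src_role, dst_role = inventory.get(src), inventory.get(dst)
    if src_role is None or dst_role is None:
        return "DENY:unknown-asset"
    if (src_role, dst_role, port) in allowlist:
        return "ALLOW"
    return f"DENY:no-dependency {src_role}->{dst_role}:{port}"


def denied_flows(flows, inventory, allowlist):
    """Flows that violate the policy, in the form a SOC alert would carry."""
    hits = []
    for src, dst, port, _ in flows:
        verdict = check_flow(src, dst, port, inventory, allowlist)
        if verdict != "ALLOW":
            hits.append((src, dst, port, verdict))
    return hits


if __name__ == "__main__":
    graph, unknown = build_dependency_graph(OBSERVED_FLOWS, INVENTORY)
    policy = to_allowlist(graph)
    for rule in sorted(policy):
        print("allow", rule)
    # A later batch that includes a host absent from the inventory
    later = OBSERVED_FLOWS + [("10.0.5.50", "10.0.3.30", 1433, 30)]
    for hit in denied_flows(later, INVENTORY, policy):
        print("alert", hit)
```

Two details matter in practice: the packet threshold keeps one-off probes from being baked into the allowlist, and a host missing from the inventory is denied rather than guessed, which turns inventory gaps (step 2) into visible alerts instead of silent exceptions.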
(IV) The application protection pillar aims to secure information systems and services running in local, mobile, or cloud environments by decoupling them from the underlying network architecture. This ensures that applications are protected (e.g., through the deployment of a WAF) and prevents the direct exposure of physical IP addresses to external parties, while automating the integration of security monitoring into development and deployment processes. Many organizations mistakenly believe that deploying tools such as GitLab CI/CD or Jenkins inherently creates a Zero Trust environment. In reality, CI/CD automation under a Zero Trust framework must actually encompass five core considerations—automated build and testing processes, environment isolation and change control, automated deployment and rollback mechanisms, permission and review systems, and security and audit integration.
(V) The data protection pillar covers the core of a financial institution's digital assets and the ultimate target of hackers and internal leakers. Implementing full-lifecycle data protection, encompassing at-rest and in-transit encryption, data masking, and data leakage prevention (DLP), is essential. Without automation, relying solely on manual classification leads to incorrect data labeling and ineffective enforcement of least privilege. Financial institutions should address the following key areas: 1. Deploy automated data discovery and classification tools to continuously scan databases and file servers; 2. Apply data labels and bind them to the IAM system’s RBAC/ABAC policies to ensure precise authorization; and 3. Establish a continuously updated data catalog. Regarding “data availability” in backup operations, financial institutions are strongly advised to implement the 3-2-1 backup principle (at least three copies, on two different media types, with one copy stored off-site or offline); deploy immutable backups or WORM technology to prevent ransomware tampering; perform regular disaster recovery (DR) drills; and enforce multi-factor authentication (MFA) along with behavioral monitoring for all backup access.
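The three numbered steps (automated discovery, labels bound to RBAC/ABAC, a maintained catalog) can be shown as one small pipeline. The Python below is an added example, not code from the Guide or from any DLP product: records are scanned for sensitive patterns, each field receives the highest label observed, the resulting catalog is what the access rule keys on, and lower-clearance subjects receive a masked view rather than the raw value. The detection patterns, label names, clearance levels, purposes and sample records are constructed assumptions; a real deployment would use the institution's own classification scheme.

```python
"""Automated data discovery, labelling and label-bound access control.

Added illustration of the data pillar (V): records are scanned for sensitive
patterns, each field receives the highest label found, and the catalog entry
is what the ABAC rule evaluates at access time. Patterns, labels, purposes
and sample records are constructed for illustration.
"""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13-16 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
LABEL_RANK = {"internal": 1, "confidential": 2, "restricted": 3}

# ABAC policy: clearance needed for the raw value, clearance needed for a
# masked view, and the declared purposes under which access is permitted
POLICY = {
    "restricted":   {"min_clearance": 3, "masked_clearance": 2,
                     "purposes": {"settlement", "fraud-review"}},
    "confidential": {"min_clearance": 2, "masked_clearance": 1,
                     "purposes": {"settlement", "fraud-review", "support"}},
    "internal":     {"min_clearance": 1, "masked_clearance": 1, "purposes": None},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs are not labelled as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def classify_value(text: str) -> str:
    """Label a single value by the most sensitive pattern it contains."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "restricted"
    if EMAIL_RE.search(text):
        return "confidential"
    return "internal"


def discover(records) -> dict:
    """Build the field -> label catalog, keeping the highest label seen per field."""
    catalog = {}
    for rec in records:
        for field, value in rec.items():
            label = classify_value(str(value))
            current = catalog.get(field, "internal")
            if LABEL_RANK[label] >= LABEL_RANK[current]:
                catalog[field] = label
    return catalog


def mask(value: str, label: str) -> str:
    """Masked rendering for subjects cleared to see that data exists but not its content."""
    if label == "restricted":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    if label == "confidential":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return value


def authorize(subject: dict, field: str, catalog: dict, purpose: str, value: str):
    """ABAC decision bound to the catalog label: (decision, value as shown)."""
    label = catalog.get(field, "restricted")   # unclassified data gets the strictest label
    rule = POLICY[label]
    if rule["purposes"] is not None and purpose not in rule["purposes"]:
        return ("DENY", None)
    if subject["clearance"] >= rule["min_clearance"]:
        return ("ALLOW", value)
    if subject["clearance"] >= rule["masked_clearance"]:
        return ("MASKED", mask(value, label))
    return ("DENY", None)


# Constructed sample records as a scanner would read them from a table
RECORDS = [
    {"card": "4111 1111 1111 1111", "email": "alice@example.com", "note": "margin call"},
    {"card": "not on file", "email": "n/a", "note": "ref 1234567890123456"},
]

if __name__ == "__main__":
    catalog = discover(RECORDS)
    print(catalog)
    analyst = {"name": "analyst02", "clearance": 2}
    print(authorize(analyst, "card", catalog, "fraud-review", RECORDS[0]["card"]))
```

The Luhn check is what keeps the "ref 1234567890123456" note at the internal label even though it is a 16-digit run, and the catalog default for an unknown field is the strictest label, so a column that the scanner has not yet seen fails closed rather than open.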
Recommendations and Conclusions
Taking into account the current landscape of domestic securities firms and existing environmental constraints, the adoption of a phased, three-stage implementation strategy is recommended. The first stage is the pilot and mass adoption phase. We recommend that “remote-work environments reaching Level I” should be established as the company-wide baseline for cybersecurity. All remote-access vulnerabilities must be thoroughly identified, and organizations or departments that do not meet this standard must immediately implement basic identity and device authentication measures to establish a reliable minimum defense threshold for the most common perimeter. The second stage is the deepening and advancement phase. Given the highly heterogeneous and customized application systems, a phased, incentivized strategy should be adopted. A successful existing system should be utilized as a template to guide and assist organizations in long-term, continuous transformation, driving other systems to progressively adopt dynamic attribute validation and reach Level II maturity, rapidly and steadily elevating the overall level of information security. The third stage is the comprehensive defense phase. A ZTA will be fully rolled out across all applicable environments (including cloud, cross-organizational collaboration, and supplier management), achieving uniform overall maturity.
In conclusion, implementing a Zero Trust architecture in the financial sector means more than deploying specific cybersecurity software or running a one-off IT upgrade project; it is a long-term undertaking involving corporate security culture, high-level organizational governance, internal operational processes, privilege auditing systems, and the overall information backbone architecture. From the strict federal timelines in the U.S. to the operational-resilience-driven approach in the EU, and the Reference Guide from Taiwan’s FSC together with the TWSE’s audit guidance, domestic and international trends clearly indicate that Zero Trust has become an irreversible international cybersecurity standard. As financial institutions navigate the wave of digital transformation, they must recognize that the risks of not undertaking cybersecurity transformation are likely to exceed the costs of technical adaptation.
Financial and securities firms should employ the “high-risk, low-impact” approach and follow the three-phase strategy to progressively implement the five core pillars: identity authentication, device management, network security, application protection, and data protection. Only by building a strictly enforced ZTA capable of dynamic context awareness, continuous verification, and coordinated automated response with the SOC can the financial sector build an unbreakable barrier of digital operational resilience against increasingly severe threats to digital security. This approach ensures the absolute safety of the national critical financial infrastructure and customer assets.