Information and Cybersecurity Governance Framework
SinoPac Securities has established a comprehensive information and cybersecurity governance framework. The Board of Directors serves as the highest authority responsible for supervising the Group’s information security strategies. In December 2021, the Board approved the establishment of the position of Chief Information Security Officer, held by a Vice President.
To effectively implement information security initiatives, the Company has set up an Information Security Committee, convened by the head of the Information Security Dept. Committee members are designated from the Risk Management Division, Legal & Compliance Division, General Affairs Dept., Human Resources Dept., and the various Business Divisions. The Audit Division may also be notified to appoint a representative to attend meetings.
Furthermore, the overall annual implementation of information security is included in the Statement on Internal Control System, which is jointly signed by the Chairman, President, Audit Supervisor, and Chief Information Security Officer of the Company.
| Unit | Responsibilities |
|---|---|
| Board of Directors | Serves as the highest authority responsible for supervising the Company’s information security strategies. |
| Information Security Committee | Responsible for proposing information security policies, promoting the implementation of the information security management system, enhancing information security awareness, formulating education and training plans, evaluating the infrastructure of the information security management system, and reviewing and assessing its legality and appropriateness. |
| Information Security Dept. | Oversees the development of information security strategies, plans for information protection, and is responsible for executing and monitoring information security management tasks. |
| Information Technology Division | Responsible for planning the Company’s information technology development strategies, integrating IT resources, and managing software and hardware investments. |
SinoPac Securities has established an Information Security Policy to strengthen the Company’s information security management, build a secure and reliable information system, ensure the security of system equipment and networks, enhance employees’ awareness of information security, protect customer rights, and comply with relevant laws and regulations. The policy is reviewed annually, and any revisions are required to be submitted to the Board of Directors for approval.
In addition, the Company conducts annual reviews of the Information Security Policy and the incident response procedures to ensure that they align with the current operational environment and regulatory requirements. The Company also evaluates major information security issues and analyzes internal cybersecurity risks and vulnerabilities as part of these reviews.
Cybersecurity Incident Reporting Procedures
According to SinoPac Securities’ Information Security Policy, in the event of an information security incident, each unit must immediately follow the Company’s Emergency Response Guidelines for reporting and managing the incident. The Information Security Department is responsible for assessing the scope of impact, formulating a response plan, and reporting to the convener of the Information Security Committee for the necessary decisions and coordination of tasks. To ensure uninterrupted operations, the Company conducts annual tests of its Business Continuity Plan (BCP) and emergency response procedures. These tests help determine the recovery priorities of the various operations and serve as the basis for resource allocation strategies, thereby strengthening the operational mechanisms of business continuity management, reducing information operation risks, and safeguarding customer interests. In 2024, the Company did not incur any fines or financial losses due to information security incidents that caused damage to its information systems or equipment.
Professional Training and Education Programs
To strengthen internal information security awareness, SinoPac Securities conducts annual online cybersecurity training for all employees. The training courses cover fundamental concepts of information security, emerging trends in cybersecurity, an introduction to social engineering techniques, promotion of internal regulations, awareness of deepfake technologies, and the cultivation of information security consciousness. Compliance with information security requirements has also been included in the employee performance evaluation criteria.
2024 Cybersecurity Training Implementation Status
| Recipients | Results of training programs |
|---|---|
| Dedicated information security personnel | The personnel completed at least 15 hours of professional information security training courses in accordance with the Criteria Governing Internal Control Systems of Securities Firms, passed the evaluation, and received 15 professional certificates and 22 certificates of attendance. |
| Regular employees | Personnel who are users of the information systems completed at least 3 hours of information security training in accordance with the Criteria Governing Internal Control Systems for Securities Firms. The passing rate of the social engineering exercises was 98.88%. Employees who fail an exercise receive enhanced training and additional tests until they pass. |
Resources Invested in Cybersecurity Management
The Company’s IT-related units (including the Information Security Dept.) provide services such as system management, application software development, outsourcing management, database management, network management, information security management, and maintenance of the related infrastructure. These activities are carried out in compliance with the ISO 27001 standard, and the Company has obtained the relevant certification.
In addition, the Company continues to enhance its cybersecurity protection mechanisms and strengthen its personal data protection management. Key areas of improvement include Advanced Persistent Threat (APT) defense systems, Network Detection and Response (NDR) solutions, DDoS attack prevention, email content filtering, malware detection, website and app vulnerability scanning, and security inspections. For high-risk systems (such as electronic trading platforms and accounting systems), the Company implements architectural isolation and system hardening measures.
In 2024, the Company’s cybersecurity-related expenditures, including software and hardware licensing fees and personnel training costs, accounted for 8.02% of the total IT budget.