Information Security
We have established an information security policy and information security management system to ensure the confidentiality, completeness, and availability of information assets, and also aims to achieve compliance of information operations and services by implementing information security risk management. In response to the expansion and diversity of the insurance business, we made information security internal controls and related regulations applicable to the entire company. As such, business units not only play the role of user, but also play the role of responsible unit and maintenance unit, which further enhances the Company's overall information security management.
The Company implemented a management system according to the international information security management framework to ensure solid information security. We have also maintained the effectiveness of our ISO 27001 Information Security Management System certification, and improved our protection for customers' rights and interests.
The immediate reporting of information security incidents will significantly improve the effectiveness of subsequent tracking, response, and handling, properly handling information security incidents to reduce the hazard.
The websites of government agencies and important livelihood services are often the target of Distributed Denial of Service (DDoS) attacks launched by hacker organizations, resulting in the websites of some agencies going offline. To strengthen defense and response capabilities for DDoS attacks, the Company conducted DDoS drills in 2023 to verify the ability of its website or servers to withstand DDoS attacks, and verify the effectiveness of defense plans.
For current suppliers, the Company periodically evaluates services provided by the supplier and further introduced the Security ScoreCard mechanism in 2021, which examines the information security maturity of the supplier's external systems, and includes them as evaluation items to make supplier attach greater importance to information security. We also periodically supervise and audit contractors every year (which includes information security review matters), to verify the overall service abilities and standards of contractors, which serves as the basis for subsequent contractor selection.
KGI Life continues to strengthen mechanisms for protection of customers' personal data, rights, and interests, and introduced the personal information management system (PIMS) in 2017 according to BS 10012:2017 Personal Information Management System Standard, embedding personal information protection and management into its corporate culture. KGI Life expanded the scope of verification to all units in 2020, and completed an applicability evaluation mechanism for the European Union's General Data Protection Regulation (GDPR). We continued to hire external verification institution each year and passed the review for the BS 10012 certification in 2023. This shows the Company's spirit of continuously improving PIMS.
KGI Life has established a Personal Information Management Committee with the president as the convener. The committee meets every six months and the overall operating status of personal information protection is reported to committee members. Contents of the meetings include the implementation of personal data protection, technology development, management system supervision and review, and personal information incident management. The meetings discussed private and information security issues, and aim to continue promoting, managing, and supervising the effective operation of PIMS.
Furthermore, the Company established a Personal Data Protection Working Group that examines if personal data management, management procedures, and safety management mechanisms are implemented according to plans; personnel who have the PIMS Lead Auditor certificate assist with internal audits of personal data protection.
KGI Life established procedures for responding to and reporting personal information incidents, so that it can promptly respond to and properly handle personal information incidents. KGI Life also has a Personal Information Incident Emergency Response Team that carries out reporting procedures and response measures based on the responsibilities of each member and the level of the incident. The team implements damage control and engages in review discussion of corrective and preventive measures after handling an incident. In addition, if a personal information incident occurs and a customer is involved, the Company will notify the customer in accordance with the Personal Data Protection Act. Contents of the notification include the facts of the incident and the response measures taken by the company, and provide a consulting service hotline for customers to call for consultation and assistance. The Company has a system for the parties involved to exercise their rights and file complaints. When customers exercise their rights or file complaints, the Company will properly handle the situation and reply to the customer within the time limit specified by the law.