Information Security

Information Security Policy

We have established an information security policy and an information security management system to ensure the confidentiality, integrity, and availability of our information assets, and to keep information operations and services compliant by applying information security risk management. In response to the expansion and diversification of the insurance business, we made information security internal controls and related regulations applicable to the entire company. Business units therefore act not only as users of information assets, but also as the responsible and maintenance units for them, which further strengthens the Company's overall information security management.

The Company implemented its management system according to the international information security management framework to ensure sound information security. We have also maintained the validity of our ISO 27001 Information Security Management System certification and improved the protection of customers' rights and interests.

Information Security Measures and Actions
Participation in Information Security Joint Defense
The Company actively participates in joint defense exercises with other financial institutions. We applied to join the Financial Information Sharing and Analysis Center (F-ISAC) of the FSC and became a member as early as 2017. We continue to share de-identified detection and blocking intelligence from our information security equipment with the F-ISAC for integrated analysis. This allows us to prevent incidents before they occur, respond to early warning signs during an incident, and minimize damage afterwards. The Company has attended 8 F-ISAC conferences so far.
Establishing a Security Operation Center (SOC)
The Company established a Security Operation Center (SOC) to monitor and detect information security incidents 24/7, increasing our incident monitoring capability. The SOC is integrated with the information security log and incident management and analysis system, so that events from multiple sources can be correlated across several dimensions. Information security analysts review the correlated events and provide recommendations, enabling accurate reporting and warning of information security incidents in real time.
Immediate reporting of an information security incident significantly improves the effectiveness of subsequent tracking, response, and handling. Properly handling an incident reduces the level of damage it causes.
Red/blue teaming and DDoS drill
We hired external experts to conduct red team exercises in order to test the effectiveness of our defenses and strengthen the Company's response capabilities. The websites of government agencies and essential public services are frequent targets of Distributed Denial of Service (DDoS) attacks launched by hacker organizations, and some of those websites have been taken offline as a result. To strengthen our DDoS defense and response capabilities, we conducted DDoS drills in 2022 to verify that our website and important servers can withstand a DDoS attack and to confirm the effectiveness of our DDoS defense plans.
Obtaining the Mobile Application Security (MAS) Mark
To strengthen the ability of the mobile apps we provide to customers to protect basic information, we carry out information security evaluations of the relevant computer systems every year, test the apps, and obtain the MAS mark in accordance with the "Mobile App Basic Information Security Testing Standards." This effectively raises information security awareness during mobile app development and gradually improves the security of our mobile apps.
Information security education and training
The Company's dedicated information security personnel receive at least 15 hours of professional information security training each year. Information security personnel in each department must complete at least 6 hours of courses on information security communication and operations. For office staff, the Information Security Department plans 3 hours of information security training each year and online information security training for new employees, and it periodically sends company-wide e-mails promoting information security, in order to keep improving the information security literacy of the Company's employees.
All members of the information security audit team have the ISO 27001 Information Security Management System Lead Auditor certificate, and we continue to assist and encourage employees to obtain information security certifications.
Personal Data Protection and Management System

We implemented a personal information management system (PIMS) according to BS 10012:2017 Personal Information Management System, and embedded personal information protection and management into the corporate culture. We also completed a mechanism for evaluating the applicability of the European Union's General Data Protection Regulation (GDPR) to our operations.

We have established a Personal Information Management Committee convened by the president. The committee meets regularly and reviews the overall operating status of personal information protection. We also have a Personal Data Protection Working Group that examines whether personal data management, management procedures, and safety management mechanisms are implemented according to plan.