Information Security

Information Security Policy
Based on the information security policy, KGI Life has established an Information Security Management System to advance our information security practices. The system ensures the confidentiality, integrity, and availability of information assets, as well as the compliance of information operations and services. In response to the expansion and diversity of the insurance business, we made information security internal controls and related regulations applicable to all units of the Company in 2021. As such, each unit not only acts as a user of information systems but also serves as the responsible unit and maintenance unit for them, which further enhances the Company's overall information security management.
Information Security Measures and Actions
KGI Life increases the relative weight of the information security budget each year to continue improving information security management and overall information security maturity. We also continue to recruit experienced personnel internally and externally. The Information Security Department has 13 dedicated personnel, and there are 49 information security personnel company-wide serving as the contact for each unit. Over the past four years, the budget allocated for information security has grown year over year. In 2024, the information security budget accounted for more than 13% of the total IT budget, demonstrating the Company’s strong commitment to information security.
Participation in Joint Information Security Defense
KGI Life is one of the first official members of the Financial Information Sharing and Analysis Center (F-ISAC), a center promoted by the Financial Supervisory Commission (FSC). We continuously share de-identified detection and blocking intelligence generated by KGI Life's security equipment for F-ISAC's integrated analysis. We also provide security-related intelligence to the Ministry of Justice's Investigation Bureau, expanding the effectiveness of joint financial defense. The FSC commended KGI Life for its outstanding performance in F-ISAC information security intelligence sharing.

We prioritize internal intelligence exchange within the KGI Group and have established a real-time information security intelligence sharing channel. We exchange information monthly with KGIF and its subsidiaries, including the Bank, Securities, and Securities Investment Trust Enterprise subsidiaries. We also proactively share information on KGI Life's overall security implementation status, strengthening cross-company horizontal defense capabilities within the Group.
Establish a Security Operation Center (SOC)
KGI Life established the Security Operation Center (SOC) to monitor and detect information security incidents 24/7, enhancing our information security incident monitoring capabilities. KGI Life integrated the SOC with the information security log, incident management, and analysis system to conduct multi-dimensional correlation analysis across these sources.

The Company also joined the Financial Security Operations Center (F-SOC), integrating with the intelligence-sharing platform and strengthening the joint defense monitoring system to enhance real-time monitoring. The Company also actively participates in F-ISAC intelligence sharing. We began introducing professional third-party vendors to monitor the Company's digital assets and systems exposed to the Internet around the clock.
System Backup and Incident Response Drills
To ensure the security of the Company’s IT infrastructure and to protect sensitive data and personal information of customers, KGI Life regularly conducts disaster recovery drills for core IT systems, IT system security assessments, external website penetration testing, and company-wide social engineering exercises.

To prevent distributed denial of service (DDoS) attacks from hacker groups, avoid website downtime, and strengthen DDoS attack defense and response capabilities, KGI Life participated in a live DDoS attack simulation organized by the F-ISAC. The exercise tested the Company’s resilience against various types of DDoS attacks, including HTTP-based, bandwidth exhaustion, and resource depletion attacks. Through this exercise, KGI Life assessed the tolerance of its internal and external service websites and critical servers under DDoS conditions, while also validating the effectiveness of its DDoS defense mechanisms.
Supplier Information Security Management and Performance
To ensure that the information security standards of third-party partners align with those of the Company, KGI Life conducts information security assessments on vendors and the personnel they assign to our engagements. In addition to requiring compliance with the Company’s relevant information security policies, KGI Life has established the "Guidelines for Outsourced Information System Operations Management" to regulate each stage of outsourcing, including planning, tendering, contracting, execution, acceptance, warranty, and audit. These measures are in place to safeguard the interests of both the Company and our customers.

Additionally, the Company conducts regular service evaluations on our partners. Since 2021, we have introduced Attack Surface Management (ASM) services. Through professional third-party mechanisms, we assess the information security maturity of suppliers' external systems and incorporate the results into our evaluation items to encourage suppliers to prioritize information security. Furthermore, KGI Life supervises and reviews suppliers each year, including information security reviews, to verify the overall service capabilities and quality of suppliers. The results are used as the basis for subsequent supplier selection.
Information Security Education and Training
Dedicated information security personnel at KGI Life are required to complete at least 15 hours of professional information security training each year. In addition, information security coordinators in each department must participate in a minimum of six hours of information security awareness and operational training annually. For general employees, the Information Security Department plans three hours of information security training annually, provides online information security training for new hires, and periodically conducts company-wide email-based security awareness campaigns. These initiatives aim to continuously enhance the overall information security awareness of all employees; the training completion rate among employees reached 100%.

Together with the Information Security Division of KGIF, KGI Life co-organized events for the Cybersecurity Month, marking the first time a financial group in Taiwan promoted the Information Security Month. We also arranged for external information security companies to deliver six information security-related courses for all employees. Through interactive discussions, we aimed to help all employees understand how information security supports business growth.
Implementation of the Zero Trust Framework
The Company has adopted a risk and impact assessment methodology centered on high-risk areas as the foundation for implementing the zero trust framework. It has conducted a comprehensive review of access paths to corporate resources (including identity, devices, networks, applications, and data) and developed a strategic framework for implementation. This approach aims to reduce the external attack surface and enhance defense in depth from the outside in, while expanding protection coverage from the inside out. The goal is to progressively meet the maturity requirements for each pillar of the zero trust framework as set by the regulators, thereby strengthening the Company’s information security governance and ensuring the delivery of innovative, secure, convenient, and stable financial and insurance services to customers. KGI Life formulated a zero trust network implementation plan in 2024 and submitted it to the Board of Directors for approval to ensure the smooth operation of the mechanism.
Personal Data Protection and Management System
KGI Life has adopted the Personal Information Management System (PIMS) in accordance with the BS 10012:2017 standard, expanding the scope of verification to cover all units and establishing an assessment mechanism for the applicability of the EU General Data Protection Regulation (GDPR). The Company also engages external verification bodies to conduct annual audits. Through institutionalized management, the Company has integrated personal information protection into its organizational culture to ensure continuous optimization of the management mechanism.

KGI Life has established a Personal Information Management Committee, with the President serving as its convener. The Committee regularly reviews overall operations, covering issues such as personal information protection implementation, technological development, management system oversight and review, and personal information incident management. A "Personal Information Protection Task Force" has also been established to oversee internal audits. A personal information incident response and reporting procedure has been established, along with an emergency response team. Annual drills are planned based on actual external cases, enhancing the Company's response and protection capabilities through simulations.