

Information Security

Innovation in digital technology, especially FinTech, has brought great changes to people's lives. The emergence of new technologies such as web applications, mobile applications, digital currency, blockchain, mobile payment, APIs and biometrics has driven an enormous evolution in the finance industry. These changes have not only created new opportunities but also brought information security risks, including cyberattacks, incorrect user authentication, money laundering and fraud, and leakage of personal data.

To respond properly to the risks and opportunities brought by digital technologies, KTB has established a sound management structure and system, strengthened its hardware and software, and conducted education and training as precautions and countermeasures. Achievements in 2022 are as follows:



Information Security Management Framework

The Information Technology Department of KTB is the information security execution unit and the first line of defense in information security internal control. In August 2015 the Board of Directors approved the establishment of a dedicated information security unit, the "Information Security Section", under the Risk Management Department, to serve as the second line of defense and to be responsible for planning, promoting, monitoring and managing the information security management system (ISMS). The Auditing Department under the Board of Directors is an independent information security audit unit; it serves as the third line of defense and is responsible for information security audits that verify management operations are actually implemented.

To improve the Bank's ISMS, respond to changes in information security regulations, comply with relevant government laws and regulations, and thereby reduce the risks and impacts arising from information security, KTB established the "Information Security Management Committee" in November 2015. The committee is responsible for reviewing the ISMS policy and regulations as well as the overall implementation of information security. The dedicated information security unit, the "Information Security Section" under the Risk Management Department, submits an implementation overview to the chairman every year, after which the Auditing Department reports the results to the Board of Directors. The committee has a convener, a role held by the president or a person the president designates; its members are the heads of the Risk Management Department, Information Technology Department, Digital Service and Channel Management Department and Compliance Department (or their designees), together with the heads of any other units designated by the convener. The Auditing Department attends meetings as a non-voting member. The committee holds at least one regular management review meeting every year and additional meetings as required. The main tasks of the meeting are as follows:

(1) Formulate KTB's Information Security Policies.
(2) Promote the Information Security Management System.
(3) Evaluate infrastructure of the Information Security Management System.
(4) Handle and review material information security incidents.
(5) Decide on major information security issues or discussion matters proposed by each unit.
(6) Review the overall implementation of information security for the year.
(7) Discuss other information security matters.

In addition, to strengthen the information security management framework, KTB created the new position of Information Security Officer on December 21, 2021, responsible for integrated promotion of information security policy and for resource scheduling.



KTB has formulated the "Information Security Policy" to protect the confidentiality, integrity and availability of KTB's information assets; to prevent risks including inappropriate use, leakage, alteration and damage; and to ensure the safety of the collection, handling, transmission, storage and distribution of information. Moreover, in accordance with the "Information Security Policy", KTB has formulated procedures and manuals that specify the required conduct of employees, outsourced service providers and visitors, and reports the relevant regulations to the Information Security Management Committee.

The Company obtained "Information Security Management System (ISMS) ISO/IEC 27001:2013" certification (valid until October 31, 2025) in December 2022. The Company will continue to review and improve its ISMS so that it keeps pace with the latest developments in information security laws, technology, organization and operations. In addition, in accordance with the requirements of the competent authorities, applicable regulations and the Bank's ISMS standards, we implement relevant control measures to build and strengthen all-round information security defense capabilities. The specific management plan is as follows:

(1) Information Security Protection and Inspection Analysis
✔ Establish an information security inspection platform for real-time monitoring and presentation of statistical data.
✔ Establish backup routes and a "Distributed Denial-of-Service (DDoS) Attack Monitoring and Traffic Cleaning Protection" mechanism for the Internet connections of major businesses.
✔ Appoint external professional companies to conduct regular information security evaluations, including information architecture review, network activity detection, security settings review, vulnerability scanning, penetration testing and compliance review; in accordance with KTB's internal security management standards, incorporate every risk item in the evaluation report into the regular review of the Information Security Management Committee and track its improvement measures to ensure the security of information.
✔ Update information security protection software and hardware regularly so that Internet attacks are detected and blocked effectively and in a timely manner.
✔ Join the Financial Information Sharing and Analysis Center (F-ISAC) to become a member of the domestic information security joint defense system and gain immediate access to financial security information.

(2) Information Security Emergency Response Drills
To minimize the impact on business and resume operations in the shortest possible time when a major disaster affects information services, KTB has formulated regulations including the "Business Continuity Management Manual", "Cyber Security Incident Management Procedure", "ATM Cyber Security Emergency Response Procedure", "Information Technology Department Handling of Denial-of-Service Attack Guide" and "Information Technology Department Open System Backup Exercise Plan". KTB also conducts annual drills so that correct, well-practiced operating procedures minimize possible information security impacts.





Resources Invested in Information Security

KTB has been continuously investing in information security. In 2022, KTB invested a total of NT$125,811 thousand in information security; the funded projects include improvements to information security and defense equipment, data monitoring and analysis, and education and training. In terms of information security staffing, there is 1 Information Security Officer, 3 members of the information security promotion unit forming the 2nd line of defense, and 92 members of the information security execution unit forming the 1st line of defense, for a total of 96 members.

In terms of education and training, the whole company took an information security test, with a pass rate of 100%. 3,097.5 hours of internal and external information security courses were organized, of which 96.9% were internal education and training courses and 3.1% were external courses. In addition, the information security promotion unit delivers information security awareness training to the whole company twice every year, with topics planned according to laws and regulations as well as current internal and external threat events; the topics are as follows:



Information Security Incident Reporting Process

KTB has developed the "Cyber Security Incident Management Procedures" to standardize the reporting process, assessment capability and contingency measures for information security incidents. When an information security incident occurs, the personnel of the relevant units who are notified shall immediately classify and identify the incident and decide, according to the incident level, whether to form an "emergency response team"; identify the scope of impact within the required time; find out the possible causes; eliminate and resolve the incident; and, after handling it, analyze the incident and produce a report to prevent a recurrence. Losses, possible impacts and countermeasures arising from significant information security incidents in the most recent year and up to the publication date of the annual report are to be listed; where a reasonable estimate cannot be made, that fact is stated: there was no significant information security incident in 2022 or up to January 2023.