Information Security
Innovation in digital technology, especially FinTech, has brought great changes to people's lives. The emergence of new technologies, such as web applications, mobile applications, digital currency, blockchain, mobile payment, APIs and biometrics, has driven an enormous evolution in the finance industry. These changes have not only created new opportunities but also brought information security risks, including cyberattacks, incorrect user authentication, money laundering and fraud, leakage of personal data, etc. To respond properly to the risks and opportunities brought by digital technologies, KTB has established a sound management structure and system, enhanced hardware and software strength, and conducted education and training as precautions and countermeasures. Achievements in 2023 are as follows:
Information Security Management Framework
The Information Technology Department of KTB is the information security execution unit and the first line of defense of information security internal control. In August 2015, the Board of Directors approved the establishment of a dedicated information security unit, the "Information Security Section," under the Risk Management Department to serve as the second line of defense of information security internal control and to be responsible for the planning, promotion, monitoring and management of the information security management system (ISMS), so as to enhance information security management. The Auditing Department under the Board of Directors is an independent information security audit unit that plays the role of the third line of defense of information security internal control and is responsible for information security audits to ensure that management operations are implemented.
In order to improve the Bank's ISMS, respond to changes in information security regulations, and comply with relevant government laws and regulations, so as to reduce the risks and impacts arising from information security, KTB established the "Information Security Management Committee" in November 2015. The committee is responsible for reviewing the ISMS policy and regulations as well as the overall implementation of information security. The dedicated information security unit, the "Information Security Section" under the Risk Management Department, submits an implementation overview to the chairman every year, after which the Auditing Department reports the results to the Board of Directors. The committee has a convener, a role served by the president or a person designated by the president; its members are the heads of the Risk Management Department, Information Technology Department, Digital Service and Channel Management Department and Compliance Department (or their designees), together with the heads of units designated by the convener. The Auditing Department attends meetings as a non-voting member. The committee holds at least one management review meeting every year and holds additional meetings as required. The main tasks of the meeting are as follows:
(1) Formulate KTB's Information Security Policies.
(2) Promote the Information Security Management System.
(3) Evaluate infrastructure of the Information Security Management System.
(4) Handle and review material information security incidents.
(5) Determine the major issues or discussion matters regarding information security as proposed by each unit.
(6) Review the overall annual implementation of information security.
(7) Discuss other information security matters.
In addition, to strengthen the information security management framework, KTB created a new position of Information Security Officer on December 21, 2021, responsible for integrated information security policy promotion and resource scheduling. In accordance with the Financial Supervisory Commission's "Financial Cyber Security Action Plan 2.0," which encourages financial institutions to appoint directors or advisors with cybersecurity backgrounds or to establish cybersecurity advisory groups, a "Cybersecurity Advisory Group" was officially established on July 1, 2023. Its members include the President, Chief Auditor, Chief Regulatory Compliance Officer, Head of Risk Management, Head of Information Technology, Chief Information Security Officer, as well as internal and external members appointed by the President. The primary members are the relevant managers from the Company's three lines of defense in cybersecurity, whose responsibilities and qualifications are closely related to the institution's overall cybersecurity policy, in order to improve the board members' comprehension of the cybersecurity landscape and successfully integrate cybersecurity risks into business decision-making.
Information Security Management Measures
Information Security Policy
KTB has formulated the "Information Security Policy" to protect the confidentiality, integrity, and availability of KTB's information assets, to prevent risks including inappropriate use, leakage, alteration, and damage, and to ensure the safety of the collection, handling, transmission, storage, and distribution of information.
Moreover, KTB has formulated procedures and manuals in accordance with the "Information Security Policy" to specify the required conduct of employees, outsourced service providers, and visitors, and reports the relevant regulations to the Information Security Management Committee.
The Company obtained the "Information Security Management System (ISMS) ISO/IEC 27001:2013" certification (valid until October 31, 2025) in December 2022. The Company will continue to review and improve its ISMS to keep pace with the latest developments in information security laws, technology, organization and operations. In addition, in accordance with the requirements of the competent authorities, regulations and the Bank's ISMS standards, we implement relevant control measures to build and strengthen all-round information security defense capabilities. The specific management plan is as follows:
(1) Information Security Protection and Inspection Analysis
● Establish an information security inspection platform for real-time information monitoring and statistical data presentation.
● Establish backup routes and a "Distributed Denial-of-Service (DDoS) Attack Monitoring and Traffic Cleaning Protection" mechanism for the Internet network of major businesses.
● Regular information security evaluations are conducted by external professional vendors, including information architecture review, network activity testing, security settings review, vulnerability scanning, penetration testing, compliance review, etc. In accordance with the internal information security management regulations established by King's Town Bank, the risk items in the evaluation report are regularly reviewed and improvement measures are tracked by the Information Security Management Committee to ensure information security is not compromised.
● Update information security protection software and hardware regularly to detect and block Internet attacks effectively and in a timely manner.
● Join the Financial Information Sharing and Analysis Center (F-ISAC) to become a member of the domestic information security joint defense system and gain instant access to financial security information.
(2) Information Security Emergency Response Drills
In order to minimize the impact on business and resume operations in the shortest time in case of major disasters affecting information services, KTB has formulated regulations including the "Business Continuity Management Manual," "Cyber Security Incident Management Procedure," "ATM Cyber Security Emergency Response Procedure," "Information Office Handling of Denial-of-Service Attack Guide," and "Open System Backup Exercise Plan," etc. KTB also conducts annual drills to minimize possible information security impacts through correct operating procedures. In 2023, KTB organized a total of 31 drills, and the content is as follows. KTB has submitted the status of the drills to the Information Security Committee for review:
(3) Information Security Planning: In order to continuously enhance the Company's information security management measures, we plan to implement the new version of ISO 27001:2022 and provide education and training for personnel holding relevant information security certifications.
Resources Invested in Information Security
KTB has been continuously investing in information security related fields. In 2023, KTB invested a total of NT$45,601 thousand in information security, accounting for 65.70% of the total information budget; the projects funded include the improvement of information security and defense equipment, data monitoring and analysis, education and training, and so on. In terms of information security staffing, there is 1 Information Security Officer, 4 members of the information security promotion unit as the 2nd line of defense, and 94 members of the information security execution unit as the 1st line of defense, for a total of 99 members.
In terms of education and training, the whole company participated in an information security test, with a pass rate of 100%. 3,529 hours of internal and external courses related to information security were organized, of which 87% were internal education and training courses and 13% were external education and training courses. In addition, the information security promotion unit conducts information security awareness training twice a year for the whole company. The topics of the awareness training are planned according to laws and regulations and current internal and external threat events, and the topics are as follows:
KTB has developed the "Cyber Security Incident Management Procedures" to standardize the reporting process, evaluation capability and contingency measures for information security incidents. In the event of an information security incident, the personnel of the relevant units being notified shall immediately classify and identify the incident, decide whether to form an "Emergency Response Team" according to the incident level, identify the scope of impact within a specified time, find out possible causes, eliminate and resolve the information security incident, and analyze and produce reports after handling the incident to prevent it from happening again. Losses, possible impacts and countermeasures from significant information security incidents in the most recent year and up to the publication date of the annual report (if a reasonable estimate cannot be made, the fact that it cannot be reasonably estimated shall be explained): there was no material information security incident in 2023 or up to January 2024.