Information Security

■ Information Security Governance System

The Board of Directors is responsible for reviewing the overall information security policies of E.SUN FHC and for major decisions on information security issues. A Risk Management Committee was established in 2021, and the Chief Information Security Officer reports information security issues to it each year. Every year, the Chairman, President, Chief Auditor, and the chief officer of the dedicated information security office jointly issue a Declaration of Overall Information Security Implementation. The Board of Directors and senior management fulfill their duties of supervision and governance, and the Board includes members with information-related backgrounds. E.SUN Bank has appointed a Chief Information Security Officer (CISO) to supervise the overall implementation of information security operations, inspect the effectiveness of information security risk management mechanisms, and report to the Board of Directors on the overall effectiveness of the management conducted by the information security management organizations. The CISO is the highest-ranking information security officer.

To strengthen information security governance, the E.SUN FHC Information Security Management Committee (ISMC) was set up in 2017. In 2019, an information security management system and a dedicated information security unit were established to promote and implement information security operations. The ISMC is in charge of reviewing the E.SUN FHC Information Security Policy, which applies to all subsidiaries under E.SUN FHC. In addition to reviewing governance policy, the Committee supervises the execution of information security management and regularly reports to the Board of Directors on the status of information security governance, including policy amendments, risk disclosure and incident handling.

E.SUN's vision of information security is to establish a tight and effective information security defense network. Under this vision, E.SUN gradually improves the comprehensive protection capacity based on the consistency in information security governance. The aim is to become a benchmark enterprise of information security governance maturity.

The Information Security Management Division is responsible for the FHC's information security governance, promotion, and risk management. On the governance side, it maintains a comprehensive governance system, ensures compliance with regulations, promotes the implementation of security procedures, and raises employees' information security awareness and professional abilities. On the technical side, the division uses technology to identify information security risks and weaknesses and carries out effective remediation, thereby building up the Company's information security protection capacity.

■ Resources for Information Security

E.SUN continuously invests resources in information security. Information security expenses in 2020 were 48.73% higher than in 2019. The resources were used to improve the infrastructure of security governance and technology, strengthen information security defense equipment, conduct security intelligence analysis, conduct response drills and provide education and training, thereby comprehensively improving the Bank's information security capabilities.

Regarding information security training, 162 employees had obtained ISO 27001 Lead Auditor certification by the end of 2020. All employees of the Company took information security tests in 2020, with a passing rate of 100%. Additionally, a total of 7,586 hours of information security courses were conducted for tech-related personnel, of which 93.4% were internal training and 6.6% external. The Information Security Management Division also conducts information security training for all employees every month, with themes planned according to the current internal and external threats.
Monthly training of information security in 2020

| Month | Topic |
|---|---|
| January | Social Engineering Attacks and Prevention |
| February | Malware Prevention |
| March | Malicious Site Identification |
| April | Email Attacks |
| May | Information Security for Working from Home |
| June | IoT's Potential Threat to Information Security |
| July | Information Security Guide |
| August | Safety Guide on Mobile Devices |
| September | Protection from Malware |
| October | IT Devices and Physical Safety |
| November | Malicious Site Identification |
| December | Protecting Personal Information Stored in IT Devices |

■ Information Security Incident

The Company has established procedures for the reporting and handling of information security incidents. Security incidents across the entire Bank are recorded by the notification contact of the information technology unit and ranked by severity. For major information security incidents, the Information Security Management Division and the "notification contact for major incidents of the FHC/headquarters" must be notified. The Information Security Management Division handles and resolves each information security incident within the target handling time. After the incident, the root cause must be analyzed and corrective measures adopted to prevent any recurrence.

The information security incidents of the past three years and the financial losses arising from them are shown in the following tables. In the 2020 case, E.SUN received feedback from a customer that the customer's internet banking account appeared to have been hacked and a transfer conducted. After inspecting the information security equipment and the relevant host computer, it was verified that there was no information security risk such as hacking or virus infection, and the internet banking transaction procedures were protected by comprehensive e-banking transaction security controls. The investigation showed that malware had been planted on the customer's cell phone, which led to the leakage of personal data that was then used for account transfers. The incident did not result from internal control faults or major deficiencies in operations. In order to protect the customer's interests, E.SUN compensated the customer in full and published the relevant news and alerts on the official website to remind customers of the risks of improper cell phone usage.
| A- Information Security Incident | 2018 | 2019 | 2020 |
|---|---|---|---|
| Total number of information security incidents | 0 | 0 | 0 |
| Total number of information security incidents causing customer data loss | 0 | 0 | 0 |
| Total number of customers affected by information security incidents | 0 | 0 | 0 |
| Financial losses due to information security incidents | 0 | 0 | 0 |

| B- Data breaches | 2018 | 2019 | 2020 |
|---|---|---|---|
| Total number of data breaches | 0 | 0 | 0 |
| Percentage of breaches involving personally identifiable information | 0% | 0% | 0% |
| Total number of account holders affected by data breaches involving personally identifiable information | 0 | 0 | 0 |

■ Personal Information Protection Management

The Personal Information Protection Task Force is responsible for establishing personal information protection regulations, which include management measures for collection, handling, and use of personal information. The Company followed "E.SUN FHC and Subsidiary Guidelines for Personal Information Management and Organization" to examine and adjust the Personal File Checklist and Overview of Corporate Information Flow. The organizational structure is shown in the chart below.
E.SUN FHC and its subsidiaries use customers' data with the utmost care. In 2020, E.SUN received 36 customer cases relating to personal information; 27 of them came from the Financial Supervisory Commission and 9 were collected by E.SUN through customer feedback channels or business units. (Please see the Statistics of the Number of Complaints Related to E.SUN Services and Personal Information for details.) After investigation, none of the cases involved a personal information breach. However, in one of the cases the customer requested mediation by the Financial Ombudsman Institution and compensation of 12,000 NTD was paid. E.SUN always responds actively to customer complaints and continues to enhance service staff training in order to improve E.SUN's service quality. The 2020 audit was conducted by an independent audit department, and the current status of retained personal information was also reviewed. The audit found no deficiencies in the use of customer data. (Please see the Statistics of the Number of Audited Deficiencies in Terms of the Use of Personal Information in Recent Years for more details.) E.SUN will persevere in its efforts to protect customer information.
Statistics of the Number of Complaints Related to E.SUN Services and Personal Information in 2020

| Cases of Personal Information | Competent Authority | Collected by E.SUN | Total |
|---|---|---|---|
| Deposits and transfers | 4 | 1 | 5 |
| Personal credit services | 7 | 2 | 9 |
| Wealth management services | 9 | 0 | 9 |
| Credit card services | 5 | 3 | 8 |
| Corporate credit services | 0 | 0 | 0 |
| Other | 2 | 3 | 5 |
| Total | 27 | 9 | 36 |

Statistics of the Number of Audited Deficiencies in Terms of the Use of Personal Information in Recent Years

| Year | 2016 | 2017 | 2018 | 2019 | 2020 |
|---|---|---|---|---|---|
| Use of personal information audited deficiencies | - | 0 | 2 | 0 | 0 |

■ Customer's data for secondary purposes

  • I. E.SUN monitors 100% of the usage of customers' data and evaluates whether processing for another purpose is compatible with the original purpose prior to the secondary usage. The evaluation principles are as follows:
    • (I) Reasonable link between the original and new purposes.
    • (II) Whether customers' identities and background are suitable for secondary usage.
    • (III) Nature of the personal data, in particular whether special categories of sensitive personal data are processed.
    • (IV) The possible consequences of the intended further processing.
    • (V) The existence of appropriate safeguards, which may include encryption or encoding.
  • II. The relevant control mechanisms and results of customer's data being used for secondary purposes are as follows:
    • (I) Information processing: All data is accessed through a remote desktop, and the whole process is recorded on the cloud side for tracking.
    • (II) Data output: Before data is output, a list review is conducted through the "Global Communication Framework" to exclude customers who should not be included, such as those on blacklists or those who have not consented to joint marketing.
| Cases related to personal information | 2019 | 2020 |
|---|---|---|
| Number of customers whose data was used for secondary purposes | 5.08 million | 7.18 million |
| Percentage of all customers | 74.7% | 76.6% |