Press Release
FSC releases Financial Cyber Security Action Plan 2.0, guides continued improvements in financial cyber security
2023-02-14
The Financial Supervisory Commission (FSC) has released the Financial Cyber Security Action Plan 2.0 to ensure uninterrupted operation of the financial system, provide the public a trading environment that inspires confidence, and strengthen the cyber defense capabilities of financial services firms.
To achieve secure, convenient, and uninterrupted financial services, the FSC on 6 August 2020 adopted the Financial Cyber Security Action Plan, which the FSC has now implemented for more than two years in coordination with financial industry self-regulatory organizations, financial industry associations, and financial institutions. These efforts have resulted in achievement of the Plan's main performance indicators (e.g. appointment of chief information security officers; adoption of international cyber security standards; conduct of cyber security offensive and defensive exercises, as well as competitions; and establishment of a financial cyber security incident response system). The FSC has achieved 86% of the Plan's goals, and is still working on the remaining 14%. In response to business development and technological progress, the FSC continues seeking to improve the cyber defense capabilities of financial institutions. Following a reappraisal of fintech trends over the past two years, changes in cyber security conditions at home and abroad, and the state of financial services operations, and making reference to international cyber security supervisory policies, the FSC has conducted rolling reviews and formulated the Financial Cyber Security Action Plan 2.0 to serve as the basis for the next stage of implementation.
The Financial Cyber Security Action Plan 2.0 focuses on expanding the scope of application of existing measures, implementing them more thoroughly, and encouraging forward-looking measures. The Plan includes 40 measures in total: 12 newly added cyber security measures, 5 revisions that expand the scope of application of existing measures, and 23 existing measures that will continue to be implemented:
1. Require more institutions to appoint a CISO, institute periodic CISO liaison meetings: The FSC adopted internal control system regulations for different types of financial service firms. These regulations require banks and financial institutions above a certain size to designate a chief information security officer (CISO) at the vice president level. For an institution where electronic transactions account for a certain percentage of total transactions, the quality of its cyber defenses has a major impact on overall business operations. Accordingly, such institutions are included among those required to appoint a CISO to oversee cyber security policy and allocate resources. In order to strengthen the cyber security duties of CISOs, the participants at CISO liaison meetings will discuss current cyber security conditions, strategies, and key issues, and will take advantage of the meetings to enhance interactions and joint defense efforts among financial institutions.
2. Adopt/amend self-regulatory rules in response to digital transformation and deregulation of online services: The response of financial institutions to the pandemic has accelerated the pace of digital transformation, generating ever increasing reliance on digital financial services and causing traditional financial service scenarios to expand from financial institutions to "financial ecosystem services." The FSC has therefore drawn up plans, making reference to the ISO 29115 entity authentication assurance framework, to carry out eKYC procedures in an "enrolment phase," a "credential management phase," and an "entity authentication phase," distinguishing between different levels of assurance at each. Self-regulatory organizations have also established rules on operational risk mapping, to be observed by financial services firms when they provide online financial services, and have included the assessment and management of risks arising from cooperation with third-party service providers (TSPs) among the matters to be addressed in the self-regulatory rules they are going to formulate.
3. Enhance data vaulting and operational continuity drills: The security of financial information affects financial stability, and vaulting of core financial business data is necessary to protect the property rights of the public at financial institutions. To respond to major cyber security incidents, natural disasters, and other risks, the FSC has studied core data vaulting mechanisms (including encryption of core files and databases, together with offsite backup, split-knowledge backup, or cloud backup of them). Also, in order to verify that financial institutions' operating mechanisms can work effectively at critical moments, the FSC will adopt guidelines governing core business system recovery drills (focusing on such matters as local and remote recovery operations and switchover timeliness requirements), and has continued encouraging entities to design their remote recovery drills to cover the actual operation of external services as well as verification of their effectiveness. To that end, the FSC encourages financial institutions to join with related outside entities to conduct joint information system drills that meet disaster recovery needs.
4. Expand the adoption of international cyber security standards and the establishment of Security Operation Centers: Since 2020 the FSC has encouraged financial institutions to adopt international cyber security management standards and establish Security Operation Centers (SOCs). Principal financial institutions have already adopted (or have set timetables to adopt) international cyber security standards. For the sake of effective implementation the FSC, based on the special features of different sectors of the financial industry, has specified that financial institutions above a certain size, or whose electronic transactions account for a certain percentage of total transactions, will be added to the range of institutions subject to requirements governing the scope of items that must meet international cyber security standards (e.g. information infrastructure, all core information systems, core business processes, and online financial services) and the scope of items for which security operation standards must be adopted (e.g. organization, operating procedures, scope of monitoring and control, and mechanisms for detection and management of cyber threats).
5. Encourage assessments of the effectiveness of cyber security monitoring and defenses: Early detection and response is a very important aspect of cyber security monitoring and defense, as is a tight defense network, but an organization that only ever defends will find it hard to avoid an occasional failure. The FSC therefore encourages financial institutions that have already established an SOC and reached a certain size to test themselves from the attacker's side: for example, to periodically verify the effectiveness of their cyber security monitoring and defense arrangements through offensive methods such as DDoS attack and defense drills, drills that pit red and blue teams against each other, and breach and attack simulations.
6. Encourage establishment of zero trust networks, improved network connection validation and authorization control: The COVID pandemic has spurred a shift to offsite work and work-from-home arrangements. Meanwhile, data and services have moved to the cloud, users have switched to mobile devices, and storage equipment has grown increasingly varied. Under these circumstances, the traditional network model based on trust boundaries has become less capable of meeting new requirements. Accordingly, the FSC encourages financial institutions to gradually adopt the three core zero trust network (ZTN) mechanisms (user identification, device identification, and trust inference), and to combine these with fine-grained authorization controls in order to better meet cyber defense needs in a post-pandemic world where digital transformation has taken place.
7. Encourage hiring of cyber security personnel with diverse specialties, enhanced attack and defense training: To achieve comprehensive cyber security protection at financial institutions, the FSC encourages financial institutions to appreciate the importance of appointing a sufficient number of cyber security personnel and of having these personnel obtain professional cyber security licenses (certificates) from training institutes both at home and abroad. Toward this end, the FSC is guiding financial institutions to properly value the professional qualifications and abilities of cyber security personnel, so that financial institutions can build up the competencies needed for internal security operations. To strengthen the ability to respond to hacker attacks, the FSC intends to adopt the MITRE ATT&CK and ENGAGE frameworks developed by the US-based MITRE Corporation, to hold financial cyber security training courses that improve strategic and tactical thinking on cyber attack and defense, and to expand training capacity.
8. Improve cyber intelligence sharing capabilities, achieve more effective cyber security joint defense: The FSC has overseen an effort by F-ISAC to further enhance the depth and breadth of intelligence analysis and to deepen interactions among its members in that area, so as to facilitate prompt provision of more accurate and comprehensive early warnings and defense recommendations. The FSC will guide financial institution SOCs to adopt cyber security configuration baselines (including anomalous event triggers and correlation analysis rules) and to use them as the basis for the monitoring configuration and incident ticket trigger rules they coordinate with joint SOCs. The aim is to ensure that joint SOCs can provide incident ticket correlation analyses to financial institutions in a more timely and effective manner, to facilitate the feedback of cyber monitoring intelligence, and to ensure that coordinated operations between financial institution SOCs and joint SOCs yield greater benefits.
9. Cyber security offensive and defensive exercises, planning for major cyber event support exercises: To strengthen the contingency response capabilities of financial institutions, the FSC will continue holding DDoS offensive and defensive exercises, live cyber security offensive and defensive exercises, offensive and defensive exercise competitions, and major cyber security incident situational exercises.
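Measure 3 above names "split-knowledge backup" of encrypted core data as one vaulting mechanism. The press release does not describe how such a backup is built, so the following is an added illustration, not FSC or industry code: it reads "split-knowledge" as threshold secret sharing of the backup encryption key, so that no single custodian (or single offsite/cloud location) holds enough to decrypt the vault, while any k of n custodians can restore it. The Shamir scheme, the 3-of-5 parameters, the prime field, and the SHA-256 commitment used to verify a reconstruction before trusting it are all assumptions of this example; the data encryption itself (e.g. AES-GCM under the shared key) is out of scope here.

```python
"""Split-knowledge custody of a backup encryption key (added example).

The key is split with Shamir secret sharing over the prime field GF(P).
Any k shares rebuild the key; k-1 shares reveal nothing about it.
A SHA-256 commitment stored with the backup lets the restore procedure
verify the reconstruction, which matters because a wrong or tampered
share yields a wrong key silently.  Parameters are this example's own.
"""
import hashlib
import secrets

# 2^521 - 1 is a Mersenne prime, comfortably larger than any 256-bit key.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, k: int, n: int):
    """Split `key` into n shares (x, y); any k of them reconstruct it.

    The key is the constant term of a random degree k-1 polynomial;
    share i is the polynomial evaluated at x = i (x = 0 is never issued).
    """
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def key_commitment(key: bytes) -> bytes:
    """Commitment stored alongside the encrypted backup (SHA-256 of the key)."""
    return hashlib.sha256(key).digest()


def _interpolate_at_zero(shares) -> int:
    """Lagrange interpolation of the shares' polynomial at x = 0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # pow(den, P-2, P) is the modular inverse of den (Fermat)
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def restore_backup_key(shares, key_len: int, commitment: bytes):
    """Rebuild the key from shares and verify it against the commitment.

    Returns the key, or None when the shares are too few, corrupted,
    or mismatched: too few shares interpolate to an unrelated field
    element, which the commitment check rejects.
    """
    if len({x for x, _ in shares}) != len(shares):
        return None  # duplicate share indices cannot be interpolated
    candidate = _interpolate_at_zero(shares)
    if candidate.bit_length() > 8 * key_len:
        return None  # cannot even be a key of the expected length
    key = candidate.to_bytes(key_len, "big")
    if not secrets.compare_digest(key_commitment(key), commitment):
        return None
    return key


if __name__ == "__main__":
    # Constructed demo: a 256-bit vault key under 3-of-5 custody.
    vault_key = secrets.token_bytes(32)
    custodian_shares = split_key(vault_key, k=3, n=5)
    commit = key_commitment(vault_key)
    # Custodians 1, 3 and 5 attend the recovery drill.
    drill = [custodian_shares[0], custodian_shares[2], custodian_shares[4]]
    print("3 of 5 restore ok:", restore_backup_key(drill, 32, commit) == vault_key)
    print("2 of 5 restore ok:", restore_backup_key(drill[:2], 32, commit) is not None)
```

In a drill of the kind measure 3 describes, the useful checks are the two shown in `__main__`: that any quorum of custodians (not only the "usual" ones) restores a key matching the commitment, and that a sub-quorum does not. Storing the commitment next to the ciphertext is safe because it reveals nothing usable about the key, but it does not protect against a share being withheld, so custodians and their share locations should be inventoried as part of the recovery plan.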
The FSC will implement the Financial Cyber Security Action Plan 2.0 in phases over a period of three years. The achievements of the Plan will be reviewed on a quarterly basis and adjusted in response to cyber security developments and the state of business operations. To facilitate promotion of the Plan, it will be implemented as follows:
1. Public-private partnership: The public sector, financial industry self-regulatory organizations, and the various financial industry associations will adopt related regulatory rules and standards, cultivate cyber security personnel, and coordinate on cyber monitoring and response, in order to help financial institutions improve their cyber defense capabilities.
2. Differential regulatory treatment: Depending on the particular characteristics of different lines of business, the size of different financial institutions, and operational risks, the FSC will adopt appropriately graded cyber security standards that pay balanced attention to financial institutions' actual cyber defense needs as well as the feasibility of implementation.
3. Resource sharing: Continue promoting cyber intelligence sharing and cooperation, establish a financial cyber incident response and monitoring system, implement cyber security joint defense, encourage financial industry self-regulatory organizations (or financial industry associations) to establish a cyber security incident response team, and use resource sharing and cooperation to strengthen financial cyber defense capabilities.
4. Compliance incentives: The competent authority can use supervisory measures (e.g. including cyber security risk factors among the matters it takes into consideration when: deciding whether to approve applications to conduct a new line of business; determining regulatory capital charges; calculating premium rates for deposit insurance or the Taiwan Insurance Guaranty Fund) to guide financial institutions to actively implement cyber security measures.
5. International cooperation: Obtain international financial cyber intelligence by strengthening exchanges and cooperation or signing MOUs with financial cyber security authorities in other countries, and engage with international cyber security organizations in a joint effort to strengthen cyber defenses.
The FSC will continue enhancing the cyber defense capabilities of financial institutions and building a secure environment for financial services development to serve as the foundation for fintech innovation, and to provide consumers with financial services that afford them peace of mind, convenience, and diversity.
Contact: Mr. Wei-Lun Chang, Section Chief, Department of Information Management
Tel: +886 2 8968 0806
- Update: 2023-02-15