The Taiwan Business Bank (hereinafter referred to as the Bank) hereby establishes these Policies to ensure the security of the Bank’s various information and communication system and information assets, and to better the Bank’s overall cyber security architecture and reduce operational risks.

For the purposes of these Policies, the terms below shall have the following meanings ascribed to them:

• “Information and Communication Systems” means systems that are used to collect, control, transmit, store, circulate, delete information; or other ways in which said information may be treated, used, or shared.
• “Information Asset” means objects and people of value to the Bank’s information operations including hardware, software, data, documents, and people.
• “Cyber Security” means the action of preventing information and communication systems or information from unauthorized access, use, control, leakage, damage, tampering, destruction, or other intrusions, to ensure its confidentiality, integrity, and availability.
• “Cyber Security Incident” means the occurrence of a situation in which the system, service, or network status is identified to potentially violate these Policies or cause the failure of protection measures, affecting the operational functions of information and communication systems posing a threat to these Policies.

The overall goal of cyber security lies in ensuring the confidentiality, integrity, and availability of information and communication systems and information assets, as well as in preventing the Bank’s operations from being impacted by cyber security incidents; in effect lowering operational risks.

These policies are applicable to the Bank’s various information and communication systems and information assets, and shall be complied with by the entirety of the Bank’s personnel, contractors, and visitors.

To effectively manage cyber security procedures, the Cyber Security Management Committee shall be established for the general management of cyber security and the supervision of its procedures. The establishment guidelines of the committee shall be stipulated separately from these policies.

The Bank shall abide by the relevant laws and regulations including but not limited to the Cyber Security Management Act and the Personal Information Protection Act, as well as the Bank’s regulations regarding cyber security to ensure the appropriate use of the Bank’s information and communication systems and information assets.

The Bank shall implement proper inventory management of its information and communication systems and information assets, which shall be classified according to importance. The Bank shall also establish control mechanisms according to risk evaluation results.

The Bank shall establish a cyber security maintenance plan, cyber security incident response mechanisms, and practice incident drills to maintain the information and communication systems’ continuous operations.

In the case of a cyber security incident, reports and responses shall be filed according to relevant regulations.

The Bank shall carry out education and training on information security relevant for personnel of various business categories and competencies to help the Bank’s staff in understanding the importance of cyber security; thus enhancing cyber security awareness and allowing staff to become familiar with relevant procedures.

The Bank shall implement management systems related to cyber security, and pass third-party verifications as needed.

The Information Security Department shall inspect these Policies annually, and in the event of a major change, to ensure they meet the latest developments in legislation, technology, organizations, and operations related to cyber security. The Information Security Department shall also present the Bank’s operational situation regarding cyber security of the previous year for review at the Board of Directors Meeting during the first quarter of each year.

For core information and communication system transformation, major structural adjustment or cross-version upgrade, relevant information should be reported to the board of directors (managing directors') before the system goes online. The definition and authorization of the core information communication system shall be formulated by the management department.

The previous operation is compiled and reported by Information Technology Dept. The report should include the operation items, methods and schedules of the system conversion and update, and the conversion method should cover the preparation work before, during and after the system conversion, conversion procedures and event management, etc. related information.

The Bank adheres to the three lines of defense principle in division of labor to ensure the full implementation of procedures regarding cyber security and the effectiveness of overall cyber security operations:

• The first line of defense is the information and communication systems administrative and usage departments, which are responsible for the design and execution of security mechanisms for information and communication systems.
• The second line of defense is the Information and Security Department, which is responsible for the planning, monitoring, and execution of cyber security management practices.
• The third line of defense is the Auditing Department, which is responsible for the execution of the independent auditing of cyber security mechanisms.

For issues not covered in these Policies, the relevant law decrees and Taiwan Business Bank regulations shall apply.

These Policies shall come into effect upon the approval of the Board of Directors. The same condition shall apply when revisions are made to these Policies.