Risk Management
Risk Management Framework and Culture
Fubon Financial Holdings has built a robust risk management organizational structure that includes the board of directors, Audit Committee, Risk Management Committee, Personal Information Protection Committee, Chief Risk Officer and Risk Management Division. The Chief Risk Officer is responsible for managing all risk management affairs and supervising the Risk Management Division’s independent implementation of risk management.
Enterprise Risk Management (ERM) Model and Three Lines of Defense
Fubon Financial Holdings has put in place a comprehensive risk management system, founded on an enterprise risk management framework, that encompasses risk identification, measurement, response, monitoring, and reporting. Under this framework, three lines of defense manage risk and shape the risk culture. In the first line of defense, all business, operations, and management units are responsible for identifying and managing risk, ensuring compliance with risk management policies, and following risk management procedures when performing tasks within their functions and business responsibilities. In the second line of defense, an independent risk management unit (the Risk Management Division) is responsible for establishing risk management rules and for controlling and reporting risks. In the third line of defense, an independent audit unit (the Auditor Division) audits every six months how effectively risk management rules and mechanisms are being complied with. The regulatory authority also conducts an independent review at least once every two years. In past years, internal and external reviews conducted under these procedures have detected no major flaws, indicating that the risk management mechanism has been functioning effectively.
Emerging Risk Management
Fubon Financial Holdings refers to the World Economic Forum’s Global Risks Report during its annual review of the Company’s and its subsidiaries’ business development and future prospects, and during its assessment of the major long-term emerging risks of concern. It screens the risks by their relevance to and potential impact on the business and by how vulnerable the business is to them. In 2023, the Company identified the major long-term emerging risks at the financial holding company level as “geopolitical confrontation” in the geopolitical risk category and “prolonged economic downturn” and “debt crises” in the economic risk category. Appropriate responses to these risks were devised, and the risks continue to be monitored.
Information Security Management
Fubon Financial Holdings and its subsidiaries have established dedicated information security departments responsible for planning, monitoring, and managing their information security systems. Regular meetings are held to stay up to date on the overall information security situation and to analyze and discuss information security issues, strengthening joint information security efforts. The Company’s information security strategy and plan are based on the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST). It has established a multi-layer security protection framework organized around that framework’s five functions (identify, protect, detect, respond, and recover) and has completed the planning and construction of multiple information security protection mechanisms, contributing to a secure digital finance environment. Another priority has been to strengthen the protective capabilities of the network, host, and endpoint layers in each information environment and to develop proactive information security measures, including anti-virus software, spam email detection and blocking, web filtering and protection, intrusion detection and prevention systems, web application firewalls, and a system that monitors the likelihood of information security risks materializing.

Information Security Risk Management Flow Chart

Information Security Action Plans and Results
Strengthen Risk Management
- Red team/blue team exercises, information security operations continuity and recovery drills, and vulnerability testing are conducted annually.
- In 2023, neither the financial holding company nor any of its subsidiaries experienced a major information security incident, indicating that the strengthened management measures have been effective.
- 24/7 monitoring of externally exposed weaknesses is performed so that vulnerabilities can be tracked and handled more efficiently and information security risk reduced.
- Completed an “information security governance maturity assessment” in 2023; by identifying information security risk issues and the business’s own level of information security maturity, the assessment identified inherent risks and possible improvements to management practices.
Align Operations with Laws and Regulations
- Reviewed internal operating guidelines to ensure regulatory compliance and alignment with industry association regulations and international information security trends.
- Fubon Financial Holdings and its subsidiaries have been certified under ISO/IEC 27001:2022 (effective date: March 15, 2024; expiration date: March 14, 2027).
- To maintain the certification’s validity, a third-party certification body conducts a surveillance audit every six months.
Strengthen Information Security Awareness
- 35,715 people participated in information security training (3 hours for regular employees, 15 hours for information security personnel); coverage was 100%.
- Social engineering simulations are conducted every six months; the average click rate on simulated phishing emails was 1.45%.
- Information security policy approved by the board of directors; information security departments report on a regular basis to the board.
- Information security policy posted on the Company’s enterprise information portal for the reference of all employees across the organization.
Consolidation of Defense in Depth Strategy
- 12 information security meetings were held in 2023 to fine-tune the direction of information security strategy.
- Completed the replacement of web application firewalls and of network detection and response systems.
- Tracked information security trends through visual dashboards and strengthened security inspections of non-Windows systems.
Personal Information Protection
Protecting the personal information of customers is one of Fubon Financial Holdings’ highest priorities. We have established the Fubon Financial Holding Co., Ltd. and Subsidiaries Personal Information Protection Policy, which clearly stipulates the responsibilities and obligations of employees in handling and protecting personal information, and have posted a “Privacy Statement” on our website informing customers of their rights and of the measures taken to protect the confidentiality of their personal information. If a breach of personal information occurs, the case is handled and reported in accordance with the Personal Data Protection Act and the Fubon Financial Holding Co., Ltd. and Subsidiaries Operational Risk Reporting and Management Guidelines. If a case reaches the media, the media response is handled in accordance with the “Fubon Financial Holding Co., Ltd. and Subsidiaries Principles for Media Crisis Management.”
To ensure the protection of personal information, the “Personal Information Protection and Supervision Committee” set up under Fubon Financial Holdings’ Risk Management Committee oversees the protection and management of personal information by the financial holding company and its subsidiaries. It reports on personal information protection issues to the Risk Management Committee on a quarterly basis. Each unit conducts a semi-annual self-check of its internal controls and compliance practices and a self-assessment of compliance issues, and auditing units check, on both a scheduled and an unscheduled basis, how effectively each unit is managing personal information protection.