Risk Management
Risk Management Framework and Culture
Fubon Financial Holdings has built a robust risk management organizational structure that includes the board of directors, Audit and Risk Management Committee, Risk Management Executive Committee, Personal Information Protection Committee, chief risk officer and Risk Management Division. The chief risk officer is responsible for managing all risk management affairs and supervising the Risk Management Division’s independent implementation of risk management.
Enterprise Risk Management (ERM) Model and Three Lines of Defense
Fubon Financial Holdings has put in place a comprehensive risk management system encompassing risk identification, measurement, response, monitoring, and reporting that is founded on an enterprise risk management framework. Under this framework, three lines of defense manage risk and shape the risk culture. In the first line of defense, all business, operations, and management units are responsible for identifying and managing risk, making sure they comply with risk management policies, and following risk management procedures when performing tasks related to their functions and business responsibilities. In the second line of defense, an independent risk management unit (the Risk Management Division, supervised by the chief risk officer) is responsible for establishing risk management rules and for controlling and reporting risks. In the third line of defense, an independent audit unit (the Auditor Division) audits every six months how effectively risk management rules and mechanisms are being complied with. A regulatory authority also conducts an independent review at least once every two years. In past years, internal and external reviews have been conducted based on the procedures described above, and no major flaws have been detected, indicating that the risk management mechanism has been functioning effectively.
Emerging Risk Management
Fubon Financial Holdings refers to the World Economic Forum’s Global Risks Report during its annual overview of the Company’s and subsidiaries’ business development and future prospects, and during its assessment of the major long-term emerging risks of concern. It screens the risks based on their relevance to and potential impact on the business, and on how vulnerable the business is to them. In 2024, the Company identified the major long-term emerging risks at the financial holding company level as “geopolitical confrontation” in the geopolitical risk category and “economic downturn” and “inflation” in the economic risk category. Appropriate responses to these risks were devised, and the risks continue to be monitored.
Information Security Management
Fubon Financial Holdings and its subsidiaries have established dedicated information security departments responsible for planning, monitoring, and managing their information security systems. Regular meetings are held to stay up to date on the overall information security situation and to analyze and discuss information security issues, strengthening joint information security efforts. The Company’s information security strategy and plan are based on the cybersecurity framework proposed by the National Institute of Standards and Technology (NIST). It has established a multi-layer security protection framework built around the identify, protect, detect, respond and recover functions, and has completed the planning and construction of multiple information security protection mechanisms, contributing to the creation of a secure digital finance environment. Another priority has been to strengthen the protection capabilities of the networks, hosts and endpoints in each information environment and to develop proactive information security measures through anti-virus software, spam email detection and blocking, web filtering and protection, intrusion detection and prevention systems, web application firewalls, and a system that monitors the likelihood of information security risks occurring.
Information Security Risk Management Flow Chart
Information Security Action Plans and Results
Strengthening Financial Resilience
- Red team/blue team exercises, breach and attack simulation (BAS) exercises, information security operations continuity and recovery drills, and vulnerability tests conducted annually.
- In 2024, neither the financial holding company nor any of its subsidiaries experienced major information security incidents, indicating that the strengthening of management measures has proven effective.
- 24/7 monitoring of externally exposed weaknesses conducted so that vulnerabilities can be tracked and handled more efficiently and information security risks eliminated.
Harness Joint Information Security Defenses
- 12 information security meetings held in 2024 to fine-tune the direction of information security strategies.
- An information sharing mechanism implemented so that information security incidents and the associated attack methods can be identified in real time.
- Material vulnerabilities, together with information on the supervision and management of investigations into those vulnerabilities, communicated to subsidiaries.
Deepening Information Security Governance
- 43,471 people participated in information security training (3 hours for regular employees, 15 hours for information security personnel); coverage was 100%.
- Social engineering simulations conducted every six months, with an average click rate on phishing emails of 3%.
- Fubon Financial Holdings and its subsidiaries have been certified under ISO 27001:2022 (effective date: March 15, 2024; expiration date: March 14, 2027).
- In addition, as part of the process to keep information secure, a third-party verification body conducts a surveillance inspection every six months to maintain the certification’s validity.
- Planned the implementation strategy and protection mechanism for the development of zero-trust architecture.
Strengthening Information Security Oversight
- Information security policy approved by the board of directors; information security departments report on a regular basis to the board.
- Performance indicators for supplier information security management were reinforced, related internal operational rules were reviewed to ensure that they comply with existing laws and regulations, and, in line with regulatory authority rules and international cybersecurity attack and defense trends, management training and social engineering exercises were completed for the financial holding company’s information and communications service providers.
- Security incident monitoring and management procedures and incident tracking procedures were improved and optimized.
- A list of “Information Security Things to Know” was established and publicized to the entire workforce; new hires must sign the “Information Security Things to Know” before beginning their jobs, increasing the responsibility of group employees for information security.
Personal Information Protection
Protecting the personal information of customers is one of Fubon Financial Holdings’ highest priorities. We have established the Fubon Financial Co., Ltd. and Subsidiaries Personal Information Protection Policy, which clearly stipulates the responsibilities and obligations of employees in handling and protecting personal information, and have posted a “Privacy Statement” on our website informing customers of their rights and of the measures taken to protect the confidentiality of their personal information. If a breach of personal information occurs, the case is handled and reported based on the Personal Data Protection Act and the Fubon Financial Holding Co., Ltd. and Subsidiaries Operational Risk Reporting and Management Guidelines. If a case reaches the media, the media response is handled based on the “Fubon Financial Holding Co., Ltd. and Subsidiaries Principles for Media Crisis Management.”
To ensure the protection of personal information, the “Personal Information Protection and Supervision Committee” set up under Fubon Financial Holdings’ Risk Management Committee oversees the protection and management of personal information by the financial holding company and its subsidiaries. It reports on personal information protection issues to the Risk Management Committee on a quarterly basis. Each unit conducts a semi-annual self-check of its internal controls and compliance practices and a self-assessment of compliance issues, and auditing units check on both a regular and an irregular basis how effectively each unit is managing personal information protection.