Cyber threats in the digital age have become more severe and complicated compared to the past and are likely to intensify in the future. Cybersecurity is therefore considered to be a key risk factor affecting the Bank’s business operations that we have to manage. Accordingly, we have set a clear IT security and cybersecurity framework that conforms to international standards. We have also adopted new technologies to monitor and detect anomalies and irregular incidents that may damage the Bank’s data or IT systems. Moreover, we have established security standards for all data collected through the Bank’s services. Our systems are regularly assessed against these security standards, both before and after customers use a service. This is to ensure that preventive or corrective actions are taken promptly once a loophole is found. The Bank has received ISO 27001 certification and is in the process of being certified for PCI DSS standards.
Personal Data Protection Management
We have established principles and practices on personal data protection in accordance with laws and rules imposed by regulators, the Bank’s personal data protection policy and other related policies. These principles and practices cover personal data privacy protection measures and notifications in cases of violation of personal data privacy. Besides this, personal data risk has been recognized as one of the Bank’s major risks and the scope of our risk taxonomy has been expanded to cover personal data risk, requiring the Personal Data Protection Unit and the responsible officers to participate in the Bank’s risk management process. At the same time, we continue to build awareness and understanding among all executives and staff to keep them up-to-date and compliant with relevant laws and the Bank’s practices.
We have put in place appropriate step-by-step measures on personal data protection to prevent data loss, unauthorized access, usage, change, amendment or disclosure, and reviewed these on a regular basis. Relevant parties must comply with the measures and are given the responsibility to monitor data, grant access rights and classify data so as to determine levels of personal data security that are consistent with the degree of risk and potential impacts from a breach of personal data privacy.
Promoting a Data Security and Cybersecurity Risk Culture
Since we collect, use and disclose personal data, we realize the importance of responsible parties having a proper and complete understanding of how to manage data security and cybersecurity. Consequently, we have continuously built relevant knowledge among staff and executives to prevent misuse of information, theft, leakage and loss of data through a variety of approaches such as knowledge sharing sessions, cyber threat response plan rehearsals and simulations. All departments are responsible for ensuring the security of their relevant information. Building knowledge and understanding of data security and cybersecurity forms an important part of our organization-wide risk culture.