Status of Corporate Governance

2.5 Privacy and Information Security Management

Given the increasing prevalence of online trading in the era of digital finance, PSC considers it a priority to maintain and continuously improve its information security mechanisms to rigorously protect customer personal information and ensure transaction security. The Company will continue to monitor digital trading patterns of financial products and financial crime tactics, while also enhancing its internal information security systems and protocols to provide customers with a secure trading environment.


Results of the Information Security Action Plan


2.5.1 Organization Structure and Policy Implementation of Information Security

In accordance with the FSC’s regulations and PSC’s Information Security Policy, the Company officially established the Information Security Section under the Information System Department in 2018, upgrading the former task force to a permanent organization staffed with an information security supervisor and two information security specialists. The section is responsible for strengthening the maintenance and control of information systems. On November 4, 2021, a new Chief Information Security Officer (CISO) was appointed, following approval by the Board of Directors. The CISO is responsible for overseeing information security policy implementation and resource allocation. Additionally, a cross-departmental Information Security Team was established, and annual meetings of this team are convened. The President serves as the convener, and the head of the Information Systems Department serves as the chief secretary of this team. This structure integrates the efforts of the various departments in promoting internal information security policies, developing work plans, and allocating resources effectively. The goal is to ensure that the organization effectively promotes information security management policies, enhances internal information security awareness, and provides customers with the safest possible transaction environment.

Information Security Promotion Team

In accordance with the TWSE Information Security Inspection Mechanism for Securities Firms, PSC is classified as a level B securities firm. The Company diligently adheres to the thirteen requirements specified in the classification guidelines, which include maintaining professional certifications in information security, system classification, network firewalls, antivirus software, email filtering mechanisms, information security check-ups, threat detection and management mechanisms, intrusion detection and defense mechanisms, and application firewalls. Additionally, we conduct market simulation tests in collaboration with the competent authority semiannually to ensure that backup computer systems operate smoothly and to enhance proficiency in system operations. In 2022, the Company allocated approximately 15.77% of its total information budget to cybersecurity-related expenses. Furthermore, in that year, we participated in the Financial Information Sharing and Analysis Center (F-ISAC) cybersecurity governance maturity assessment and completed assessments of inherent risk and network security maturity.


Deepening Awareness of Internal Information Security

In 2022, PSC conducted various information security-related educational courses, seminars, and information security drills with a goal to promote information security control processes and enhance employees' awareness of information security through multiple channels and measures. While remaining vigilant about relevant risks in various businesses, we also ensured the implementation of information security and maintained the rights and interests of both customers and the Company. In addition to amendments made to information security management regulations, the Company has completed consistent security updates and version upgrades for equipment. Furthermore, external organizations were engaged to conduct independent testing and assessments to proactively identify potential information security risks.

Information Security Control Measures


2.5.2 Electronic Trading and Information Security Management

In response to the digital transformation of the financial market, PSC is committed to promoting electronic trading, and the proportion of electronic trading in the Company's operations has been steadily increasing. In 2022, electronic trading accounted for 79% of total trading, a 5% increase over the 74% recorded in 2021. The Company uses certificates issued by Taiwan-CA Inc. to verify each order placed. When clients trade online, the securities or futures firm checks their account number and password, while we additionally verify the certificate issued by this impartial third party to raise the level of security, which is critical when trading online. Meanwhile, we use the internationally recognized Secure Sockets Layer (SSL) protocol to encrypt transmissions and further enhance the security of online trading.

Information Security Management System (ISMS) Certification

PSC applied for and obtained ISO 27001:2005 certification for its electronic trading system from the British Standards Institution (BSI) in August 2013, passed the information security certification renewal review at the end of July 2014, and adopted the revised ISO 27001:2013. The Company has undergone the annual surveillance review in each subsequent year to maintain the validity of the certification. Additionally, a complete reevaluation and recertification for ISO 27001 is conducted every three years. In 2022, a recertification audit was completed on August 25th, and the certification remains valid until August 24th, 2025. By implementing the ISO 27001 framework, PSC has established a system for managing information security at various security levels, which institutionalizes and standardizes internal information security measures, enhances existing security management mechanisms, and reduces operational errors, ultimately lowering information security risks and protecting business confidentiality. It further allows the Company to provide customers with a trading system featuring a comprehensive protection mechanism and convenient services without security concerns.

Furthermore, in Q1 2022 we adopted two-factor authentication for user logins to all electronic trading platforms to enhance trading security and prevent account theft.

BS 10012-2

2.5.3 Personal Data Protection

With a strong emphasis on personal data protection, PSC has adopted the internationally recognized BS 10012 Personal Information Management System to deliver our responsibility in protecting customer personal information and transaction data. This approach actively complies with the Personal Data Protection Act and exemplifies our commitment to safeguarding customer privacy rights.

PSC's Brokerage Department obtained the BS 10012 Personal Information Management System certification in December 2013. In 2017, the scope of certification expanded to cover the Shareholder Services Department. The operational procedures related to account opening and logistical services in these departments comply with the standards and management mechanisms outlined in the BS 10012 Personal Information Management System certification. PSC is among the few securities firms in the industry to have obtained the certification for two departments.

In 2012, with the assistance of a professional consultancy, PSC formally incorporated a personal data management project into the Company's internal policies and operating standards, and established a personal data file center on the Company's intranet site for all units to follow.

In the same year, we established a task-based Personal Data Committee, with the President as the convener and the head of each department as the personal data responsible personnel. The Compliance Division serves as the Personal Data Protection Team, the Administration Department as the Emergency Response Team, and the Brokerage Department as the Personal Data Contact Point Team, to ensure the effective implementation of the personal data management policy and its tasks.

The chair of the Personal Data Committee convenes a committee meeting every quarter to report on and review the personal data operations and implementation for each quarter. We also review applicable regulations in accordance with internal regulations every year and examine any documents that involve clients’ personal data.

PSC attaches great importance to any data submitted by clients to us. The Company diligently ensures the security and confidentiality of customer personal data in accordance with the Personal Data Management Objectives and Policies. In 2022, there were no incidents of data leakage, and there were no occurrences of customer personal data or privacy breaches, nor any incidents of customer data loss. The number of individuals affected by such events was zero.

Personal Data Protection Organizational Structure


President Securities Personal Data Management Objectives


Personal data protection management system:
