In recent years, with the growth of fintech and digital transformation in the financial sector, cybersecurity has become significantly more important. In 2020, the Financial Supervisory Commission (FSC) released the Financial Security Action Plan 1.0 so that the public can use safer, more convenient, and uninterrupted financial services. At the end of 2022, entering the post-epidemic era, following rolling reviews and considering changes in the domestic and foreign cybersecurity environment and operational practices, and referring to international cybersecurity supervision policies, the FSC released the Financial Security Action Plan 2.0.

In order to continuously enhance cybersecurity in financial institutions, the FSC has encouraged the industry to pay attention to cultivation and allocation of cybersecurity talent and conduct drills. It has also supervised the establishment of the Financial Information Security Analysis Center (F-ISAC), and continued to strengthen the depth and breadth of intelligence analysis, joining hands with the industry to establish a joint defense system.

Hacking methods are getting ever more sophisticated

Cybersecurity has a major impact on financial and social stability. In 2007, for example, as the Estonian government prepared to remove a Soviet-era commemorative bronze statue, hackers attacked the Congress, government, banks, media, and other websites. ATMs could not dispense money, causing widespread theft and rioting.

It was reported that the hackers used a distributed denial of service (DDoS) method, using multiple machines to attack at the same time to generate sufficient network traffic to paralyze the target. This incident was regarded by military experts as the first national-level cyber war. After the incident, seven NATO member states signed an agreement in 2009 to jointly fund and establish a cybersecurity research center, and the concept of cybersecurity joint defense gradually took shape.

On February 24, 2022, the Ukraine War began. Three days later, the Russian cyberarmy invaded Ukraine, intending to paralyze Ukraine's basic living facilities, finance, media and other services requiring information and communication technology. Ukrainian officials asked for help from Elon Musk, the world’s richest man. Musk dispatched Starlink satellites to provide internet service in Ukraine, highlighting the importance of resilience in cybersecurity.

Financial systems can be destroyed, whether by human error or misuse of ICT. The communique of the March 2017 G20 finance ministers and central bank governors’ meeting noted that malicious use of ICT may paralyze a country or the international financial system, undermine financial security and public trust, and endanger financial stability. However, as hacking becomes more sophisticated and attacks become more intense, institutions can only seek to reduce risks.

Although the industry may never be able to completely prevent zero-day attacks, ensure supply chain security, and mitigate human error, it can establish a preventive mindset, including looking at general cases, accumulating experience, and strengthening response and defense capabilities. It can complete asset inventory, assess risks, deploy effective defenses, and create multiple layers of detection. In the unlikely event of an incident, it can minimize the scope of the impact, respond effectively, and quickly resume operations.

Finance is a frequent target

The information held by the financial industry is quite valuable, making it a frequent target of international hackers. In 2016, a large ATM robbery case broke out in First Bank, causing a sensation in Taiwan. Hackers infiltrated the bank’s internal network and used malicious programs to remotely control 41 ATMs in 22 branches in Taipei and Taichung to automatically dispense money. An investigation found that a mainframe telephone recording server locked in a cabinet in the London branch became a springboard for the attack.

In 2017, hackers broke into Far East Bank’s internal network, tried to delete seven anti-virus programs, executed ransomware, and encrypted files on some computers. They also concealed the traces of intrusion, and made the bank believe that its files had been encrypted. The hackers gained access to the highest account privileges and used the SWIFT cross-border remittance system to steal NT$1.8 billion, the seventh such incident in the world.

That same spring, for the first time in the history of Taiwan, a group of brokerages was attacked by DDoS for extortion. Thirteen brokerages received ransom notes in English, demanding payment of 7-10 bitcoins (with market value from about NT$270,000 to NT$300,000). The notes declared that if they did not pay, the hackers would launch a larger-scale, even terabyte-level DDoS attack. Since then, the financial and securities industries have gradually introduced mechanisms to prevent DDoS attacks.

In 2021, there were frequent reports of fraudulent phishing text messages from banks, including Cathay United Bank and Taishin Bank. The same year, domestic brokerages were hit by hackers using the common attack method of password credentialing, and fake customers placed orders to buy Hong Kong stocks. Yuanta Securities suffered the most serious intrusion.

At the beginning of August 2022, a number of Taiwanese websites were attacked; threatening messages were placed on the electronic billboards of 7-Eleven and the Taiwan Railway. The hacker group APT27 claimed to have 200,000 connected devices, and said it intended to publish zero-day vulnerabilities for some information systems and stolen government data.

A joint financial security defense system

Seeing the growing sophistication of cyber threats, the FSC hopes that financial institutions will strengthen their security defense in order to maintain customers’ trust.

Many financial institutions have reported that in the past, the pain points of information security protection in the financial field were the high risk, multitude of threats, lack of communication, and scarcity of skills. Because international hackers are usually organized, they continue to attack and blackmail the industry, yet financial institutions still lack communication channels with each other. In addition, the shortage of financial security professionals poses a huge challenge, highlighting the importance of a joint financial security defense system.

In December 2017, in order to provide early warning and joint financial security mechanisms to improve the overall security governance capabilities of the industry, strengthen joint defense, and stabilize the financial market order, the FSC established the Financial Information Sharing and Analysis Center (F-ISAC), referring to the practices of FS-ISAC in the US. The participating members include regulators, financial holding companies, domestic and foreign banks and securities companies, property and life insurance, financial industry associations, electronic payment manufacturers, credit card companies, local financial institutions, and financial peripheral units.

“The biggest difference between Taiwan’s F-ISAC and FS-ISAC is that it includes the regulator.” The FSC mentioned that its source of intelligence information is the National Information Security Analysis Center (N-ISAC), as well as information security partners such as Microsoft and Trend Micro. In the medium term, it will join SWIFT-ISAC, FS-ISAC and other international financial ISACs to provide information, and later provide and share information from its own members.

In 2019, as the Taiwan stock market index broke through 11,000 points, hackers took the opportunity to launch DDoS attacks, paralyzing the websites of many brokerages. F-ISAC worked closely with the Taiwan Stock Exchange. It issued early warnings, and the TSE also simultaneously notified the information directors of each securities company to reduce the time of the attacks and reduce loss. F-ISAC also shared malicious IP and other information with Japan’s F-ISAC and Korea’s financial security agencies.

The joint financial security defense system includes three key points. The first is early warning and protection. Through analysis and sharing of financial security information, members can grasp security threats in advance, better understand past incidents, respond immediately, and reduce incident risks. The second is monitoring and response during the event. F-ISAC established the Financial Security Operations Center (F-SOC), which is responsible for collecting, aggregating and comprehensively analyzing event information from financial institutions, and cross-analyzing the information security threats they experience. The third is recovery after the incident. Financial emergency response teams are formed with professional security vendors to assist members in responding to incidents.

As of December 31, 2022, F-ISAC has collected 1,856 pieces of domestic and foreign threat information, and released 531 pieces of information following research and analysis. Information sharing by members accounted for 64% of that, showing that financial institutions have the courage to share information with F-ISAC, and then provide it to all members after analysis and aggregation by F-ISAC. “From one-way information sharing to two-way interaction and trust, this is a worthy achievement in financial security.”

Expansion of security drills

The main KPIs for the Financial Security Action Plan 1.0 reached the standard (86%) in 2022, including installing chief information security officers, introducing international information security standards, conducting security drills and competitions, and establishing a financial security incident response system.

In December 2022, the FSC carried out a rolling review and started promoting the Financial Security Action Plan 2.0, with refined measures such as expanded installation of chief information security officers, regular meetings between them, and strengthening of suppliers’ security resilience. The Bankers Association has revised and added self-regulatory measures in response to employees, customers, and third-party service providers, etc. working from home or elsewhere. Emerging technologies such as ChatGPT and deep fakes may cause new types of risks, and financial institutions should establish more stringent protections.

Zero trust has moved from the concept discussion stage into practical deployment planning. Major countries have established national zero-trust strategies in turn. The US plans to complete initial migration of its federal network by 2024. The FSC also encourages financial institutions to introduce zero-trust thinking and strengthen connection verification and authorization control.

Beginning in 2019, the Executive Yuan has conducted cross-border financial security drills simulating attacks, identifying weaknesses in financial institutions, and checking their defense mechanisms. This year, the FSC will expand the use of red/blue team drills, and cooperate with professional training institutions to organize cybersecurity certification courses in order to train financial security experts and enhance financial institutions’ information defense and combat capabilities.