The Taiwan Banker

Cybersecurity is a form of national power and a new asset for the financial industry

2023.08 The Taiwan Banker NO.164 / By Ingrid Chang and Chen Hsiao-lan

In recent years, frequent cyberattacks have occurred against domestic and foreign governments and enterprises, challenging our ability to respond. According to Check Point Software’s 2023 Cyber Security Report, global cyberattacks increased by 38% year on year in 2022, and organizations face an average of 1,168 attacks per week. In the first quarter of 2023, global cyberattacks increased by 7%. Organizations were attacked an average of 1,248 times a week, while organizations in Taiwan were attacked an average of 3,250 times a week, 2.6 times the global average, with an annual growth rate of 24%. According to research by Kaspersky, another cybersecurity company, the number of ransomware attacks reached 74.2 million in 2022, an increase of 20% from 61.7 million in 2021. Complex and changeable cybersecurity issues arise with the steady emergence of new technologies, and cyberattacks cover almost all industries and organization types.

In order to resist the threat of cyberattacks from China and its allies, the US established the Bureau of Cyberspace and Digital Policy (BCDP) in 2021 and strengthened cooperation with large technology companies. The 2022 National Security Strategy mentioned that it is necessary to improve the supply chain security of the electronics manufacturing industry.

US financial security measures provide Taiwan a path forward

The White House released the National Cybersecurity Strategy on March 2, aiming to ensure that all citizens of the US can benefit from a secure digital ecosystem, and to build secure and resilient next-generation technology and infrastructure through strategic investment and coordination, while establishing international partnerships to pursue common goals. Taiwan is playing an increasingly important role in both international politics and economics. In addition, Taiwan and the US have closely interacted with each other on the issue.
In September 2020, Taiwan and the US jointly detected a foreign attack against CNPC and held a joint press conference to explain the situation. In order to deepen exchanges between Taiwan and the US, in June, the American Institute in Taiwan (AIT) invited George Salmoiraghi, Director of the Risk Analysis and Resilience Division of Cyber Intelligence at the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) of the US Department of the Treasury, Wilson Co, Deputy Director of International Internet Policy, and Steven Nider, Senior Policy Advisor. They came to Taiwan and participated in the Taiwan-US Financial Security Forum, sponsored by TABF and co-organized by the Institute for Information Industry, to share their insights on financial supervision and risk control. It was the first time for the US and Taiwan to cooperate on financial security in an open forum.

Participants heard speeches from Taiwan President Tsai Ing-wen and AIT Director Sandra Oudkirk. Oudkirk thanked the Ministry of Finance, Financial Supervisory Commission (FSC), and the business community for their efforts to jointly deal with financial cybersecurity issues together with AIT. In both the US and Taiwan, the financial industry faces ransomware and other cyberattacks. As criminals continue to evolve and change, both sides should work together and keep learning how to make networks more resilient. Oudkirk also said that the March Cybersecurity Strategy included important risk mitigation measures. The US is working with Taiwan and other like-minded partners to promote strategies reflecting American values and prosperity, human rights, and democratic freedoms. In order to achieve those goals, it will be necessary to respond together to withstand threats and invest in future resilience. Oudkirk said that cybersecurity exchanges are one of the important tasks of AIT. The US is committed to working with partners who share common values to build a more trustworthy supply chain.

Building a stronger protection system

President Tsai said in her speech that her administration had constantly emphasized the concept of “information security is national security.” As Taiwan promotes digital transformation, it will inevitably need to identify, evaluate, and eliminate threats in an increasingly complex security environment, requiring cross-industry and cross-field cooperation. Tsai also detailed the administration’s efforts to improve all aspects of security. First, the Ministry of Digital Affairs was established last August. It led a delegation to participate in RSA, the world’s most important cybersecurity conference, in the US. The National Institute for Cybersecurity, a state-level cybersecurity body, was created in February to promote the R&D, application and operation of cutting-edge security technology, striving to improve the protection of key information systems and infrastructure.

Taiwan’s international cooperation is also strong. Tsai said that Taiwan set up the Financial Information Sharing and Analysis Center (F-ISAC) in 2017, preventing systemic risks through drills, evaluation, and analysis. In 2019, F-ISAC commenced information sharing with relevant US systems. In January 2022, Taiwan became a member of the Forum of Incident Response and Security Teams (FIRST) in the US. It has also signed MOUs with financial security bodies in many countries. As for domestic financial institutions, the 2020 Financial Security Action Plan 1.0 required banks to install chief information security officers (CISOs), introduce international standards, conduct drills, and establish contingency plans in order to better respond to incidents.
Last year, the FSC released the Action Plan 2.0 in order to strengthen the security of important core data and encourage zero trust verification, pragmatically reducing risk through the spirit of “never trust, always verify.” According to the FSC, at the end of last year, the main KPIs of the Financial Security Action Plan 1.0 were all met, which account for 86% of the 2.0 plan. In order to expand, implement and deepen application, and encourage foresight, 40 new measures have been formulated, including 12 new security measures, 5 expansions of application scope, and 23 continuous measures, with 9 major points for improvement. The first is to establish CISOs and regularly hold liaison meetings with them; second is to add and revise self-regulatory norms in response to digital transformation and the creation of online services; third is to deepen core data security and business continuity drills; fourth is to expand use of international cybersecurity management standards and monitoring mechanisms; fifth is to encourage effective assessment of cybersecurity monitoring and protection; sixth is to encourage “zero trust” architecture and strengthen verification and authorization control; seventh is to encourage deployment of cybersecurity experts with multiple talents, and to expand the capacity of drills; eighth is to enhance information sharing and joint defense operations; and ninth is to plan major incident response drills.

The Financial Security Action Plan 2.0 will last for three years, and the results will be reviewed on a quarterly basis. Five methods will be used to promote its implementation. First, the government, institutions associated with FSC, and various public-private industry associations will work together. Second is differentiated security requirements in sequence by industry, business scale, and service offerings. Next is resource sharing, establishing information sharing, incident response and monitoring systems.
Then come incentives for security, giving incentives to reduce operating costs, such as lower deposit insurance rates. Finally, there is international cooperation, in conjunction with other national cybersecurity organizations, in order to grasp the international security situation and coordinate responses to threats.

A Cybersecurity Training Base

TABF has been cultivating financial skills for a long time, and actively responded to the government’s measures. In August 2020, it jointly launched the Cybersecurity and Information Security Executive (CISE) program with a financial information company, as well as a Learning Executive Apex Program (LEAP) cybersecurity class. The curricula are based on NIST and F-ISAC cybersecurity training frameworks. Jerry Lin, Vice President of TABF, emphasized that “the key to cybersecurity lies in people.” Each of the past four years, TABF has trained 25 financial security chiefs, assisting banks to cultivate security teams and comprehensively enhance security awareness through nearly a hundred seminars and realistic red/blue team drills.

The first pillar of the US National Cybersecurity Strategy, “Protecting Critical Infrastructure,” requires full public confidence in the resilience and availability of infrastructure and services. Tsai also mentioned that at the end of May, the Legislative Yuan passed amendments to the Banking Act, Securities Trading Act, and Futures Trading Act in the third reading, increasing penalties for disrupting the normal operation of the core information systems. The maximum penalty will be 7 years in prison and a fine of up to 10 million yuan. Tsai said that even though resilience requires large investments with no short-term quantifiable benefit, resources to protect both financial institutions and customers are institutions’ greatest assets. The importance of cyber warfare is no less than that of physical warfare.
The industrial cybersecurity protection capabilities possessed by information security chiefs and staff are like soldiers defending their homes and the country. Instead of weapons, however, they use intangible assets to protect the financial industry and overall national security.