2018.6.8
Oli Wong
The Securities Supervisory Commission issued the Jin-Guan-Zheng-Chuan-Zi 1070320242 Circular of June 8, 2018 (hereinafter, the “Circular”) to stipulate that service enterprises in securities and futures markets are required to allocate appropriate manpower and equipment to take charge of the planning, supervision and implementation of an information security system. This requirement came into effect on the day of its promulgation.
This Circular was issued by the Financial Supervisory Commission in accordance with Article 36-2 and Article 37 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets to handle relevant matters. This Circular is hereby briefly discussed below:
I. Requirement that service enterprises in securities or futures markets shall allocate manpower for a dedicated security unit
1. Service enterprises in a domestic securities or futures market (Point 2 of the Circular) consist of the following, depending on different amounts of paid-in capital:
(1) For securities firms, futures enterprises, securities finance enterprises, securities investment trust enterprises, securities investment consulting enterprises operating the business of discretionary investment services for customers, and credit rating enterprises with a paid-capital of at least NT$20 billion, they shall set up a dedicated information security unit in which at least a dedicated supervisor and at least two dedicated officers shall be allocated to take exclusive charge of tasks or duties relating to information security, and which shall not concurrently operate information business or other business in conflict with the duties of such dedicated unit.
(2) For securities firms, futures enterprises, securities finance enterprises, securities investment trust enterprises, securities investment consulting enterprises and credit rating enterprises with a paid-in capital less than NT$20 billion:
a. if the paid-in capital exceeds NT$10 billion but falls short of NT$20 billion, an information security supervisor and at least two information security officers shall be allocated;
b. if the paid-in capital exceeds NT$4 billion but falls short of NT$10 billion, an information security supervisor and at least one information security officer shall be allocated; and
c. if the paid-in capital falls short of NT$4 billion, at least one information security officer shall be allocated.
2. For stock exchange, the Taipei Exchange, futures exchanges and centralized securities depositary enterprises, they are required to set up a dedicated information security unit in which a dedicated supervisor and necessary dedicated personnel shall be allocated to take exclusive charge of tasks or duties relating to information security. (Point 2, Subparagraph 3 of the Circular)
3. For foreign financial institutions, securities firms, futures enterprises and credit rating enterprises which set up and operate an affiliate or concurrently operate securities, futures and credit rating business in Taiwan pursuant to the Standards Governing the Establishment of Securities Firms, the Standards Governing the Establishment of Futures Commission Merchants, and Regulations Governing Credit Rating Enterprises, the above paid-in capital is calculated instead by the allocated operating capital. (Point 4 of the Circular)
II. Provisions prohibiting concurrent services of dedicated security personnel
As indicated above, except for the information security supervisor and personnel of a securities firm, futures enterprise, securities finance enterprise, securities investment trust enterprise, securities investment consulting enterprise and credit rating enterprise with a paid-in capital less than NT$20 billion who may concurrently hold information positions, the security supervisor and personnel of the rest of the service enterprises in the securities or futures market shall not concurrently conduct information business or other business in conflict with their business. (Point 2, Subparagraphs 1 and 3 and Point 3 of the Circular)
III. Adjustment timing for the establishment of a dedicated security unit
Relevant securities firms, futures enterprises, securities finance enterprises, securities investment trust enterprises, securities investment consulting enterprises and credit rating enterprises shall make the adjustment within six months after relevant conditions become applicable, while stock exchanges, the Taipei Exchange, futures exchanges and centralized securities depositary enterprises shall make the adjustment in three months after the effective date of this Circular. (Point 5 of the Circular)
IV. Disclosure requirement
This Circular requires all service enterprises to issue a statement on the status of the overall implementation of information security in the format of the table attached to the Circular and submit the same to the board of directors for approval. The contents of such statement shall be disclosed in the Market Observation Post System three months after the end of each accounting year. (Point 6 of the Circular)