R Reliability
Information Security and Privacy Protection

Information Security Governance

To effectively promote information security management, Nan Shan Life appointed a vice-president-level executive to serve as the “Chief Information Security Officer (CISO)” in 2021, responsible for promoting information security policies and managing information security resources. In addition, an “Information Security Department” has been established as the unit dedicated to the planning, monitoring, and execution of information security management operations.

The CISO makes quarterly reports to the company’s risk management committee regarding the overall information security implementation of the previous quarter. Every year, after compiling the overall information security implementation of the previous year, the CISO, along with the company chairman, president, chief auditor, and the headquarters compliance officer jointly issue a statement on the internal control system, which is submitted to the Board of Directors for approval.

In addition, a review is conducted annually, or whenever major changes occur, to ensure compliance with the latest developments in relevant laws, technologies, organizations, and operations, while ensuring the confidentiality, integrity, availability, and legality of the Company's information assets throughout its operations and service provision.

Information Security Management

Nan Shan Life has formulated its “Information Security Policy” for all its employees to follow when implementing security management of information assets, networks, and systems.

In response to the digital trend brought by financial technology, Nan Shan Life and Nan Shan General have both introduced an information security management system (ISMS) and obtained the international certification of “ISO 27001:2013 Information Security Management System”. In 2023, Nan Shan Life received the Quality Award in the “Digital Information Security Awards” and the “Information Security Leadership Award” from the Taiwan Corporate Sustainability Award (TCSA). In 2023, the Company's investment in information security (including software and hardware licensing costs and personnel training costs) accounted for 9% of the total budgeted information-related costs.

Through the ISMS, the Company has established an organization-wide information security management framework, and continuously strengthens information security management through programs covering pre-incident risk prevention, in-process detection, and post-incident response, to ensure the effectiveness of its risk management. At the same time, through a comprehensive set of risk analysis, risk assessment, and risk processing methods, the Company's information assets are categorized to determine their value and importance, and analyzed for potential weaknesses and threats. Risk management is thus integrated with the Company's information security, implementing information security risk management through a systematic risk assessment process.

Personal Information Protection

Nan Shan Life values the protection of its policyholders' personal information and privacy. The Company has established the “Plan for Maintaining the Security of Personal Data and Files and the Guidelines for Data Processing After Business Termination” and set up the Personal Data Protection Management Committee, with the President serving as the Personal Information Management Representative. The Personal Data Protection Management Committee oversees the planning and implementation of the Company's personal data protection system. The Personal Data Protection Task Force, formed under the Personal Data Protection Management Committee, is responsible for promoting and implementing the personal data protection management plans. Meetings are held at least quarterly to ensure the implementation of personal data protection and management policies.

To ensure the effectiveness of the personal data management cycle, Nan Shan Life and Nan Shan General perform a personal data inventory, a personal data risk assessment, and a personal data protection self-evaluation every year, the results of which are compiled into an annual personal data protection management self-evaluation report. The 2023 personal data risk assessment showed that the personal data protection processes of both Nan Shan Life and Nan Shan General were in compliance with the Personal Data Protection Act and management standards.

Both Nan Shan Life and Nan Shan General have obtained certification under the internationally recognized BS10012:2017 Personal Information Management System (PIMS) standard, are fully committed to the meticulous management of policyholders' personal information, and continuously improve and implement personal data management through third-party assurance and verification, following the Plan-Do-Check-Act (PDCA) operating model.