Information Security Governance
The Company has established an Information Security Policy approved by the Board of Directors and set up an Information Security Committee chaired by the President. Committee members include top-level executives under the President, Chief Risk Management Officer, and Chief Compliance Officer, with the audit supervisor attending as a non-voting participant. A Chief Information Security Officer, reporting directly to the President, has been appointed to manage the independently operating Information Security Department, overseeing governance, system maintenance, and incident response. High-risk information security incident scenarios and key risk indicators are included in the monthly Risk Integration Report submitted by the Risk Management Department to the Board of Directors. The overall implementation status is reported to the Board annually, while implementation effectiveness is presented to the Information Security Committee semi-annually.
To enhance information security governance and management synergy across the group, Taiwan Life's Chief Information Security Officer holds weekly information security executive meetings with the parent company CTBC Holding, with 42 meetings held in 2024. The Company has actively responded to the FSC's Financial Cyber Security Action Plan and Emphasis on Information Security Supervision in the Insurance Industry, continually improving its information security governance. In independent third-party assessments by SGS, the score improved from 4.23 in 2023 to 4.71 in 2024 (out of a maximum score of 5).
● Information Security Governance Framework
Information Security Defense
Based on the NIST Cybersecurity Framework 2.0, which comprises the six core functions of govern, identify, protect, detect, respond, and recover, the Company has designed defense-in-depth technical mechanisms. Risks are identified through methods such as vulnerability scanning, black-box testing, white-box testing, mobile app testing, and penetration testing. To ensure timely risk monitoring and response, technologies such as extended detection and response (XDR) and third-party automated security assessment are employed. Following international standards including ISO 27001, ISO 27701, and BS 10012, the Company implements information security and personal data protection measures across its networks, application systems, hardware, operating systems, and data to detect and block threats, strengthening the defense of critical risks. Additionally, Taiwan Life conducts automated attack and defense drills and red team–blue team exercises that simulate real-world attacker techniques to verify the effectiveness of its information security protection.
To enhance overall information security, the Company has continued to expand its security investments. In 2024, the information security budget increased by 59.6% compared to the previous year, accounting for 4% of the total IT budget. Taiwan Life and subsidiary CTBC Insurance had no major information security or personal data breach incidents resulting in losses in 2024.
● International Information Security Standards
| Entity | Certification | Certification Scope |
|---|---|---|
| Taiwan Life | ISO 27001:2022 Information Security Management System | Entire Company |
| Taiwan Life | ISO 27701:2019 Privacy Information Management System | Entire Company |
| Taiwan Life | BS 10012:2017 Personal Data Management System | Entire Company |
Personal Data Protection
The Company has adopted the ISO 27001:2013 Information Security Management System, ISO 27701:2019 Privacy Information Management System, and BS 10012:2017 Personal Data Management System standards, and uses frameworks covering strategy, governance, maintenance, and technology to construct effective information security and personal data management methods. By incorporating control measures into the five stages of the information system life cycle, namely requirement discussion, system analysis and design, development and construction, system testing, and system launch, we have improved software security quality and ensured that rigorous protective measures are applied throughout operating processes, from personal data collection, storage, processing, and transmission through to deletion. An Information Security Policy and a Personal Data Management Policy have also been established to protect operating information and the rights and interests of customers. In addition, Personal Information Security Guidelines, the Statement on Personal Data Protection, and the Commitment to Information Confidentiality are in place to ensure that rigorous protection measures are implemented in the collection, processing, and use of customer information.
To strictly protect customer personal data, the information system platform displays only the minimum amount of data required for each business purpose, thereby reducing the risk of exposure. A separate Emergency Response Plan for Personal Data Breaches has also been formulated to ensure compliant handling in the event of a personal data infringement incident. We also continually carry out information security and personal data protection education, training, and advocacy to improve personnel capabilities and strengthen awareness of information security and personal data protection.
Business continuity management
When a disaster occurs, Taiwan Life strives to minimize damage in order to ensure personnel safety, protect customer rights and interests, and preserve the Company's goodwill and assets. To ensure that important services can continue to operate when an incident, facility failure, or damage affects business or information services, the Company regularly revises its business continuity management standards and implements them in practice, so as to continuously improve and provide uninterrupted customer service.