Listed companies’ information security incidents now have a “materiality” standard: it covers not only core systems and official websites being hacked, but also DDoS attacks and personal data leaks | iThome

2024-03-13 09:51:09

Listed companies are frequently attacked by hackers, and for the past two years everyone has wanted to know how a company decides that a security incident is serious enough to require disclosure.

When we recently reported on information security incidents at listed and OTC companies in 2023, the Taiwan Stock Exchange (TWSE) stated that there are now clear rules on this: the new version of the “Reference Questions and Answers on Things to Note on Publicly Released Major Information of Listed Companies”, released in January this year, revised the relevant content. We reported this at the time. In March, the Financial Supervisory Commission (FSC) and the Securities Over-the-Counter Trading Center (OTC Trading Center) released follow-up information.

Specifically, the material information Q&A is a supplementary explanation of the current regulation, the “Taiwan Stock Exchange Co., Ltd. Verification and Disclosure Processing Procedures for Material Information of Securities Listed Companies” (hereinafter the Material Information Processing Procedures), mainly to give more detailed answers to the many questions outsiders have about how the regulation is applied.

The focus of this revision is that the previous stock exchange rules largely left it to companies to evaluate and judge what counts as “significant”. For example, they suggested that companies evaluate according to the “Procedures and Judgment Standards for Release of Major Information” in the Q&A set and keep relevant records, and that if the media reports an information security incident at a company that may affect investors’ investment decisions, the company must release major information.

Now the stock exchange rules not only keep the above content but also clearly spell out a number of specific types of incident that require the release of major information.

For example, if the company’s core information systems, official website, or confidential documents and files are hacked, intruded upon, destroyed, tampered with, deleted, encrypted, stolen, or hit by a denial-of-service attack (DDoS), such that the company cannot operate normally or provide services, or personal information is leaked, and this causes significant damage or impact to the company, the company must release major information in accordance with Paragraph 26 of the Material Information Processing Procedures.

Clearly, the purpose of this year’s revision of the Q&A is to define more concretely the “materiality” of information security incidents that must be disclosed as major information, so that listed companies have more specific criteria when deciding whether to release major information about an incident.

The FSC’s Securities and Futures Bureau made its first public statement, and the OTC Trading Center also completed its revision in March

At the FSC’s regular press conference on March 5, Huang Houming, deputy director of the Securities and Futures Bureau, also mentioned this change. He announced 8 key points for promoting information security governance this year, one of which is revising the major information Q&A to clearly standardize the “materiality” criteria for information security incidents.

Since this is the first time the Securities and Futures Bureau has publicly emphasized the matter, we also asked it for details. The Bureau stated that the revision for TWSE-listed companies was indeed completed in January, when the new version of the “Reference Questions and Answers on Things to Note on the Release of Major Information of Listed Companies” was released. As for OTC-listed companies, the revision is expected to be completed after a period of time.

A few days later (March 8), we found that the OTC Trading Center had completed its own revision and published the new version of the “Reference Questions and Answers on Things to Pay Attention to when OTC-Listed and Emerging-Stock Companies Release Major Information” on its business promotion website, so that the outside world can better understand the major information handling procedures and how the competent authority applies and judges the definition of “significance” for information security incidents in Section 26 of the “Verification and Disclosure Processing Procedures for Major Information of Securities Listed Companies by the Securities Over-the-Counter Trading Center of the Republic of China”.

In other words, whether a company is TWSE-listed, OTC-listed or on the emerging stock board, once it encounters an information security incident there are now clearer criteria for judging whether major information must be released, making it easier for all companies to follow.

Although there may still be some debate about the definition of “significant”, the competent authorities should have considered how to ensure that all companies can comply. After all, companies differ greatly in size, and the requirement for some listed companies to appoint a chief information security officer or set up a dedicated information security unit has only existed for the past two years. Many companies therefore may not yet have an information security chief, or may lack the ability to judge whether an incident is major and whether major information must be released.

The information security disclosure rules are approaching their third year; pay attention to the latest changes in the revised standards

Listed companies are very concerned about major changes in the disclosure of information security incidents.

Although the rules requiring the release of major information to disclose information security incidents have been in force since April 2021, over the following three years we have indeed seen some listed companies that experienced incidents release major information as required.

However, we learned from some information security experts that there are still listed companies that are completely unaware of this. They do not know that a company must announce major information when a major information security incident occurs, and that when the loss from such an incident reaches 300 million yuan or 20% of total equity, a major press conference must be held to explain to the public.

Moreover, there are several points in later revisions that also deserve attention. For example, the preparation of annual reports has changed: starting from the 2022 annual report, companies must not only record their information security actions but also disclose the losses and impact of major information security incidents and explain how they responded when an incident occurred.

Next, in the 2023 revision of the major information processing procedures, the content of a major information release must be consistent with what is explained to the outside world and the media, with no discrepancy.

The latest regulatory change, in 2024, is the revision of the major information Q&A set described above, which clearly regulates the “materiality” standard for information security incidents.

Listed and OTC companies that violate the rules on releasing major information face a fine of up to 5 million yuan, and the FSC continues to promote the rules

When an information security incident occurs at a listed company and major information must be released, the company should pay attention not only to the regulatory amendments made since 2021 but also to the earlier major information rules, because these still apply today.

Since the competent authorities first required the release of major information decades ago, they have specified more than 50 situations that may significantly affect shareholders’ rights or securities prices and that require listed companies to release major information and explain it to investors. For example, we often see companies release major information because of major personnel changes.

“The occurrence of disasters, collective protests, strikes, environmental pollution, information security incidents or other major events” is also one of the situations requiring the release of major information; information security incidents were only explicitly added to the list in 2021.

Because of these rules, the FSC’s Securities and Futures Bureau continues to promote the following matters this year, reminding listed companies to keep them in mind and follow them: (1) major information about an information security incident must be released 2 hours before the opening of the next business day (before 7 o’clock); (2) violating the rules on the release of major information results in liquidated damages of 30,000 to 5 million yuan; (3) if a major information security incident occurs at a subsidiary, the parent company must also make the announcement on the subsidiary’s behalf.

Have there been any recent fines for violating the reporting rules? When we reviewed the major information security incidents at Taiwanese companies last year, we found that one company appeared to be in this situation.

According to an announcement from the OTC Trading Center on November 9, Nobel Baby discovered on September 14 that customer information was suspected to have been leaked, but failed to release major information within the required time limit, violating Article 34 of the review guidelines for emerging OTC stocks. The OTC Trading Center therefore imposed liquidated damages of 150,000 yuan. The company only released major information on October 7 to explain that it had suffered a cyberattack.

To help everyone understand the origin of these standards, we further confirmed them with the FSC’s Securities and Futures Bureau. The requirement to release major information 2 hours before the opening of the next business day was stipulated in the 2016 revision of the major information handling procedures; the fine of 30,000 to 5 million yuan for violations was standardized in 2011; and the rule that an event at a subsidiary which qualifies as major information is treated as major information of the listed parent company, which must report it on the subsidiary’s behalf, was added in the 2014 revision.

What other regulatory trends should listed companies watch this year? Judging from the FSC’s recent outlook, the subsidiary aspect mentioned above is a key one: we noticed that one of the eight major measures the FSC says it will promote this year is supervising how companies manage the information security of their subsidiaries. In other words, the authorities not only encourage listed companies to strengthen their own information security, but also to pay equal attention to the information security of their subsidiaries.

In addition, the FSC will also focus on raising the proportion of internal control audits devoted to information security and tracking the remediation of deficiencies. The increased effort here may be related to the recent rise in information security incidents at listed and OTC companies.

As for a number of other supervisory and assistance measures, the FSC will continue to implement them this year, including reviewing and revising the “Information Security Management and Control Guidelines for Listed and OTC Companies” released at the end of 2021, strengthening the education and training of information security personnel and the sharing of incident cases, continuing to promote joining TWCERT/CC to share incident information, and obtaining international certification of information security standards with external verification. Through these measures, the FSC aims to further push listed companies to strengthen information security.
