Amended on September 1, 2021 per Order Ref. Jin-Kuan-Bao-Tsai 11004933251 of the Financial Supervisory Commission.
An insurance enterprise shall set up a dedicated information security unit and appoint a chief information security officer that may not handle concurrently information operation or other affairs that may pose a conflict of interest, and shall be allocated with proper manpower resources and equipment, except as otherwise provided by the competent authority with respect to insurance cooperatives.
An insurance enterprise whose total assets in the previous year as audited by a CPA exceed NTD 1 trillion shall appoint a person at the level of vice president or higher or a person in an equivalent position to serve concurrently as the chief information security officer, who shall oversee the implementation of information security policies and allocation of resources. It shall also set up a dedicated information security unit with independent function and appoint a person at the level of associate general manager or higher or a person in an equivalent position to be the chief officer of such dedicated information security unit.
The dedicated information security unit of an insurance enterprise is in charge of planning, monitoring and implementing information security management operation. The chief information security officer (the supervisor of the dedicated information security unit if no chief information security officer is appointed) shall, together with personnel specified in Paragraph 1, Article 25, jointly issue an internal control system statement to the board of directors (council) for approval.
The personnel of the dedicated information security unit of an insurance enterprise shall attend at least 15 hours of professional courses on information security, or on-the-job training every year. The personnel of the head office, domestic and foreign business units, product development management unit, fund utilization unit, information units, asset custody unit, and other management units shall attend at least 3 hours of information security courses every year.
Insurance enterprises governed by Paragraph 2 hereof shall make adjustments to become compliant within six months after they meet the applicable condition set forth therein.
The general manager of an insurance enterprise shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, general manager, chief auditor and head office chief compliance officer shall jointly issue an internal control system statement (Attachment), which shall be submitted to the board of directors for approval, and submitted together with the annual report set forth in Article 148-1 of the Act to the competent authority before the end of March
An insurance enterprise shall disclose its internal control system statement on its website.
These Regulations shall be in force on the date of promulgation.
Except for the part on management of financial consumers’ protection in these Regulations which has been in force since December 30, 2011, the provisions of Article 5 amended and promulgated on February 4, 2012 shall enter into force three months after the date of promulgation.
The provisions of Article 32-2 of these Regulations amended and promulgated on May 29, 2018 shall take effect six months after promulgation.
The provisions of these Regulations amended and promulgated on August 20, 2020 shall have been in force since December 31, 2020.