Information Security Management PolicyInformation Security Management Policy
Since its establishment in 1999, Hotai Finance Corporation has demonstrated financial expertise by continuously improving and innovating diverse financial products. Hotai Finance Corporation has accumulated nearly three million customer cases. To ensure the safety of our customers’ personal data and minimize information security risks, we are committed to strengthening our information safety system and hence issue the Information Security Management Policy. The policy aims to provide employees a clear conduct to follow, and Hotai Finance Corporation expects each employee to participate and advocate for the policy to ensure the smooth operation of data, information systems, equipment, and the internet. Since its establishment in 1999, Hotai Finance Corporation has demonstrated financial expertise by continuously improving and innovating diverse financial products. Hotai Finance Corporation has accumulated nearly three million customer cases. To ensure the safety of our customers’ personal data and minimize information security risks, we are committed to strengthening our information safety system and hence issue the Information Security Management Policy. The policy aims to provide employees a clear conduct to follow, and Hotai Finance Corporation expects each employee to participate and advocate for the policy to ensure the smooth operation of data, information systems, equipment, and the internet.
Implement Information Security, Enhance Service Quality Implement Information Security, Enhance Service Quality
All employees must thoroughly implement the Information Security Management System (ISMS). All related information and communication operations must ensure the confidentiality, integrity, and availability of business data, protecting it from risks such as leaks, damage, or loss due to external threats or improper internal management. Appropriate protective measures should be selected to reduce risks to an acceptable level. Continuous monitoring, reviewing, and auditing of the ISMS are essential to strengthen service quality and elevate service standards.All employees must thoroughly implement the Information Security Management System (ISMS). All related information and communication operations must ensure the confidentiality, integrity, and availability of business data, protecting it from risks such as leaks, damage, or loss due to external threats or improper internal management. Appropriate protective measures should be selected to reduce risks to an acceptable level. Continuous monitoring, reviewing, and auditing of the ISMS are essential to strengthen service quality and elevate service standards.
Strengthen Cybersecurity Training, Ensure Continuous OperationsStrengthen Cybersecurity Training, Ensure Continuous Operations
Protective systems are not foolproof, especially as hacking methods continuously evolve. Therefore, enhancing cybersecurity awareness involves the following approaches: a. Diverse Educational Training and Communication: Continuously deepen every employee’s cybersecurity awareness through various forms of education and communication. For example, all employees must undergo annual cybersecurity training and testing to minimize security incidents or sensitive data leaks due to a lack of understanding of cybersecurity regulations. b. Annual Cybersecurity Audits: Ensure all employees adhere to information security management practices, establishing a culture of "Information Security is Everyone’s Responsibility." This initiative helps employees understand the importance of information security, encourages compliance with security regulations, enhances cybersecurity intelligence, and emergency response capabilities, thereby reducing cybersecurity risks and achieving the goal of continuous operations.Protective systems are not foolproof, especially as hacking methods continuously evolve. Therefore, enhancing cybersecurity awareness involves the following approaches: a. Diverse Educational Training and Communication: Continuously deepen every employee’s cybersecurity awareness through various forms of education and communication. For example, all employees must undergo annual cybersecurity training and testing to minimize security incidents or sensitive data leaks due to a lack of understanding of cybersecurity regulations. b. Annual Cybersecurity Audits: Ensure all employees adhere to information security management practices, establishing a culture of "Information Security is Everyone’s Responsibility." This initiative helps employees understand the importance of information security, encourages compliance with security regulations, enhances cybersecurity intelligence, and emergency response capabilities, thereby reducing cybersecurity risks and achieving the goal of continuous operations.
Prepare for Emergencies, Ensure Rapid Disaster RecoveryPrepare for Emergencies, Ensure Rapid Disaster Recovery
Develop emergency response plans and disaster recovery plans for critical information assets and key business operations. Regularly conduct drills for various emergency procedures to ensure rapid recovery in the event of system failures or major disasters, maintaining continuous operation of key business functions and minimizing losses.Develop emergency response plans and disaster recovery plans for critical information assets and key business operations. Regularly conduct drills for various emergency procedures to ensure rapid recovery in the event of system failures or major disasters, maintaining continuous operation of key business functions and minimizing losses.
Information security management organizationInformation security management organization
Information security investment resources in 2023 Information security investment resources in 2023
- Policy Formulation Meetings: 16 sessions
- ISO 27001 Certification Audits: Internal audit & External audit
- Dedicated Information Security Management System Training: 2 sessions
- Staff Allocation: 2 dedicated cybersecurity personnel; 25 additional supporting staff (from the IT department)
- 2023 Vulnerability Scans: 3 scans conducted. The third-party scan reports provided Hotai Finance with clearer guidance and professional recommendations for improving cybersecurity.
- In 2023, we offered three courses to employees, and a total of 3,271 people completed the three courses on the Personal Data Protection Act, intellectual property rights, and information security.
ISO 27001 CertificationISO 27001 Certification
Information security managementInformation security management
In recent years, with frequent cyberattacks and network information and product security issues, information security issues have become more important to enterprises and the public sector. How to control and alleviate such risks and reduce losses has become the priority of business management. The "Global Risks Report 2023" of the World Economic Forum pointed out that cybercrime ranks among the top 10 risks in the world. In particular, the number of ransomware cases has increased dramatically around the world, and the majority of cybersecurity incidents can be attributed to human error. With escalating cybercrime, the losses caused to enterprises are substantial. The report also mentioned that the current growth rate of global cyber threats is beyond people's ability to prevent and manage.In recent years, with frequent cyberattacks and network information and product security issues, information security issues have become more important to enterprises and the public sector. How to control and alleviate such risks and reduce losses has become the priority of business management. The "Global Risks Report 2023" of the World Economic Forum pointed out that cybercrime ranks among the top 10 risks in the world. In particular, the number of ransomware cases has increased dramatically around the world, and the majority of cybersecurity incidents can be attributed to human error. With escalating cybercrime, the losses caused to enterprises are substantial. The report also mentioned that the current growth rate of global cyber threats is beyond people's ability to prevent and manage.
Information security incident management processInformation security incident management process
| Subject Matters | 2021 | 2022 | 2023 |
| Number of major information security incidents | 0 | 0 | 0 |
| Number of violations of customer privacy | 0 | 0 | 0 |
| Number of customers affected by information leakage | 0 | 0 | 0 |
| Total fines/penalties paid for information security incidents | 0 | 0 | 0 |
Regularly review the vulnerability in information securityRegularly review the vulnerability in information security
To strengthen all our systems and information security and expand the coverage, we commission an impartial and objective third party to conduct a thorough review of our systems. Therefore, HFC also commissioned an information security consulting company to perform vulnerability scanning to comprehensively assess the weaknesses of information systems and the overall information security risk level. A total of 3 vulnerability scanning was performed in 2023. Third-party scan reports provide HFC with clearer information security improvement guidelines and professional advices.To strengthen all our systems and information security and expand the coverage, we commission an impartial and objective third party to conduct a thorough review of our systems. Therefore, HFC also commissioned an information security consulting company to perform vulnerability scanning to comprehensively assess the weaknesses of information systems and the overall information security risk level. A total of 3 vulnerability scanning was performed in 2023. Third-party scan reports provide HFC with clearer information security improvement guidelines and professional advices.
Internal information security auditInternal information security audit
As the information security system is like the blood vessels of an enterprise, to ensure normal and secure operations of the information system, the Information Department arranges regular internal audits every month and every year, and all employees in the Company must cooperate. The audit mechanism and method differ by level. The monthly audit schedule is formulated by the Information Department to audit systems or system functions going live for information security risks, to ensure the normal operation and alignment of new systems or functions with needs. For the annual audit, employees conduct self-check through the "Personal Computer Information Security Checklist". We design different audit topics every year. The Information Department assigns dedicated personnel to randomly audit 10–20% of the Company’s personal computers. After the audit, the percentage of defects for each department is calculated, and an annual information security audit report is prepared that covers relevant improvement measures.As the information security system is like the blood vessels of an enterprise, to ensure normal and secure operations of the information system, the Information Department arranges regular internal audits every month and every year, and all employees in the Company must cooperate. The audit mechanism and method differ by level. The monthly audit schedule is formulated by the Information Department to audit systems or system functions going live for information security risks, to ensure the normal operation and alignment of new systems or functions with needs. For the annual audit, employees conduct self-check through the "Personal Computer Information Security Checklist". We design different audit topics every year. The Information Department assigns dedicated personnel to randomly audit 10–20% of the Company’s personal computers. After the audit, the percentage of defects for each department is calculated, and an annual information security audit report is prepared that covers relevant improvement measures.
Regular risk assessmentRegular risk assessment
We regularly review the Company’s information asset risks and formulated an information asset risk response program in accordance with the ISO 27001 ISMS process to review and improve the one “high” risk.We regularly review the Company’s information asset risks and formulated an information asset risk response program in accordance with the ISO 27001 ISMS process to review and improve the one “high” risk.
In 2023, we conducted a risk assessment of 171 information assets and identified a total of 183 vulnerabilities and corresponding threats. There were 1 high, 43 medium, and 139 average risks. One unacceptable high-risk "Veritas Net Backup 5240" project was reviewed, and a risk management plan was formulated as follows:Since "Veritas Net Backup 5240," has been in operation for many years and there is a high vulnerability of "insufficient system resources," continued use poses a high risk of hardware failures. We planned to purchase new equipment to expand the system resources with the aim of reducing the risk of hardware failure caused by insufficient system resources.In 2023, we conducted a risk assessment of 171 information assets and identified a total of 183 vulnerabilities and corresponding threats. There were 1 high, 43 medium, and 139 average risks. One unacceptable high-risk "Veritas Net Backup 5240" project was reviewed, and a risk management plan was formulated as follows:Since "Veritas Net Backup 5240," has been in operation for many years and there is a high vulnerability of "insufficient system resources," continued use poses a high risk of hardware failures. We planned to purchase new equipment to expand the system resources with the aim of reducing the risk of hardware failure caused by insufficient system resources.
Improving information security awareness of all employeesImproving information security awareness of all employees
We list the personal data protection course and the information security course as required for all employees. Through the courses, we raise their awareness of information security once again. If an employee fails to complete the courses prior to a deadline, it will be included in the annual performance evaluation. The courses contain a variety of information. We explain the purpose and background of the Personal Data Protection Act, the definition of personal data assets, digital personal database and online privacy content collection, processing, use, and security maintenance. We teach clear definitions in class, provide relevant learning materials, and arrange after-class exercises, allowing employees to understand the course content through questions to ensure effective learning. In 2023, we offered three courses to employees, and a total of 3,271 people completed the three courses on the Personal Data Protection Act, intellectual property rights, and information security.We list the personal data protection course and the information security course as required for all employees. Through the courses, we raise their awareness of information security once again. If an employee fails to complete the courses prior to a deadline, it will be included in the annual performance evaluation. The courses contain a variety of information. We explain the purpose and background of the Personal Data Protection Act, the definition of personal data assets, digital personal database and online privacy content collection, processing, use, and security maintenance. We teach clear definitions in class, provide relevant learning materials, and arrange after-class exercises, allowing employees to understand the course content through questions to ensure effective learning. In 2023, we offered three courses to employees, and a total of 3,271 people completed the three courses on the Personal Data Protection Act, intellectual property rights, and information security.