Abstract:

With the development of financial technology, the scale of digital business in financial institutions continues to expand, and cybersecurity risks have increased accordingly. In recent years, several cybersecurity incidents have occurred, including cyberattacks on financial institutions, ATM failures that debited accounts without dispensing cash, financial fraud, leaks of internal and customer data, and cybersecurity vulnerabilities in supply chains. To address these challenges, regulatory bodies have strengthened cybersecurity requirements for financial institutions. For example, the Cybersecurity Management Act and the regulations of financial regulatory authorities (such as the Financial Supervisory Commission, the Ministry of Digital Affairs, and the National Cyber Security Agency) have emphasized the importance of implementing information security governance, supply chain risk management, and cybersecurity controls over outsourced services. Additionally, international standards such as NIST, ISO 27001, and GDPR have become important references for enhancing cybersecurity protection in the financial industry.

This study explores compliance with cybersecurity regulations and supervisory mechanisms in the financial industry, focusing on major cybersecurity incidents and common deficiencies. Through literature review and case analysis, it outlines the cybersecurity regulations, supervisory frameworks, and international standards currently applicable to the financial sector, and summarizes recent major cybersecurity incidents and the deficiencies disclosed by regulatory authorities, in order to analyze where financial institutions can strengthen, adjust, or improve their cybersecurity regulatory compliance and supervisory mechanisms.

Based on the research findings, financial institutions still face many challenges in regulatory compliance and internal controls. Strengthening regulatory compliance mechanisms and their applicability, implementing cybersecurity management for outsourced services, improving incident response capabilities, and fostering cybersecurity talent development are crucial steps to reduce cybersecurity risks and maintain the security and stability of the financial market.