Cybersecurity Culture Implementation
Chunghwa Telecom is convinced that implementation of corporate cybersecurity and privacy information security is not only the responsibility for the cybersecurity team and the management but also that of each and every one in the Company. Therefore, Chunghwa Telecom is committed to cultivation of a cybersecurity culture. Apart from stipulation, maintenance, and execution of the internal cybersecurity policies, it also embeds cybersecurity in corporate operation and identifies performance of cyber/network security behaviors as one of the indicators for employee performance appraisal.
Through cybersecurity education and promotion, CHT regularly conducts product security and risk assessments as well as evaluation of cybersecurity performance. As such, it effectively strengthens all employees’ knowledge and emphasis on cybersecurity, cultivating employees’ accountability on cybersecurity. Also, through tests like infiltration tests, vulnerabilities scanning, and social engineering emails, CHT seeks to embed the cybersecurity awareness into the corporate culture to warrant personal and consumer data protection.
Information Security Management Programs
Unceasingly researching and analyzing cybersecurity risks and corresponding protective strategies, we implement various effective measures on the ground, including ICT Readiness for Business Continuity (IRBC), cybersecurity vulnerability analysis, internal information security audits, external information security management certification, cybersecurity training, and real-time incident reporting. Furthermore, we continually refine and enhance our cybersecurity and privacy protection management through the PDCA cycle on a rolling basis.
- Information security-related business continuity plans
- Risk Assessment and Business Impact Analysis (BIA)
- Response Strategies and Backup Planning
- Disaster Recovery Plan (DRP) and Exercise
- Information security vulnerability analysis
- Escalation process for employees to report incidents, vulnerabilities or suspicious activities
- Incident Classification and Reporting Principles: Cybersecurity incidents are classified and handled per the respective scope of impact and level of damage. In the event of major cybersecurity incidents (e.g., personal data breaches or leaks of core business data involving critical telecommunications infrastructure), the CHT SOC is to immediately notify the Chief Information Security Officer (CISO) for handling escalation.
- Establishment of an Emergency Response Team: A cross-departmental team, comprising relevant departmental units, cybersecurity technical personnel, IT personnel and network technology personnel, is formed, tasked with the responsibilities for emergency response plan activation, damage control, damage recovery, incident investigation, and evidence preservation, as well as identification of the impacted scope to prevent further damage.
- Regulatory Reporting and Cross-Unit Coordination: In accordance with the Cyber Security Management Act and competent authority regulations, an initial report is to be completed within 1 hour upon aware of an incident. Depending on the severity of the incident, damage control or recovery operations are to be completed within 36 or 72 hours. Where necessary, other telecommunications service providers, law enforcement agencies, or collaborative units for defense will be liaised via the Communication Computer Emergency Response Team (C-CERT) for support.
- Post-Incident Review and Improvement: The impact, damage, and effects arising from the incident are reviewed. Each case is examined to identify broader implications, and concrete improvement plans are formulated to prevent any recurrence.
- Information security awareness training
- 188 sessions of cybersecurity and privacy protection education or trainings with 229,312 hours in total were organized and accessed by 47,925 participants in 2024.
- Two email social engineering exercises will be conducted annually. The false click rate less than 0.2% in 2024. It effectively improved the knowledge of APT attacks as well as strengthened employees’ cybersecurity capabilities and enhanced the employees’ cybersecurity awareness.
- As of 2024, over 1000 international cybersecurity certificates have been obtained by employees of Chunghwa Telecom, including ISO27001 LA、CISSP、GWAPT、CEH、CHFI、ECSA、CISA、MCSA、BS10012 LA, etc.
- Internal audits of the information security management systems
- Independent external certification of information security management
A company-level Business Continuity Management (BCM) plan is in place, with the purpose of ensuring that a swift recovery of critical systems when the Company faces potential threats or disaster events, in order to minimize the impact of operational disruptions and to maintain our service commitments to customers and society. The specific actions taken are as follows:
With a Business Impact Analysis (BIA) table, each ICT system is categorized in terms of risk level and assessed whether it is a critical core system. Also, the extent of impact involving internal/external service disruptions, company reputation, regulatory compliance, and shareholder rights is assessed. The results of this analysis serve as the basis for our business continuity management strategies and disaster recovery plans.
Based on the risk assessment results, the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each ICT system are defined. All systems incorporate modern software design architecture with cloud computing technology introduced. Both local and off-site backup environments are established, and the flexibility and scalability are enhanced, so as to ensure a swift recovery of the systems in the event of any unforeseen incident.
For highly critical systems, Disaster Recovery Plans (DRPs) are established based on the aforementioned risk and response strategy assessments. Exercises are conducted semi-annually (e.g., simulating anomalies of a core platform or database) to verify the effectiveness of the plans and the internal coordinated response capabilities. 2 DRP exercises were completed in 2024, covering 28 critical systems. Hence, we ensure that these systems can be restored to a basic operational level within 4 hours of disruption, and data can be recovered to the state 5 minutes before the disruption occurred. (RPO ≤ 5 minutes)
To ensure the information security of service systems and applications, the Company conducts vulnerability scans of ICT systems and applications every half a year, scanning for vulnerabilities in hosts, websites, and open-source packages. In addition, for core ICT systems with critical operational impact, third-party organizations with international cybersecurity professional qualifications are engaged to conduct simulated hacker attacks as part of third-party vulnerability analysis, red team exercises and penetration testing. The scope of testing covers physical security, website/host vulnerabilities, defense perimeter penetration, and internal network lateral intrusion, among others. Any vulnerability found during testing is remediated and retested within a specified deadline in line with their severity of exposure, thereby shortening the zero-day exposure window.
A comprehensive mechanism for preventing, reporting, responding to, and improving cybersecurity incidents has been established at the Company. The “Procedures for Notification and Response of Cybersecurity Incidents” is in place to specify all response processes. Through the CHT Security Operation Center (CHT SOC), cybersecurity risks are continuously monitored and proactively deploys countermeasures. Hence, operational losses arising from significant security incidents are thus prevented.
Should an employee discover any suspected cybersecurity incident, they are to report it according to the established cybersecurity incident response procedures by notifying the dedicated cybersecurity personnel via email or other communication channels. Once confirmed as a cybersecurity incident, emergency response procedures are immediately activated, and all actions for handling thereof are to be completed within specified timeframe. The operating procedures are as follows:
The Directions for Rewards for Employee Proactively Reporting Cybersecurity (Personal Data Protection) Incident are specifically stipulated to offer employees rewards to encourage employees to actively report any suspected cybersecurity incidents.
As a professional cybersecurity solutions provider, Chunghwa Telecom has invested a plethora of resources for years to cultivate brilliant cybersecurity talents and keep cybersecurity R&D teams over 100 people. We regularly organize trainings in “cybersecurity and privacy protection,” demanding all employees 100% completion of the trainings, which covers contractors (including outsourced personnel and personnel of subsidiaries stationed at the Company for service) as well.
In addition, we have designed advanced training courses for managers of different levels as well as fields of system management, network management, software and application development, and cybersecurity management to improve the knowledge and skills in cybersecurity and privacy protection, so that all personnel can incorporate Security by Design for cybersecurity and privacy protection at the early stage of development. Also, subsidies are available for employees in terms of fees arising from external professional certifications. Results on the ground are as follows:
Chunghwa Telecom, in accordance with the Cyber Security Management Act, the Administration Regulations of Cyber Security on Telecommunications Business, and the Cybersecurity Policy at Chunghwa Telecom, conducts internal audits of ICT security on an annual basis. Furthermore, as per the Regulations Governing Establishment of Internal Control Systems by Public Companies, the Audit Department at the Headquarters, which reports directly to the Board of Directors, performs the annual internal control audit related to cybersecurity, ensuring an effective implementation of the cybersecurity management system and security protection measures.
Our Information Security Management System (ISMS) and Personal Information Management System (PIMS) have obtained certifications for ISO 27001, ISO 27701, ISO 27017, ISO 27018, CSA STAR, BS 10012 etc. The certified scope covers our company's owned operations and 100% of IT infrastructures, including mobile communication networks, fixed-line networks, international long-distance networks, data networks, big data, ICT services, cloud services, customer service, enterprise business, research and development, education and training, and other major business.
Cybersecurity Results of the Year
The performance of cybersecurity and privacy risk management has been incorporated into the monthly tracking by the Risk Management Committee for management. Any material risk issue will be submitted to the Audit Committee or directly reported to the Board of Directors.
Under the management via the rigorous mechanisms, there was no business impact or penalty arising from cybersecurity or privacy breach as of 2024. Meanwhile, “Cybersecurity Insurance - Data Protection Insurance” has been purchased to protect the rights of customers and investors.
| Item | 2022 | 2023 | 2024 |
|---|---|---|---|
| Number of cybersecurity incidents | 0 | 0 | 0 |
| Number of customer information losses as a result of cybersecurity incidents | 0 | 0 | 0 |
| Number of customers/employees affected as a result of cybersecurity incidents | 0 | 0 | 0 |
- Dedicated cybersecurity management unit at Chunghwa Telecom: Cyber Security Department
- For more information on “Cybersecurity and Privacy Protection” at Chunghwa Telecom, please refer to our Annual Report.( access the company's annual report )