Cybersecurity and Privacy Protection
Cybersecurity is fundamental to the telecommunications business, which is itself critical infrastructure. Chunghwa Telecom Co., Ltd. (“Chunghwa Telecom”) is a leading telecommunication company with a mission to provide safe, reliable, and valuable services of the highest global standards in the cybersecurity arena. Through its in-house developed Intelligent Security Operation Center (CHT SOC), Chunghwa Telecom proactively uncovers malicious behavior and hunts potential cyber threats at an early stage. The Cybersecurity Policy and Privacy Protection Policy are thoroughly implemented, embedded in daily operations, and continuously refined in accordance with the Plan-Do-Check-Act cycle. Chunghwa Telecom maintains zero tolerance for major cybersecurity and privacy incidents, contributing to the development of smart living and the digital economy.
Chunghwa Telecom has established a “Cybersecurity and Privacy Protection Steering Committee” (as shown in the figure below). An SEVP-level officer appointed by the Chairman serves as CISO, convening both the “cybersecurity working group” and the “personal data and privacy protection working group” periodically, overseeing and managing cybersecurity and privacy protection, and reporting to the Board regularly.
A cybersecurity management department has been in place since 2016 to keep pace with laws and regulations as well as technology developments in emerging business, to coordinate the formulation of cybersecurity policy and rules, and to centralize ICT equipment for cybersecurity monitoring and joint defense. These measures reduce corporate cybersecurity risk, promote emerging business, and offer clients safe and reliable digital services.
Cybersecurity and Privacy Governance
Given that trends in new technologies and applications (e.g. 5G, IoT, AI, and cloud services) increase exposure to risk and lead to more diverse attacks, Chunghwa Telecom enacts a cybersecurity policy in line with its operational objectives and progressively promotes managerial solutions to fully support its business strategies and goals.
These solutions include appropriate risk management, strict cybersecurity protection management, and thorough implementation of client data and privacy protection. Supply chain security is ensured by gathering intelligence and operating an early warning mechanism, handling cybersecurity incidents immediately with rapid notification and response, and selecting and monitoring suppliers properly.
Cybersecurity training and awareness campaigns are organized for employees to enhance their cybersecurity and privacy protection awareness. In addition, penetration tests and internal, external, and third-party audits are conducted to evaluate the effectiveness of cybersecurity activities, and the results are reported to executive management on a regular basis. Through the Plan-Do-Check-Act (PDCA) cycle, cybersecurity and privacy protection management actions are continuously improved to ensure their compliance and effectiveness.
Cybersecurity and Privacy Protection Risk Management Mechanisms
To ensure the security of ICT systems and critical infrastructure, Chunghwa Telecom refers to the NIST Cybersecurity Framework (CSF) and, in accordance with domestic and international standards and regulations, has established a “Cybersecurity and Privacy Protection Risk Management Framework” (shown in the figure below) to prevent possible risks and implement effective measures for cybersecurity and privacy protection.
Chunghwa Telecom evaluates the maturity of its cybersecurity governance through risk management and amends its cybersecurity policy and guidelines annually in accordance with the results of internal and external risk assessments. Employee awareness training and performance are integrated with appraisals, and internal and external audits are conducted regularly. Chunghwa Telecom has been certified by competent authorities and third parties (ISO 27001, ISO 27011, BS10012, CSA STAR Certification, etc.), with certifications valid through 2020, to provide better cybersecurity and privacy protection for clients.
Personal Data and Privacy Protection
A personal data inventory and privacy impact analysis are conducted prior to the launch of a business. A “Personal Data Collection Notice” is communicated explicitly to individuals via service websites, apps, stores, and the Customer Service Hotline. The data collected are used within the scope of the specified purposes, and users have the right to access and learn about the categories and methods of collection, processing, and use of their data, any disclosure of such data to a third party by Chunghwa Telecom, and the rights they may exercise as clients.
The collection, storage, processing, and use of privacy-related and personal data are conducted within the scope of the specified purposes and managed by Chunghwa Telecom itself. Chunghwa Telecom shall not disclose such data to a third party via exchange, lease, or any other means. In the event of cooperation with a third-party service provider, technologies such as de-identification and pseudonymization, or statistical, trend, or other forms that render de-identified results, are employed in the data exchange. Where stipulated by laws or regulations (e.g. to ensure national security, further the public interest, or prevent material harm to the rights and interests of others), Chunghwa Telecom shall provide the necessary information in accordance with the pertinent regulations. The actions taken by Chunghwa Telecom in cooperation with the government and law enforcement agencies this year are as follows:
In response to the COVID-19 pandemic and the government's epidemic prevention needs since January 26, 2020, Chunghwa Telecom acts in compliance with the “Communicable Disease Control Act” and the “Special Act for Prevention, Relief and Revitalization Measures for Severe Pneumonia with Novel Pathogens”. To advance the public interest, telecom service providers in Taiwan are obliged to provide the necessary information in line with the pertinent regulations to assist the government in enforcing the home isolation policy and preventing the spread of the disease. Under rigorous data security management, Chunghwa Telecom deletes the data and keeps no record upon case closure to safeguard the privacy of its clients.
Government or law enforcement agencies contact Chunghwa Telecom to inquire about client information for the purposes of protecting public safety and preventing crime. In compliance with the “Directions Governing Telecommunication Enterprise's Handling of Inquiries about Data of Telecommunication Users by Relevant Agencies (Institutes)” and the “Directions Governing Telecommunication Enterprise's Handling of Inquiries of Telecommunication Records by Relevant Agencies”, Chunghwa Telecom provides information to the government or law enforcement agency accordingly after a rigorous examination. The provision ratio in this regard in 2019 was 98.24%.
In addition, a “Customer Service Center” and the 24-Hour Customer Service Hotline are available, where well-trained personnel with knowledge of privacy protection regulations provide professional consulting services. Chunghwa Telecom received 4 alleged information breach cases in 2019; one was filed by the National Communications Commission (NCC) and the others over the Customer Service Hotline (9 cases fewer than in 2018, accounting for 0.0000085% of the annual service volume of the Customer Service Hotline). After investigation, all 4 cases were confirmed to involve no personal data breach.
Resources Allocated in the Cybersecurity and Privacy Protection
For years, Chunghwa Telecom has invested substantial resources in cultivating cybersecurity talent and strengthening its self-reliant cybersecurity R&D capacity. Over 100 dedicated cybersecurity personnel and cybersecurity R&D teams are allocated. Apart from regular cybersecurity and privacy protection education and training for all employees, which has reached the goal of 100% coverage, training courses on cybersecurity and privacy protection are organized for professional fields such as system management, network management, software development, cybersecurity management, penetration testing, and privacy protection. Subsidies are also available for employees to obtain external professional certifications. Over 839 international certificates have been acquired, including ISO27001 LA, CISSP, GWAPT, CEH, CHFI, ECSA, CISA, MCSA, and BS10012 LA.
Cybersecurity and Privacy Protection Incidents
The performance of cybersecurity and privacy protection risk management is tracked and managed on a monthly basis by Chunghwa Telecom's “Risk Management Committee”. Any major risk concern is reported to the Audit Committee under the Board of Directors or directly to the Board of Directors. For the major domestic security incidents over the years, Chunghwa Telecom had deployed prevention mechanisms in advance, such as disabling the Network Neighborhood (SAMBA) function, enabling AD domain security controls, and blocking APT malicious emails, and leveraged CHT SOC with threat intelligence to detect unknown threats and violations. With IOCs produced by the in-house developed threat intelligence system, CHT SOC can rapidly track and check the impact of external threats. Up to 2019, Chunghwa Telecom's businesses have not suffered any impact from a cybersecurity or privacy breach, nor has it received any punishment or fine arising from such impact.
** Dedicated Cybersecurity Management Department in Chunghwa Telecom: Cyber Security Department
** For more information on “Cybersecurity and Privacy Protection” at Chunghwa Telecom, kindly refer to pp. 114-116 of the 2019 Annual Report.
** Should you have any concern over our privacy protection or issues with the collection, processing, or use of personal data, kindly contact us via the 24-Hour Customer Service Hotline.