
Taiwan Financial Supervisory Commission Announced “Financial Operational Resilience on Cybersecurity Ecosystem Blueprint”



Taiwan’s Financial Supervisory Commission (“FSC”), in line with national policies and to ensure uninterrupted operation of the financial system, issued the “Financial Operational Resilience on Cybersecurity Ecosystem Blueprint” (“Blueprint”) on December 30, 2025, aiming to strengthen the cybersecurity protection capabilities and operational resilience of the financial industry. The Blueprint sets out 29 measures, which the FSC has summarized into ten key points. These key points are outlined as follows:
 
1. Strengthen executive-level cybersecurity governance functions and accountability mechanisms and encourage the adaptation of cybersecurity regulations: The FSC will continue to promote enhancing board-level cybersecurity oversight in financial institutions and strengthen the responsibilities and authority of chief information security officers (“CISOs”). The goal is to establish a robust governance framework that entails clear accountability, authority for decision-making, and resources, strengthen the accountability chain, ensure decision-making independence, and enhance the flexibility and resilience of cybersecurity governance. Meanwhile, the Blueprint also encourages adaptive regulatory updates to, among others, empower CISOs with the flexibility to implement relevant control measures, thereby making cybersecurity governance more flexible and effective.
 
2. Enhance cybersecurity talent development and exchanges, moving from a common baseline to reach strategic goals: The FSC will encourage financial institutions to conduct talent gap analyses to ensure adequate staffing. The FSC will organize forums and workshops to foster knowledge sharing and technical skills enhancement in cybersecurity. Furthermore, the Blueprint will guide financial institutions from a compliance-oriented approach to a goal-oriented one, and establish a supervisory framework that is measurable, scalable, and differentiable.
 
3. Shift-left security and secure by design: This initiative encourages financial institutions to move security testing to an earlier stage of the development phase. The Blueprint promotes the adoption of DevSecOps to integrate security into the entire software development lifecycle. It also requires the production of a Software Bill of Materials (“SBOM”) and the establishment of mechanisms for vulnerability monitoring and version updates. Additionally, the FSC will develop security standards for application programming interfaces (APIs) to fortify their defenses.
 
4. Promote zero-trust architecture to elevate cybersecurity defense baselines: The FSC will continue to promote the “Reference Guide for the Financial Industry’s Adoption of Zero Trust Architecture” as previously announced, starting with high-risk areas. It will also survey implementation progress.
 
5. Ensure the greater effectiveness of cybersecurity monitoring and protection measures: The FSC will continue to encourage the establishment of security operations centers (“SOC”) and the development and expansion of cybersecurity monitoring and configuration baselines to include cloud environments, and financial institutions will be encouraged to regularly validate the effectiveness of their security deployments.
 
6. Deploy early to address the challenges of emerging technologies: The FSC will develop reference guidelines for AI systems security and testing, covering both traditional threats and AI-specific attack vectors. The FSC will also develop a “Post-Quantum Cryptography Migration Reference Guide” to help the financial industry prepare for this technological shift.
 
7. Enhance supply chain cybersecurity to fortify the financial ecosystem: The Blueprint will establish a tiered classification system for third-party vendors based on industry characteristics, the vendor’s level of access to information and communications systems, and data sensitivity. Based on this system, the FSC will develop reference clauses for outsourcing contracts that clearly delineate cybersecurity responsibilities. Financial institutions will be encouraged to establish supply chain risk assessment mechanisms and collaborate with key suppliers to share threat intelligence and conduct joint security drills.
 
8. Strengthen cybersecurity intelligence analysis and collaborative defense: The Blueprint aims to enhance the automated intelligence sharing and analysis capabilities of the Financial-Information Sharing and Analysis Center (“F-ISAC”). This includes revising incentive programs on intelligence sharing, establishing a vulnerability disclosure and response channel, and furthering international cooperation to improve cross-border incident response.
 
9. Conduct cybersecurity offensive and defensive drills to enhance incident response capabilities: The FSC will continue to conduct cybersecurity attack and defense exercises. Major cybersecurity incident response scenario exercises will also be conducted to test and validate the coordination, communication, and support mechanisms linking financial institutions, F-ISAC, and other components of the joint defense system.
 
10. Reinforce multi-layered backup mechanisms to ensure availability of critical financial services: The Blueprint will promote the adoption of multi-layered backup architecture and require regular testing and drills to ensure failover capabilities. Financial institutions must also assess the disaster recovery and backup capabilities of their critical supply chain partners, integrating them into their own backup and drill planning.

 

In the era of artificial intelligence (AI) and digitalization, cyber risks to financial institutions are accelerating rapidly, making cybersecurity a top priority. It is expected that cybersecurity-related regulations and policies in the financial industry will continue to evolve, and industry participants should closely monitor relevant developments. 
