Governance and Innovation
Information Security and Privacy Protection

Information Security Governance

Nan Shan Life has appointed a Vice President-level senior executive with practical experience in information and cybersecurity to serve as the Chief Information Security Officer (CISO), who is responsible for overseeing the promotion of information security policies and resource coordination.

The CISO reports quarterly on the overall execution of information security to the Risk Management Committee under the Board of Directors, and compiles an annual report in the first quarter of each year summarizing the previous year’s performance. This report is jointly reviewed by the Chairman, President, Chief Auditor, CISO, and Compliance Officer and issued as a Statement on the Internal Control System, which is then submitted to the Board of Directors for approval.

Information Security Management

Nan Shan Life has established an Information Security Policy approved at the Board level. The policy is based on international standards such as ISO 27001 and incorporates internal business needs and regulatory requirements to ensure the confidentiality, integrity, and availability of information assets. It is implemented following the "Plan-Do-Check-Act" (PDCA) cycle so that the effectiveness of the management system is continuously improved.

Personal Data Protection

BS 10012:2017 Compliance and Enhanced Data Protection Network

To verify the effectiveness of its personal data management cycle, Nan Shan conducts annual activities including personal data inventory, personal data risk assessments, and self-evaluations of data protection operations. Nan Shan compiles and prepares an Annual Self Assessment Report on Personal Data Protection Management based on the results. The 2024 risk assessment results indicated that Nan Shan Life and NSGI both comply with applicable personal data protection laws and management standards.

Outsourced Personal Data Management

When outsourcing the collection, processing, or use of personal data to third parties, Nan Shan Life imposes strict requirements on the commissioned parties to comply with relevant laws and confidentiality agreements concerning personal data. Regular supervision and management are conducted to protect the rights of data subjects and to fulfill the Company’s responsibility for data protection.
To further safeguard clients’ personal data and privacy, Nan Shan Life exercises caution in managing client information and proactively informs clients of their rights, obligations, and the purposes of data usage. For detailed information, please refer to the Company’s Privacy Policy Statement and Client Data Sharing and Privacy Policy. In 2024, no incidents at Nan Shan were identified as material personal data breaches or information security events.

Personal Data Protection Training and Annual Management Overview

Nan Shan is committed to embedding the principles of personal data protection into its corporate culture and daily operations. Personal data protection has been designated a mandatory training topic for all employees at Nan Shan Life. Through our e-learning platform and online video courses, we continuously promote awareness and education on data protection. In 2024, Nan Shan conducted a series of training programs, including Basic Personal Data Protection Training, Advanced Personal Data Protection Training, Personal Data Inventory Training, and Personal Information Management System (PIMS) Certification Training, to strengthen employees’ awareness of personal data protection risks.

Personal Data Protection Training Execution Status