Taiwan FSC Mandates CISOs for Large Insurers to Bolster Cybersecurity Resilience

2026.6.17

In view of the accelerating pace of digital transformation in the insurance sector and the increasingly severe external information security threats, Taiwan’s Financial Supervisory Commission (the “FSC”) has officially promulgated amendments to the “Implementation Rules of the Internal Control and Audit System of Insurance Enterprises.” The primary objective of the amendments is to enhance the cybersecurity resilience of the insurance industry and to require insurers of a certain scale to establish more rigorous internal control mechanisms, so as to safeguard their competitiveness and operational stability in the digital environment.

Under the amended provisions, the FSC has expanded the scope of entities required to appoint a Chief Information Security Officer (CISO) and to establish an independent, dedicated information security unit. Specifically, insurance companies whose total assets, as audited and certified by a certified public accountant in the preceding year, reach NT$300 billion or more, or whose annual premium income from online insurance reaches NT$500 million, must appoint a CISO and set up a dedicated information security unit in accordance with the law. The amendments also clearly define the authority and responsibilities of the CISO and the dedicated unit, and newly require information-related personnel to complete a fixed number of professional training hours each year, taking a two-pronged approach addressing both organizational structure and talent development.

Taking into account that insurers need sufficient time for organizational restructuring and talent recruitment, the FSC has included a transitional provision in the amendments, granting a grace period within which affected companies may complete the relevant adjustments by December 31, 2027 (the 116th year of the Republic of China). This reflects the high importance that the competent authority attaches to financial cybersecurity governance; going forward, large insurers will face more stringent information security management responsibilities as they advance their digital transformation.