As cryptocurrency policies gradually open up, Taiwan’s Financial Supervisory Commission (FSC) has continued to strengthen cybersecurity governance. Following the rollout of the Financial Cybersecurity Action Plan 2.0 in 2022, the FSC issued Zero Trust Architecture (ZTA) reference guidelines for the financial sector at the end of last year, encouraging financial institutions to adopt a zero-trust mindset to enhance security defenses. At the same time, major cloud service providers (CSPs) such as AWS have established local data centers in Taiwan. Both public and private financial institutions are accelerating their cloud adoption journeys, making security and risk control core strategic assets for safeguarding trust and competitiveness.
However, while large-scale cloud adoption brings efficiency and flexibility, it also introduces new challenges. How to effectively implement data governance, ensure regulatory compliance and data security, and establish sufficient defense mechanisms against increasingly complex cyberattacks has become the top priority for financial institutions after migrating to the cloud.
Rising Challenges in Cloud Adoption: Compliance and Security as Core Priorities
As financial institutions move to the cloud, cost efficiency and flexibility rise significantly, creating opportunities for innovative services. Yet, once core operations and sensitive data migrate to the cloud, compliance and security issues become more critical.
To meet the FSC’s increasingly strict regulatory requirements, institutions must ensure that cloud data storage, processing, and transmission comply with regulations—covering data localization, privacy protection, and auditability. Traditional security frameworks can no longer cope with the dynamic nature of the cloud, making multi-factor authentication, zero trust architecture, and multi-cloud backup with data encryption new areas of focus.
The FSC’s Financial Cybersecurity Action Plan 2.0 further mandates enhanced resilience and protection of core operations. The policy covers both traditional financial services and virtual assets, underscoring the need to embed cybersecurity considerations into system design from the start and to establish governance frameworks that enable continuous monitoring and rapid response.
Practical Guide: Three Key Pillars of Data Governance and Risk Control in Cloud Adoption
Migrating to the cloud is not just a technical shift but also a mindset transformation. With highly sensitive data such as customer identities, asset details, and transaction records at stake, implementing effective data governance and compliance has become the foremost task. To build a strong security foundation in the cloud, financial institutions can focus on three key areas:
Cloud Data Governance: The Foundation of Compliance
With tools such as AWS Glue and AWS Lake Formation, institutions can automate data classification, encryption, and access control, ensuring that every piece of data is traceable and auditable.
Zero Trust Architecture: Securing Every Access Request
With the rise of generative AI-driven threats, every access request in the cloud must be verified. Zero Trust has become more critical than ever, leveraging continuous authentication and monitoring to reduce risk and strengthen defense. Financial institutions can use AWS IAM and AWS WAF to implement zero trust frameworks, preventing unauthorized access and mitigating insider risks.
Multi-Cloud Backup and Disaster Recovery: Strengthening Resilience
By deploying backups across different cloud providers and regions, institutions can reduce single points of failure, enhance business continuity, and comply with the FSC’s requirements for resilience and risk management under Cybersecurity Action Plan 2.0.
Next-Generation Cloud Risk Control: Threshold Encryption and MPC
As digital assets become more prevalent, cybersecurity faces new challenges. Traditional encryption protects data but is vulnerable to single points of failure in key management—if a single key is compromised, all encrypted data is at risk. To address this, next-generation threshold encryption has emerged, splitting keys into multiple parts stored separately to eliminate single points of failure and safeguard critical information.
| Technology | Operation Mode | Security | Application Scenarios | Compliance |
| --- | --- | --- | --- | --- |
| Traditional Encryption | Uses a single key for encryption and decryption | Single key failure or leakage creates risks | General applications, low-sensitivity data | More difficult to meet higher-level financial regulatory requirements |
| Threshold/Shared Encryption | Splits the key into multiple parts, requiring multiple parties to jointly reconstruct | Eliminates single point of failure, enhances security strength | Financial transactions, digital asset custody | Better aligned with financial security and legal compliance requirements |
MPC (Multi-Party Computation) is an advanced form of threshold encryption that enables multiple parties to jointly compute results without revealing their original data—holding vast potential in financial applications:
- Digital Asset Custody: Private keys can be split across multiple entities to minimize single-point risks.
- Transaction Verification: Multiple institutions can jointly verify cross-institution transactions without disclosing customer data.
- Regulatory Audits: Regulators can perform efficient audits without accessing raw data, balancing compliance with data security.
Under the FSC’s Cybersecurity Action Plan 2.0, banks including CTBC, KGI, and Union Bank have already implemented MPC and threshold encryption in their pilot digital asset custody services and transaction verification processes.
Threshold encryption is a crucial technical component of cloud security architecture, while Cloud Storage Security solutions integrate multiple components into an automated security management platform. Beyond encryption, such platforms deliver scalability, efficiency, and stronger compliance alignment—helping financial institutions embrace cloud flexibility without compromising on the highest standards of cybersecurity and regulatory compliance.
Beyond Cloud Migration: Nextlink Driving Secure Transformation for Finance
Facing new challenges in data governance and risk control, Nextlink leverages deep cloud expertise and a dedicated cybersecurity team to help leading financial and insurance institutions, as well as public sector organizations, adopt AWS cloud services—enabling innovation while ensuring compliance with strict regulations.
From foundational architecture design and deployment to advanced governance and security monitoring, Nextlink delivers end-to-end solutions to help clients build FSC-compliant cloud security frameworks. With extensive industry experience and technical depth, Nextlink enables organizations to move forward confidently, balancing regulatory compliance, security, innovation, and operational efficiency.
Contact us to co-create a more resilient and trusted financial service environment—where your institution can fully harness the flexibility and efficiency of the cloud while safeguarding compliance and data security.