The financial services industry has demanding requirements for the stability and data security of information systems. In order to ensure the privacy and security of client data, Noah has established a professional information security team and released
the Noah Data Security Regulations, Noah Information Security Principles and Policies, Punitive Measures for Information Security Violations in Noah, Privacy Policy and other policies and administrative documents, explicitly specifying
the details of operation-related information security, scope of use of client's confidential data (such as contacts and ID number), as well as the management process for obtaining, transmitting, archiving, and destroying such information,
for the purpose of ensuring operational service information security.
For information security related content in the information system, all software design and development should conform to Noah's Web Application Security Baseline v3.1 guideline. For identity authentication and access control, session and content management, data encryption and shielding, anti-phishing and code quality control, multi-level security design should be applied.
For information security related content in the information system, all software design and development should conform to Noah's Web Application Security Baseline v3.1 guideline. For identity authentication and access control, session and content management, data encryption and shielding, anti-phishing and code quality control, multi-level security design should be applied.
Attestation Report of the Independent Registered Public Accounting Firm
Opinion on Internal Control over Financial Reporting
Opinion on Internal Control over Financial Reporting
We have audited the internal control over financial reporting of Noah Holdings Limited and its subsidiaries and consolidated variable interest entity (the “Group”) as of December 31,2018,based on criteria established in internal Control—Integrated Framework(2013)
issued by the Committee of Sponsoring Organizations of the Treadway Commission(COSO).In our opinion,the Group maintained,in all material respects,effective internal control over financial reporting as of December 31,2018,based on criteria
established in Internal Control—Integrated Framework (2013) issued by COSO.
For information related to the audit on Noah Holdings based on the Sarbanes-Oxley Act, please refer to our corporate annual report.
To ensure the privacy and security of client data, Noah has built a professional information security team and introduced and obtained ISO 27001 and ISO 29151 certifications. Furthermore, Noah carries out strict control over client privacy information and ensures client data security to meet the requirements of the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations on the protection of personal information.
In 2021, Noah has completed the extraordinary self-examination of privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for four client-oriented APPs (Fund Smile, WeNoah, iNoah, and Olive Master), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed nine updates of the versions thereof. At the same time, the function of clients’ online application for account cancellation and the function of the separate pop-up window to request clients’ authorization before collection of face-sensitive information have been newly added to the relevant Apps to meet the privacy protection requirements.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, in internal benchmarking analysis based on the Company’s actual situation, relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
In 2021, Noah has completed the extraordinary self-examination of privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for four client-oriented APPs (Fund Smile, WeNoah, iNoah, and Olive Master), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed nine updates of the versions thereof. At the same time, the function of clients’ online application for account cancellation and the function of the separate pop-up window to request clients’ authorization before collection of face-sensitive information have been newly added to the relevant Apps to meet the privacy protection requirements.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, in internal benchmarking analysis based on the Company’s actual situation, relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
Noah Privacy and Data Security Protection Mechanism
Category
Policies/Mechanisms
Description
Policies
Noah Information Security Principles and Policies
Privacy Policy
Privacy Policy
• Standardize the use of clients’ private information (such as contact information and ID numbers) collected in the process of operation
Measures
Noah Data Security Regulations
Noah Sensitive Information Management Specification
Noah Sensitive Information Management Specification
• Standardize the management procedures for the acquisition, transmission, filing, and destruction of such information
• Standardize the requirements for encryption and desensitization of sensitive information
• Standardize the requirements for encryption and desensitization of sensitive information
Management system
ISO 27001 Certification: Information Security Management Systems
ISO 29151 Certification: Guide to the Protection of Personal Identity Information
ISO 29151 Certification: Guide to the Protection of Personal Identity Information
• The obtainment of ISO 27001 certification to guarantee Noah’s reliability in the field of information security and reduce the risk of disclosure
• The obtainment of ISO 29151 certification to clarify Noah’s privacy protection policy and enhanced privacy control measures
• The obtainment of ISO 29151 certification to clarify Noah’s privacy protection policy and enhanced privacy control measures
Management Mechanisms
Online business scenarios using clients’ privacy information
• Deployment of Web application firewall, network firewall, host intrusion detection, and other security protection systems
• Continuous monitoring and real-time early warning for cyber-attacks are implemented using encrypted transmission of client information
• Monitoring and auditing of abnormal operations relating to client data security are implemented using a database security audit system
• Centralized and rapid processing of cyber-security risks by Group Security and Operation Team
• Continuous monitoring and real-time early warning for cyber-attacks are implemented using encrypted transmission of client information
• Monitoring and auditing of abnormal operations relating to client data security are implemented using a database security audit system
• Centralized and rapid processing of cyber-security risks by Group Security and Operation Team
View policy details
View Noah Upright Privacy Policy
View WeNoah Privacy Policy
ISO 27001 & 29151 Certifications Obtained by Noah
In order to further solidify internal and client information security, Noah in 2018 commenced on a journey for and in
2020 succeeded in the obtainment of ISO 27001 information security management system certification and ISO 29151 code
of practice for personally identifiable information protection certification. These efforts help bolster Noah's
reliability in information security, reduce the risk of sensitive information leakage and augment the protection of
key data. Noah's client and internal data protection mechanisms have become more systematic and comprehensive, with
a more defined privacy protection strategy and better reinforced privacy protection measures.
In 2022, Noah continuously updated and improved privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for three client-oriented APPs (Fund Smile, WeNoah, and iNoah), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed five updates of the versions thereof. At the same time, we hired third-party professional testing institutions to test and evaluate the security of privacy policies.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, an internal benchmarking analysis was conducted based on the actual situation of the company and a risk analysis report was provided to the management. Relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
Through a four-stage endeavor (analysis, realization, operation and verification), Noah identified and assessed existing and potential risks, formulated corresponding risk management plans, and completed the establishment of its information security management system and processes. External evaluation and non-conformance rectification were completed in September 2020, while the Noah Upright Fund Sales Co., Ltd. - Science and Technology Center successfully obtained ISO 27001 and ISO 29151 certifications issued by the accredited certification body DNV. The certification body evaluates Noah's information security management system compliance every year.
Noah demonstrates to clients, competitors, suppliers, employees and investors our commitment to information security through the obtainment of ISO 27001 and ISO 29151 certifications. In the future, we will regularly monitor the evaluation process, and ensure continual supervision and improvement in the organization's information system, so that clients and stakeholders alike can truly feel at ease because of our commitment to information security.
In 2022, Noah continuously updated and improved privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for three client-oriented APPs (Fund Smile, WeNoah, and iNoah), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed five updates of the versions thereof. At the same time, we hired third-party professional testing institutions to test and evaluate the security of privacy policies.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, an internal benchmarking analysis was conducted based on the actual situation of the company and a risk analysis report was provided to the management. Relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
Through a four-stage endeavor (analysis, realization, operation and verification), Noah identified and assessed existing and potential risks, formulated corresponding risk management plans, and completed the establishment of its information security management system and processes. External evaluation and non-conformance rectification were completed in September 2020, while the Noah Upright Fund Sales Co., Ltd. - Science and Technology Center successfully obtained ISO 27001 and ISO 29151 certifications issued by the accredited certification body DNV. The certification body evaluates Noah's information security management system compliance every year.
Noah demonstrates to clients, competitors, suppliers, employees and investors our commitment to information security through the obtainment of ISO 27001 and ISO 29151 certifications. In the future, we will regularly monitor the evaluation process, and ensure continual supervision and improvement in the organization's information system, so that clients and stakeholders alike can truly feel at ease because of our commitment to information security.
Classified Protection of Cybersecurity Project
To meet the requirements of national laws and regulations such as the Cybersecurity Law of the People’s Republic of China and the Measures for the Regulation of Informatization Work of Insurance Intermediaries issued by the China Banking and Insurance Regulatory Commission, Noah keeps enhancing its control over cybersecurity and data security. In 2020, Noah invited external professional evaluation agencies to conduct a series of consulting and evaluation work for Noah Glory insurance brokerage system, Noah Upright’s official website, and private equity core trading systems.
Glory insurance brokerage system and private equity core trading system have successfully passed the MLPS III evaluation. In addition, Noah Upright’s official website has given the MLPS II evaluation, reaching a good level.
Glory insurance brokerage system and private equity core trading system have successfully passed the MLPS III evaluation. In addition, Noah Upright’s official website has given the MLPS II evaluation, reaching a good level.
Protection of Client Privacy and Data
Noah Upright employees must follow the principles of minimum authorization and the necessity to know when accessing clients’ private data. Suppose it is necessary to extract or disclose clients’ private data to external regulatory authorities in daily operation, prior approvals from the applicant’s supervisor, data owner, and Noah Upright’s Information Security Department shall be obtained.
• Employees must sign confidentiality agreements before employment, receive continuous training during their work, and are strictly prohibited from disclosing Noah Upright’s client information. In addition, Non-Noah Upright employees such as external consultants and technical support personnel must sign confidentiality agreements before work and may not have access to Noah Upright’s clients’ privacy information.
• Noah Upright’s Information Security Department conducts annual inspections to protect clients’ private data and punishes violations of security regulations following the Company’s management regulations; cases involving violations of law will be referred to the judicial department.
Noah has information security incident reports phone numbers, emails, and WeChat accounts for internal and external feedbacks that may involve leakage and will be filed for investigation. If Noah Upright’s reasons cause client privacy leakage, the problem will be rectified. The relevant personnel will be held responsible. In 2021, Noah has no client information leakage.
• Employees must sign confidentiality agreements before employment, receive continuous training during their work, and are strictly prohibited from disclosing Noah Upright’s client information. In addition, Non-Noah Upright employees such as external consultants and technical support personnel must sign confidentiality agreements before work and may not have access to Noah Upright’s clients’ privacy information.
• Noah Upright’s Information Security Department conducts annual inspections to protect clients’ private data and punishes violations of security regulations following the Company’s management regulations; cases involving violations of law will be referred to the judicial department.
Noah has information security incident reports phone numbers, emails, and WeChat accounts for internal and external feedbacks that may involve leakage and will be filed for investigation. If Noah Upright’s reasons cause client privacy leakage, the problem will be rectified. The relevant personnel will be held responsible. In 2021, Noah has no client information leakage.
Noah Information Security Protection Mechanism
Orientation
Protection mechanism
Internal
1)Data encryption storage: The client’s sensitive information (mobile phone, certificate number, bank card number, etc.) is encrypted and stored through the self-developed key management system to ensure the security of the client’s sensitive information.
2)Data transmission monitoring: Data anti-leakage software is installed throughout the employee to monitor clients’ sensitive information. Any outward sending copying client’s sensitive information will trigger the alarm and be punished as information security violations of regulations if confirmed.
3)Data extraction control: All extraction of client data from the system due to business needs and regulatory requirements must be approved by the Information Security Department and implemented by the information security team to control the data extraction.
2)Data transmission monitoring: Data anti-leakage software is installed throughout the employee to monitor clients’ sensitive information. Any outward sending copying client’s sensitive information will trigger the alarm and be punished as information security violations of regulations if confirmed.
3)Data extraction control: All extraction of client data from the system due to business needs and regulatory requirements must be approved by the Information Security Department and implemented by the information security team to control the data extraction.
External
1)Deploy major network security protection equipment, including firewalls, intrusion detection systems, security audit systems, etc., to effectively resist external network attacks and infiltrations.
2)Install well-known manufacturers’ antivirus software on all terminals and conduct automatic terminal scanning every day. Ensure the security of all terminal equipment. Implement system security tests regularly, invite external professional security vendors to implement security testing and evaluation, find vulnerabilities and patch them in time to ensure system security.
3)Improve suppliers’ information security management mechanism: Formulate and implement the Noah Implementation Rules for the Management of Outsourcing and Supplier’s Information Security. Before cooperating, all outsourcing suppliers must sign special confidentiality agreements and information security notices. In addition, office computers are required to install security software before connecting to Noah’s network, and the information security clauses to be included in the IT hardware and software procurement contracts are supplemented.
2)Install well-known manufacturers’ antivirus software on all terminals and conduct automatic terminal scanning every day. Ensure the security of all terminal equipment. Implement system security tests regularly, invite external professional security vendors to implement security testing and evaluation, find vulnerabilities and patch them in time to ensure system security.
3)Improve suppliers’ information security management mechanism: Formulate and implement the Noah Implementation Rules for the Management of Outsourcing and Supplier’s Information Security. Before cooperating, all outsourcing suppliers must sign special confidentiality agreements and information security notices. In addition, office computers are required to install security software before connecting to Noah’s network, and the information security clauses to be included in the IT hardware and software procurement contracts are supplemented.
Information Security Audit:
1. Conduct a quarterly information system security check, including domain account numbers, system administrator accounts, outsourcing management, weak passwords, host vulnerability scanning, security device configuration check.
2. Check the bottom line of the information security of the whole Group (including the Group and all subsidiaries) on an annual basis, including access control management, sensitive data management, change management, security assessment and testing of application systems, antivirus, network management, backup, and recovery testing, security baseline check and other contents.
3. In 2021, the Noah Public Cloud Information Security Management Requirements will be formulated. A special cloud security audit will be added to the annual inspection to help the Company identify and manage security risks faced by new technologies.
4. A rectification notice will be sent by email to the responsible unit/department for the problems identified in the quarterly and annual information security audits, requiring a clear rectification time plan. The Information Security Department will continuously track the issue to support closure.
1. Conduct a quarterly information system security check, including domain account numbers, system administrator accounts, outsourcing management, weak passwords, host vulnerability scanning, security device configuration check.
2. Check the bottom line of the information security of the whole Group (including the Group and all subsidiaries) on an annual basis, including access control management, sensitive data management, change management, security assessment and testing of application systems, antivirus, network management, backup, and recovery testing, security baseline check and other contents.
3. In 2021, the Noah Public Cloud Information Security Management Requirements will be formulated. A special cloud security audit will be added to the annual inspection to help the Company identify and manage security risks faced by new technologies.
4. A rectification notice will be sent by email to the responsible unit/department for the problems identified in the quarterly and annual information security audits, requiring a clear rectification time plan. The Information Security Department will continuously track the issue to support closure.
Information Security Training and Audit
Information Security Week is an information security awareness training that is mandatory for all Noah employees. In addition to information security education, a series of information security activities will be carried out to reinforce security awareness of all employees.
During Information Security Week 2022, a number of information security awareness and education activities were launched for all Noah employees, including Mandatory online course on information security awareness for all employee, Phishing email test, Offline security threat experience, Offline security threat experience and Information security inspection in the workplace, in order to enhance and improve employees' information security awareness. More than 500 employees participated, and workplace security inspection problems reduced by 70% compared with last year. Noah employees have established good information security awareness.
Information security awareness publicity and education activities, including:
•Mandatory online course on information security
awareness for all employees
•Phishing email test for all employees
•Offline security threat experience
•Security display board and daily security short video
•Information security inspection in the workplace
During Information Security Week 2022, a number of information security awareness and education activities were launched for all Noah employees, including Mandatory online course on information security awareness for all employee, Phishing email test, Offline security threat experience, Offline security threat experience and Information security inspection in the workplace, in order to enhance and improve employees' information security awareness. More than 500 employees participated, and workplace security inspection problems reduced by 70% compared with last year. Noah employees have established good information security awareness.
Information security awareness publicity and education activities, including:
•Mandatory online course on information security
awareness for all employees
•Phishing email test for all employees
•Offline security threat experience
•Security display board and daily security short video
•Information security inspection in the workplace
Four Categories of Information Security Education and Training Activities
Category
Item
Results 2022
Information Security Week
Information security awareness publicity and education activities, including:
• Mandatory online course on information security awareness for all employees
• Phishing email test for all employees
• Offline security threat experience
• Security display board and daily security short video
• Information security inspection in the workplace
• Mandatory online course on information security awareness for all employees
• Phishing email test for all employees
• Offline security threat experience
• Security display board and daily security short video
• Information security inspection in the workplace
• Participation of more than 500 employees
• Four offline security threat experience activities
• Reduction in workplace security inspection problems by 70% compared with last year
• Total training hours: 210
• Four offline security threat experience activities
• Reduction in workplace security inspection problems by 70% compared with last year
• Total training hours: 210
Security awareness oriented training
Security awareness oriented training on business departments and off-site outsourcers involved in client information processing
• 17 Directional security training
• Total number of participants: 2,487
• Total training hours: 1,865
• Total number of participants: 2,487
• Total training hours: 1,865
Mandatory online security awareness course
Completion of Noah Security Awareness Training Course by all employees
• Total employees: 3,393
• Total training hours: 8,314
• Total training hours: 8,314
Daily security awareness training
• Push security information to employees through WeCom, email, and WeChat public account
• Set up workplace security awareness screensaver on office computers
• Set up workplace security awareness screensaver on office computers
• Post 26 issues of security information
Organizational building of information security personnel
Establish a mechanism for information security personnel in science and technology teams:
• Monthly security training by the Information Security Department, security personnel, in turn, give internal training to employees in the department
• Security personnel are responsible for feedback on security risk incidents and security work recommendations to the Information Security Department
• All science and technology employees sign the red line list of information security violations, making the front-line employees deeply aware of security
• Select outstanding information security personnel and information security teams annually
• Monthly security training by the Information Security Department, security personnel, in turn, give internal training to employees in the department
• Security personnel are responsible for feedback on security risk incidents and security work recommendations to the Information Security Department
• All science and technology employees sign the red line list of information security violations, making the front-line employees deeply aware of security
• Select outstanding information security personnel and information security teams annually
• 12 security personnel training
• 31 science and technology information security personnel
• 178 internal security training for science and technology teams
• Total training hours 100 hours
• 31 science and technology information security personnel
• 178 internal security training for science and technology teams
• Total training hours 100 hours
Protection of Clients' Sensitive Information
To prevent the leakage of sensitive client information, Noah has developed the Sensitive Information Management Specification, which defines client-sensitive information and cooperates with a series of control measures to effectively reduce the risk of client information leakage. In addition, to meet the requirement of compliance in the sales process, Noah has deployed a WeCom archiving system to archive the dialogues of all employees of the Company and ensure that records of all conversations with clients in the WeCom are stored locally.
In addition, sensitive words shall be set up in the system, under which sales personnel are required to contact clients via WeCom. They shall not take the initiative to ask for clients’ contact information during the sales process, nor shall they make promises to clients regarding proceeds during the sales process. If any sensitive word is triggered, an automatic message warning will be sent to personnel at the security audit position and the compliance position to handle the events of violations. We successively close down the Internet access channels to reduce the Internet attack surface and risk exposure of the Company system. We also continue to implement the mobile APP security reinforcement project. As a result, the Company’s client-oriented App can complete code encryption through the security reinforcement platform to enhance APP application and data security.
In addition, Noah also carries out various emergency plan drills every year and responds to the cloud-based scenario in 2022. We have carried out disaster recovery drills for public and private equity trading systems and Inoah systems to ensure that such architecture is effective and highly available, has the capability of disaster recovery, and meets business continuity requirements.
In addition, sensitive words shall be set up in the system, under which sales personnel are required to contact clients via WeCom. They shall not take the initiative to ask for clients’ contact information during the sales process, nor shall they make promises to clients regarding proceeds during the sales process. If any sensitive word is triggered, an automatic message warning will be sent to personnel at the security audit position and the compliance position to handle the events of violations. We successively close down the Internet access channels to reduce the Internet attack surface and risk exposure of the Company system. We also continue to implement the mobile APP security reinforcement project. As a result, the Company’s client-oriented App can complete code encryption through the security reinforcement platform to enhance APP application and data security.
In addition, Noah also carries out various emergency plan drills every year and responds to the cloud-based scenario in 2022. We have carried out disaster recovery drills for public and private equity trading systems and Inoah systems to ensure that such architecture is effective and highly available, has the capability of disaster recovery, and meets business continuity requirements.
Emergency Response Plan for Data Leakage Events
In 2021, Noah formulated the Noah Emergency Plan for Client Information Leakage. According to the Plan, if any of our clients’ information disclosure is detected, the Information Security Department will uniformly organize early warning response work, launch the Emergency Plan, and determine the security level of such incidents. It will also notify the relevant business collaboration entity to handle such incidents and keep evidence. For a preeminent client information leakage event that meets the conditions for regulatory reporting, the Information Security Department and Compliance Department of the Group shall send a summary report in writing to the cybersecurity department and other regulatory authorities where the event occurs. In 2022, Noah formulated the Noah Network and Wire Fraud Emergency Plan to respond to network and wire fraud emergencies. Based on the principle of unified organization and hierarchical command, an emergency response team was formed by the Group's information security department, public affairs department, and legal department while other departments collaborated to carry out emergency response to network and wire frauds.
Cyber Security Attack and Defense Drill
The Attack and Defense Drill (ADD) is a fully simulated actual combat of attack and defense. For all domestic and foreign external businesses of the Group, more than a dozen cyberattack scenarios are simulated to test the Company’s work achievements in information security management, technical prevention and control, and security contingency stages. By virtue of the actual combat drill, the security awareness of corporate technical personnel will be enhanced, the attack and defense skills of the security department be tempered, the potential risks of information systems be disclosed, and the improvement and upgrading of information security governance be promoted.
In 2022, Noah actively participated in the Attack and Defense Drill project organized by Shanghai's Cybersecurity authorities and implemented an ADD project for one month. During the project, the defender (Blue Team) of Noah Information Security Department and science and technology operation teams successfully detected more than 10 attack nodes from inside and outside China, involving domestic operators, public cloud, Europe and the United States, Southeast Asia, etc. In the process of attack and defense, Noah’s protection mechanism successfully intercepted all external attacks at all technical levels. At the same time, in the risk assessment of the business process, the security risks in the information system were effectively identified, and all the risk items were rectified after the drill. Through this actual combat, the security team can have a clearer understanding of its shortcomings, pointing out the direction for the evolution and exploration of security governance in the technical respect.
In 2022, Noah actively participated in the Attack and Defense Drill project organized by Shanghai's Cybersecurity authorities and implemented an ADD project for one month. During the project, the defender (Blue Team) of Noah Information Security Department and science and technology operation teams successfully detected more than 10 attack nodes from inside and outside China, involving domestic operators, public cloud, Europe and the United States, Southeast Asia, etc. In the process of attack and defense, Noah’s protection mechanism successfully intercepted all external attacks at all technical levels. At the same time, in the risk assessment of the business process, the security risks in the information system were effectively identified, and all the risk items were rectified after the drill. Through this actual combat, the security team can have a clearer understanding of its shortcomings, pointing out the direction for the evolution and exploration of security governance in the technical respect.
The financial services industry has demanding requirements for the stability and data security of information systems. In order to ensure the privacy and security of client data, Noah has established a professional information security team and released
the Noah Data Security Regulations, Noah Information Security Principles and Policies, Punitive Measures for Information Security Violations in Noah, Privacy Policy and other policies and administrative documents, explicitly specifying
the details of operation-related information security, scope of use of client's confidential data (such as contacts and ID number), as well as the management process for obtaining, transmitting, archiving, and destroying such information,
for the purpose of ensuring operational service information security. For information security related content in the information system, all software design and development should conform to Noah's Web Application Security Baseline
v3.1 guideline. For identity authentication and access control, session and content management, data encryption and shielding, anti-phishing and code quality control, multi-level security design should be applied.
Attestation Report of the Independent Registered Public Accounting Firm Opinion on Internal Control over Financial Reporting
We have audited the internal control over financial reporting of Noah Holdings Limited and its subsidiaries and consolidated variable interest entity (the “Group”) as of December 31,2018,based on criteria established in
For information related to the audit on Noah Holdings based on the Sarbanes-Oxley Act, please refer to our corporate annual report.
To ensure the privacy and security of client data, Noah has built a professional information security team and introduced and obtained ISO 27001 and ISO 29151 certifications. Furthermore, Noah carries out strict control over client privacy information and ensures client data security to meet the requirements of the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations on the protection of personal information.
In 2021, Noah has completed the extraordinary self-examination of privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for four client-oriented APPs (Fund Smile, WeNoah, iNoah, and Olive Master), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed nine updates of the versions thereof. At the same time, the function of clients’ online application for account cancellation and the function of the separate pop-up window to request clients’ authorization before collection of face-sensitive information have been newly added to the relevant Apps to meet the privacy protection requirements.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, in internal benchmarking analysis based on the Company’s actual situation, relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
In 2021, Noah has completed the extraordinary self-examination of privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for four client-oriented APPs (Fund Smile, WeNoah, iNoah, and Olive Master), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed nine updates of the versions thereof. At the same time, the function of clients’ online application for account cancellation and the function of the separate pop-up window to request clients’ authorization before collection of face-sensitive information have been newly added to the relevant Apps to meet the privacy protection requirements.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, in internal benchmarking analysis based on the Company’s actual situation, relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
Noah Privacy and Data Security Protection Mechanism
Category
Policies/Mechanisms
Description
Policies
Noah Information Security Principles and Policies
Privacy Policy
Privacy Policy
• Standardize the use of clients’ private information (such as contact information and ID numbers) collected in the process of operation
Measures
Noah Data Security Regulations
Noah Sensitive Information Management Specification
Noah Sensitive Information Management Specification
• Standardize the management procedures for the acquisition, transmission, filing, and destruction of such information
• Standardize the requirements for encryption and desensitization of sensitive information
• Standardize the requirements for encryption and desensitization of sensitive information
Management system
ISO 27001 Certification: Information Security Management Systems
ISO 29151 Certification: Guide to the Protection of Personal Identity Information
ISO 29151 Certification: Guide to the Protection of Personal Identity Information
• The obtainment of ISO 27001 certification to guarantee Noah’s reliability in the field of information security and reduce the risk of disclosure
• The obtainment of ISO 29151 certification to clarify Noah’s privacy protection policy and enhanced privacy control measures
• The obtainment of ISO 29151 certification to clarify Noah’s privacy protection policy and enhanced privacy control measures
Management Mechanisms
Online business scenarios using clients’ privacy information
• Deployment of Web application firewall, network firewall, host intrusion detection, and other security protection systems
• Continuous monitoring and real-time early warning for cyber-attacks are implemented using encrypted transmission of client information
• Monitoring and auditing of abnormal operations relating to client data security are implemented using a database security audit system
• Centralized and rapid processing of cyber-security risks by Group Security and Operation Team
• Continuous monitoring and real-time early warning for cyber-attacks are implemented using encrypted transmission of client information
• Monitoring and auditing of abnormal operations relating to client data security are implemented using a database security audit system
• Centralized and rapid processing of cyber-security risks by Group Security and Operation Team
ISO 27001 & 29151 Certifications Obtained by Noah
In order to further solidify internal and client information security, Noah in 2018 commenced on a journey for and in 2020 succeeded in the obtainment of ISO 27001 information security management system certification and ISO 29151 code of practice for personally identifiable information protection certification. These efforts help bolster Noah's reliability in information security, reduce the risk of sensitive information leakage and augment the protection of key data. Noah's client and internal data protection mechanisms have become more systematic and comprehensive, with a more defined privacy protection strategy and better reinforced privacy protection measures.
In 2022, Noah continuously updated and improved privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for three client-oriented APPs (Fund Smile, WeNoah, and iNoah), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed five updates of the versions thereof. At the same time, we hired third-party professional testing institutions to test and evaluate the security of privacy policies.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, an internal benchmarking analysis was conducted based on the actual situation of the company and a risk analysis report was provided to the management. Relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
Through a four-stage endeavor (analysis, realization, operation and verification), Noah identified and assessed existing and potential risks, formulated corresponding risk management plans, and completed the establishment of its information security management system and processes. External evaluation and non-conformance rectification were completed in September 2020, while the Noah Upright Fund Sales Co., Ltd. - Science and Technology Center successfully obtained ISO 27001 and ISO 29151 certifications issued by the accredited certification body DNV. The certification body evaluates Noah's information security management system compliance every year.
Noah demonstrates to clients, competitors, suppliers, employees and investors our commitment to information security through the obtainment of ISO 27001 and ISO 29151 certifications. In the future, we will regularly monitor the evaluation process, and ensure continual supervision and improvement in the organization's information system, so that clients and stakeholders alike can truly feel at ease because of our commitment to information security.
In 2022, Noah continuously updated and improved privacy protection following the relevant national laws and regulations on privacy protection and has set privacy policies for three client-oriented APPs (Fund Smile, WeNoah, and iNoah), the WeChat public account of Glory Insurance and the WeChat mini-program of Enoch Education. Moreover, Noah has completed five updates of the versions thereof. At the same time, we hired third-party professional testing institutions to test and evaluate the security of privacy policies.
In addition, to comply with the requirements of the Data Security Law, Personal Information Protection Law, and other laws and regulations, an internal benchmarking analysis was conducted based on the actual situation of the company and a risk analysis report was provided to the management. Relevant internal management rules of the Company were updated to ensure compliance and effective protection of clients’ personal information.
Through a four-stage endeavor (analysis, realization, operation and verification), Noah identified and assessed existing and potential risks, formulated corresponding risk management plans, and completed the establishment of its information security management system and processes. External evaluation and non-conformance rectification were completed in September 2020, while the Noah Upright Fund Sales Co., Ltd. - Science and Technology Center successfully obtained ISO 27001 and ISO 29151 certifications issued by the accredited certification body DNV. The certification body evaluates Noah's information security management system compliance every year.
Noah demonstrates to clients, competitors, suppliers, employees and investors our commitment to information security through the obtainment of ISO 27001 and ISO 29151 certifications. In the future, we will regularly monitor the evaluation process, and ensure continual supervision and improvement in the organization's information system, so that clients and stakeholders alike can truly feel at ease because of our commitment to information security.
Classified Protection of Cybersecurity Project
To meet the requirements of national laws and regulations such as the Cybersecurity Law of the People’s Republic of China and the Measures for the Regulation of Informatization Work of Insurance Intermediaries issued by the China Banking and Insurance Regulatory Commission, Noah keeps enhancing its control over cybersecurity and data security. In 2020, Noah invited external professional evaluation agencies to conduct a series of consulting and evaluation work for Noah Glory insurance brokerage system, Noah Upright’s official website, and private equity core trading systems.
Glory insurance brokerage system and private equity core trading system have successfully passed the MLPS III evaluation. In addition, Noah Upright’s official website has given the MLPS II evaluation, reaching a good level.
Glory insurance brokerage system and private equity core trading system have successfully passed the MLPS III evaluation. In addition, Noah Upright’s official website has given the MLPS II evaluation, reaching a good level.
Protection of Client Privacy and Data
Noah Upright employees must follow the principles of minimum authorization and the necessity to know when accessing clients’ private data. Suppose it is necessary to extract or disclose clients’ private data to external regulatory authorities in daily operation, prior approvals from the applicant’s supervisor, data owner, and Noah Upright’s Information Security Department shall be obtained.
Employees must sign confidentiality agreements before employment, receive continuous training during their work, and are strictly prohibited from disclosing Noah Upright’s client information. In addition, Non-Noah Upright employees such as external consultants and technical support personnel must sign confidentiality agreements before work and may not have access to Noah Upright’s clients’ privacy information.
Noah Upright’s Information Security Department conducts annual inspections to protect clients’ private data and punishes violations of security regulations following the Company’s management regulations; cases involving violations of law will be referred to the judicial department.
Noah has information security incident reports phone numbers, emails, and WeChat accounts for internal and external feedbacks that may involve leakage and will be filed for investigation. If Noah Upright’s reasons cause client privacy leakage, the problem will be rectified. The relevant personnel will be held responsible. In 2021, Noah has no client information leakage.
Employees must sign confidentiality agreements before employment, receive continuous training during their work, and are strictly prohibited from disclosing Noah Upright’s client information. In addition, Non-Noah Upright employees such as external consultants and technical support personnel must sign confidentiality agreements before work and may not have access to Noah Upright’s clients’ privacy information.
Noah Upright’s Information Security Department conducts annual inspections to protect clients’ private data and punishes violations of security regulations following the Company’s management regulations; cases involving violations of law will be referred to the judicial department.
Noah has information security incident reports phone numbers, emails, and WeChat accounts for internal and external feedbacks that may involve leakage and will be filed for investigation. If Noah Upright’s reasons cause client privacy leakage, the problem will be rectified. The relevant personnel will be held responsible. In 2021, Noah has no client information leakage.
Noah Information Security Protection Mechanism
Orientation
Protection Mechanism
Internal
1)Data encryption storage: The client’s sensitive information (mobile phone, certificate number, bank card number, etc.) is encrypted and stored through the self-developed key management system to ensure the security of the client’s sensitive information.
2)Data transmission monitoring: Data anti-leakage software is installed throughout the employee to monitor clients’ sensitive information. Any outward sending copying client’s sensitive information will trigger the alarm and be punished as information security violations of regulations if confirmed.
3)Data extraction control: All extraction of client data from the system due to business needs and regulatory requirements must be approved by the Information Security Department and implemented by the information security team to control the data extraction.
2)Data transmission monitoring: Data anti-leakage software is installed throughout the employee to monitor clients’ sensitive information. Any outward sending copying client’s sensitive information will trigger the alarm and be punished as information security violations of regulations if confirmed.
3)Data extraction control: All extraction of client data from the system due to business needs and regulatory requirements must be approved by the Information Security Department and implemented by the information security team to control the data extraction.
External
1)Deploy major network security protection equipment, including firewalls, intrusion detection systems, security audit systems, etc., to effectively resist external network attacks and infiltrations.
2)Install well-known manufacturers’ antivirus software on all terminals and conduct automatic terminal scanning every day. Ensure the security of all terminal equipment. Implement system security tests regularly, invite external professional security vendors to implement security testing and evaluation, find vulnerabilities and patch them in time to ensure system security.
3)Improve suppliers’ information security management mechanism: Formulate and implement the Noah Implementation Rules for the Management of Outsourcing and Supplier’s Information Security. Before cooperating, all outsourcing suppliers must sign special confidentiality agreements and information security notices. In addition, office computers are required to install security software before connecting to Noah’s network, and the information security clauses to be included in the IT hardware and software procurement contracts are supplemented.
2)Install well-known manufacturers’ antivirus software on all terminals and conduct automatic terminal scanning every day. Ensure the security of all terminal equipment. Implement system security tests regularly, invite external professional security vendors to implement security testing and evaluation, find vulnerabilities and patch them in time to ensure system security.
3)Improve suppliers’ information security management mechanism: Formulate and implement the Noah Implementation Rules for the Management of Outsourcing and Supplier’s Information Security. Before cooperating, all outsourcing suppliers must sign special confidentiality agreements and information security notices. In addition, office computers are required to install security software before connecting to Noah’s network, and the information security clauses to be included in the IT hardware and software procurement contracts are supplemented.
Information Security Audit:
1. Conduct a quarterly information system security check, including domain account numbers, system administrator accounts, outsourcing management, weak passwords, host vulnerability scanning, security device configuration check.
2. Check the bottom line of the information security of the whole Group (including the Group and all subsidiaries) on an annual basis, including access control management, sensitive data management, change management, security assessment and testing of application systems, antivirus, network management, backup, and recovery testing, security baseline check and other contents.
3. In 2021, the Noah Public Cloud Information Security Management Requirements will be formulated. A special cloud security audit will be added to the annual inspection to help the Company identify and manage security risks faced by new technologies.
4. A rectification notice will be sent by email to the responsible unit/department for the problems identified in the quarterly and annual information security audits, requiring a clear rectification time plan. The Information Security Department will continuously track the issue to support closure.
1. Conduct a quarterly information system security check, including domain account numbers, system administrator accounts, outsourcing management, weak passwords, host vulnerability scanning, security device configuration check.
2. Check the bottom line of the information security of the whole Group (including the Group and all subsidiaries) on an annual basis, including access control management, sensitive data management, change management, security assessment and testing of application systems, antivirus, network management, backup, and recovery testing, security baseline check and other contents.
3. In 2021, the Noah Public Cloud Information Security Management Requirements will be formulated. A special cloud security audit will be added to the annual inspection to help the Company identify and manage security risks faced by new technologies.
4. A rectification notice will be sent by email to the responsible unit/department for the problems identified in the quarterly and annual information security audits, requiring a clear rectification time plan. The Information Security Department will continuously track the issue to support closure.
Information Security Training and Audit
Information Security Week is an information security awareness training that is mandatory for all Noah employees. In addition to information security education, a series of information security activities will be carried out to reinforce security awareness of all employees.
During Information Security Week 2022, a number of information security awareness and education activities were launched for all Noah employees, including Mandatory online course on information security awareness for all employee, Phishing email test, Offline security threat experience, Offline security threat experience and Information security inspection in the workplace, in order to enhance and improve employees' information security awareness. More than 500 employees participated, and workplace security inspection problems reduced by 70% compared with last year. Noah employees have established good information security awareness.
Information security awareness publicity and education activities, including:
•Mandatory online course on information security
awareness for all employees
•Phishing email test for all employees
•Offline security threat experience
•Security display board and daily security short video
•Information security inspection in the workplace
During Information Security Week 2022, a number of information security awareness and education activities were launched for all Noah employees, including Mandatory online course on information security awareness for all employee, Phishing email test, Offline security threat experience, Offline security threat experience and Information security inspection in the workplace, in order to enhance and improve employees' information security awareness. More than 500 employees participated, and workplace security inspection problems reduced by 70% compared with last year. Noah employees have established good information security awareness.
Information security awareness publicity and education activities, including:
•Mandatory online course on information security
awareness for all employees
•Phishing email test for all employees
•Offline security threat experience
•Security display board and daily security short video
•Information security inspection in the workplace
Four Categories of Information Security Education and Training Activities
Category
Item
Results 2022
Information Security Week
Information security awareness publicity and education activities, including:
• Mandatory online course on information security awareness for all employees
• Phishing email test for all employees
• Offline security threat experience
• Security display board and daily security short video
• Information security inspection in the workplace
• Mandatory online course on information security awareness for all employees
• Phishing email test for all employees
• Offline security threat experience
• Security display board and daily security short video
• Information security inspection in the workplace
• Participation of more than 500 employees
• Four offline security threat experience activities
• Reduction in workplace security inspection problems by 70% compared with last year
• Total training hours: 210
• Four offline security threat experience activities
• Reduction in workplace security inspection problems by 70% compared with last year
• Total training hours: 210
Security awareness oriented training
Security awareness oriented training on business departments and off-site outsourcers involved in client information processing
• 17 Directional security training
• Total number of participants: 2,487
• Total training hours: 1,865
• Total number of participants: 2,487
• Total training hours: 1,865
Mandatory online security awareness course
Completion of Noah Security Awareness Training Course by all employees
• Total employees: 3,393
• Total training hours 8,314
• Total training hours 8,314
Daily security awareness training
• Push security information to employees through WeCom, email, and WeChat public account
• Set up workplace security awareness screensaver on office computers
• Set up workplace security awareness screensaver on office computers
Post 26 issues of security information
Organizational building of information security personnel
Establish a mechanism for information security personnel in science and technology teams:
• Monthly security training by the Information Security Department, security personnel, in turn, give internal training to employees in the department
• Security personnel are responsible for feedback on security risk incidents and security work recommendations to the Information Security Department
• All science and technology employees sign the red line list of information security violations, making the front-line employees deeply aware of security
• Select outstanding information security personnel and information security teams annually
• Monthly security training by the Information Security Department, security personnel, in turn, give internal training to employees in the department
• Security personnel are responsible for feedback on security risk incidents and security work recommendations to the Information Security Department
• All science and technology employees sign the red line list of information security violations, making the front-line employees deeply aware of security
• Select outstanding information security personnel and information security teams annually
• 12 security personnel training
• 31 science and technology information security personnel
• 178 internal security training for science and technology teams
• training hours: 100 hours
• 31 science and technology information security personnel
• 178 internal security training for science and technology teams
• training hours: 100 hours
Protection of Clients’ Sensitive Information
To prevent the leakage of sensitive client information, Noah has developed the Sensitive Information Management Specification, which defines client-sensitive information and cooperates with a series of control measures to effectively reduce the risk of client information leakage. In addition, to meet the requirement of compliance in the sales process, Noah has deployed a WeCom archiving system to archive the dialogues of all employees of the Company and ensure that records of all conversations with clients in the WeCom are stored locally.
In addition, sensitive words shall be set up in the system, under which sales personnel are required to contact clients via WeCom. They shall not take the initiative to ask for clients’ contact information during the sales process, nor shall they make promises to clients regarding proceeds during the sales process. If any sensitive word is triggered, an automatic message warning will be sent to personnel at the security audit position and the compliance position to handle the events of violations. We successively close down the Internet access channels to reduce the Internet attack surface and risk exposure of the Company system. We also continue to implement the mobile APP security reinforcement project. As a result, the Company’s client-oriented App can complete code encryption through the security reinforcement platform to enhance APP application and data security.
In addition, Noah also carries out various emergency plan drills every year and responds to the cloud-based scenario in 2022. We have carried out disaster recovery drills for public and private equity trading systems and Inoah systems to ensure that such architecture is effective and highly available, has the capability of disaster recovery, and meets business continuity requirements.
In addition, sensitive words shall be set up in the system, under which sales personnel are required to contact clients via WeCom. They shall not take the initiative to ask for clients’ contact information during the sales process, nor shall they make promises to clients regarding proceeds during the sales process. If any sensitive word is triggered, an automatic message warning will be sent to personnel at the security audit position and the compliance position to handle the events of violations. We successively close down the Internet access channels to reduce the Internet attack surface and risk exposure of the Company system. We also continue to implement the mobile APP security reinforcement project. As a result, the Company’s client-oriented App can complete code encryption through the security reinforcement platform to enhance APP application and data security.
In addition, Noah also carries out various emergency plan drills every year and responds to the cloud-based scenario in 2022. We have carried out disaster recovery drills for public and private equity trading systems and Inoah systems to ensure that such architecture is effective and highly available, has the capability of disaster recovery, and meets business continuity requirements.
Emergency Response Plan for Data Leakage Events
In 2021, Noah formulated the Noah Emergency Plan for Client Information Leakage. According to the Plan, if any of our clients’ information disclosure is detected, the Information Security Department will uniformly organize early warning response work, launch the Emergency Plan, and determine the security level of such incidents. It will also notify the relevant business collaboration entity to handle such incidents and keep evidence. For a preeminent client information leakage event that meets the conditions for regulatory reporting, the Information Security Department and Compliance Department of the Group shall send a summary report in writing to the cybersecurity department and other regulatory authorities where the event occurs. In 2022, Noah formulated the Noah Network and Wire Fraud Emergency Plan to respond to network and wire fraud emergencies. Based on the principle of unified organization and hierarchical command, an emergency response team was formed by the Group's information security department, public affairs department, and legal department while other departments collaborated to carry out emergency response to network and wire frauds.
Cyber Security Attack and Defense Drill
The Attack and Defense Drill (ADD) is a fully simulated actual combat of attack and defense. For all domestic and foreign external businesses of the Group, more than a dozen cyberattack scenarios are simulated to test the Company’s work achievements in information security management, technical prevention and control, and security contingency stages. By virtue of the actual combat drill, the security awareness of corporate technical personnel will be enhanced, the attack and defense skills of the security department be tempered, the potential risks of information systems be disclosed, and the improvement and upgrading of information security governance be promoted.
In 2022, Noah actively participated in the Attack and Defense Drill project organized by Shanghai's Cybersecurity authorities and implemented an ADD project for one month. During the project, the defender (Blue Team) of Noah Information Security Department and science and technology operation teams successfully detected more than 10 attack nodes from inside and outside China, involving domestic operators, public cloud, Europe and the United States, Southeast Asia, etc. In the process of attack and defense, Noah’s protection mechanism successfully intercepted all external attacks at all technical levels. At the same time, in the risk assessment of the business process, the security risks in the information system were effectively identified, and all the risk items were rectified after the drill. Through this actual combat, the security team can have a clearer understanding of its shortcomings, pointing out the direction for the evolution and exploration of security governance in the technical respect.
In 2022, Noah actively participated in the Attack and Defense Drill project organized by Shanghai's Cybersecurity authorities and implemented an ADD project for one month. During the project, the defender (Blue Team) of Noah Information Security Department and science and technology operation teams successfully detected more than 10 attack nodes from inside and outside China, involving domestic operators, public cloud, Europe and the United States, Southeast Asia, etc. In the process of attack and defense, Noah’s protection mechanism successfully intercepted all external attacks at all technical levels. At the same time, in the risk assessment of the business process, the security risks in the information system were effectively identified, and all the risk items were rectified after the drill. Through this actual combat, the security team can have a clearer understanding of its shortcomings, pointing out the direction for the evolution and exploration of security governance in the technical respect.