Cyber Security Policy and Management
1. Cyber Security Risk Management Structure
The Company’s headquarters office is responsible for cyber security management. The General Manager also serves as the head of cyber security and oversees the formulation of cyber security policies and the planning of cyber security measures. The Company also has a dedicated cyber security officer who is responsible for carrying out day-to-day cyber security management operations.
The Company’s IT division is the executing unit for cyber security. It builds the information environment in accordance with the Company’s cyber security policies and guidelines, and implements and continuously updates rigorous measures to prevent and minimize cyber security risks.
The Company’s Audit Office is the cyber security audit unit. If an audit reveals deficiencies, the audited unit is required to propose an improvement plan and submit it to the Board of Directors, and the effectiveness of the improvement is tracked on a regular basis to minimize internal cyber security risk.
A CPA audit is conducted annually; if deficiencies are found during the annual audit, the CPA requests improvement measures and tracks the results.
In view of the importance of cyber security, the responsible unit reports to the Board of Directors annually on the status of the Company’s cyber security governance and implementation, with the most recent report due on December 15, 2023.
2. Cyber Security Policy and Management Program
To strengthen the cyber security management and ensure the availability, integrity, and confidentiality of information, as well as to protect it from intentional or accidental threats from internal and external sources, the Company’s cyber security facilities and management practices are categorized into six major items:
3. Commitment of Resources to Cyber Security Management
To fulfill the six major cyber security policies, the resources invested are as follows:
(1) Network hardware equipment such as firewalls, email anti-virus and spam filtering, Internet behavior analysis, and network management hubs.
(2) Software systems such as endpoint protection systems, backup management software, and VPN authentication and encryption software.
(3) Telecommunication services such as multiple network lines, cloud backup service, and intrusion prevention service.
(4) Investment in manpower, including daily system status checks, weekly backups with off-site storage of backup media, at least two cyber security awareness and education courses per year, an annual system disaster recovery exercise, an annual internal audit of the information cycle, and the CPA audit.
(5) Cyber security manpower: a dedicated cyber security head and a dedicated cyber security officer are responsible for cyber security architecture design, cyber security maintenance and monitoring, cyber security incident response and investigation, and the review and revision of cyber security policies; the dedicated cyber security officer reports to the Board of Directors at least once a year.
4. Losses and Measures for Significant Security Incidents in Recent Years
From January 2023 to December 2023, there were no significant security incidents.
5. Cyber Security Escalation Procedure
In the event of a computer system abnormality, personnel should immediately notify the IT division for handling. IT personnel should remain alert to cyber security concerns when dealing with system abnormalities or troubleshooting. The following situations must be reported to the head of the IT division, and those categorized as cyber security incidents must also be notified to the Executive Secretary of the Crisis Management Team (EST) in accordance with crisis management procedures, so that it can be assessed whether the incident constitutes a major cyber security incident:
(1) External network connectivity has been interrupted for 30 minutes and cannot be restored.
(2) An information system anomaly has occurred and the system has not been restored within 3 hours.
(3) More than 3% of the Company’s total number of computers are found to be infected with computer viruses.
(4) Signs of hacking are found, or system data is found to have been tampered with or exfiltrated without explanation.
6. Cyber Security Awareness
The Company conducts social engineering drills every year to raise employees’ awareness of cyber security. The most recent social engineering drill was held on October 13, 2023, and employees who did not pass the drill must attend a compulsory training session.