Information Security

Enterprise Information Security Organization

To enhance information security management, an Information Security Director and team have been established. The security team coordinates the formulation and execution of information security policies, risk management, and compliance audits. The Chief Information Security Officer regularly reports to the Board of Directors on the effectiveness of security management, trends, and technology issues. The "Hon Chuan International Information Security Policy" was announced on March 21, 2023, and the 2023 security execution results and 2024 goals were reported to the Board on May 9, 2024.

Cyber Policy

“To maintain the Company's information security, conduct self-management, and raise information security awareness.”

Cyber Security Risk Management Framework

The Information Security Team collaborates with information security teams from Taiwan and overseas subsidiaries to plan, execute, audit, and take action (PDCA cycle) to enhance information security management. They regularly review and optimize information security policies and protective measures to effectively implement security management.

  • Plan: Establishing cybersecurity policies and management practices.
  • Do: Multi-layered cybersecurity management (hardware, network, devices, access control, cybersecurity monitoring and operations).
  • Check: Continuous cybersecurity monitoring.
  • Action: Improving cybersecurity measures, implementing security tools, and conducting information security training and awareness campaigns.

Concrete Management Programs

Scheme name | Scheme description | Execution outcomes
Social engineering drills and information security awareness | Regular social engineering drills and information security awareness. | In 2023, conducted 2 social engineering drills and 5 information security awareness sessions to foster correct information security awareness among colleagues.
Implementing multi-layered cyber security defense mechanisms | Deploying next-generation firewalls at gateway ends, intrusion detection and prevention systems, and email security filtering devices. Implementing antivirus and intrusion prevention systems on critical hosts, and deploying antivirus software on user endpoint computers. | Protecting hosts, networks, and information security, enhancing defense-in-depth capabilities, and reducing the risk of attacks.
Vulnerability scanning and system updates | Scanning and patching vulnerabilities on hosts and networks, and regularly updating systems. | In 2023, conducted 2 vulnerability scans, updated operating systems monthly, and strengthened patching of host systems and software vulnerabilities to mitigate the risk of exploitation by hackers.
Information security monitoring | Configuring abnormal alert notifications for cybersecurity devices and antivirus software. Cybersecurity personnel review logs from security devices and antivirus systems daily. | Cybersecurity personnel promptly detect anomalies or attack behaviors, taking immediate action to prevent the escalation of security issues.
Disaster recovery drill | For critical core systems, regularly conducting off-site backups and data restoration tests. | In 2023, conducted 2 disaster recovery drills to verify the effectiveness of backup data.

Investments in Resources for Cyber Security Management

Results of the corporate information security measures implemented in 2023:

  1. Disaster recovery drills on the core system: 2 times
  2. Email social engineering drills: 2 times
  3. Information security promotion: 5 times
  4. Vulnerability scanning and remediation for hosts and networks: 2 times
  5. No major information security incident occurred.

Information and Communication Security Risks and Countermeasures:

  1. Although the company has implemented extensive measures to ensure the security of its network and computer-related information, it cannot guarantee immunity against new risks and attacks that may emerge in the constantly evolving landscape of information security threats. These threats may include cyber-attacks launched by third parties that could paralyze the company's systems responsible for crucial corporate functions. Malicious hackers may attempt to infiltrate the company's network system with computer viruses, destructive software, or ransomware to disrupt the company's operations, blackmail the company, or gain control over the computer system. Such attacks may result in operational disruptions and financial losses, necessitating costly remedial and improvement measures to strengthen the company's network security system.
  2. To avoid and reduce the damage caused by such attacks, the Company implements improvements and updates its systems regularly. First, we join the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), Taichung Port Technology Industrial Park [Information Security Sharing], Chunghwa Telecom HiNet SOC, etc., to receive information security notifications and intelligence. Second, we strengthen system and software vulnerability repairs, introduce an intrusion protection system on important hosts, strengthen the network firewall and network control, and set up endpoint anti-virus measures based on the computer type. Third, THC also conducts regular information security promotion and social engineering drills to train and cultivate sound information security awareness among employees. Finally, the core system has an established backup mechanism, and disaster recovery drills are conducted twice a year to ensure the viability of essential information systems.
  3. Future target: Complete the information security system of each plant to strengthen network security protection. In addition to expanding the information security staff, we plan to conduct regular training and certification to improve the Company's information security in terms of human resources and capability.

Significant Information Security Incident:

Zero significant information security incidents in 2023.