Information Security

Cyber Security Organization

THC has established an information security supervisor and personnel who are in charge of information security policy formulation, implementation, risk management, and compliance audits, with an Information Security Team under its supervision. The highest manager of the MIS office reports to the Board of Directors every year on information security management performance, related issues, and directions. In March 2023, THC announced the "THC Information Security Policy", and will report the execution results and the 2023 targets to the Board of Directors in May 2023.

Cyber Policy

“To maintain the Company's information security, conduct self-management, and raise information security awareness.”

Cyber Security Risk Management Framework

The Information Security Team lets the Company's concept of information security take root through the “Information Protection Working Committee.” The Committee, which covers all organizations across the Taiwan plants and overseas subsidiaries, convenes regular meetings to keep track of the situation and uses the Plan-Do-Check-Act (PDCA) cycle to review the applicability of the policy and of measures such as information protection.

  • Plan: Refer to relevant information security systems, and formulate information policy and management measures.
  • Do: Multi-layer information security protection and management (physical security, network security, device security, access management, and information security maintenance and operation).
  • Check: Information security monitoring.
  • Act: Review and improve information security measures, introduce new information security protection tools, and run training programs and promotion campaigns on information security.

Concrete Management Programs

Multi-layer information security protection

Network Security

  1. Deploy an IPS (intrusion detection and protection system) between the intranet and the internet.
  2. Strengthen the network firewall and network controls, and shut down non-essential networks and services to reduce the risk of malicious attacks.

Device Security

  1. Monthly patch updates for the Windows operating system.
  2. Endpoint anti-virus measures based on computer type.

Host and Application System

  1. Enhance system and software vulnerability remediation.
  2. Implemented an intrusion protection system for important host computers; conducted two disaster recovery exercises for core systems.

Education, Training and Dissemination

  1. Conduct information security promotion and social engineering drills regularly to cultivate employees’ information security awareness.

Investments in Resources for Cyber Security Management

Implementation results of the corporate information security measures in 2022:

  1. Disaster recovery drills for the core system: 2 times
  2. Email social engineering drills: 2 times
  3. Information security lectures: 4 times
  4. Participated in the enterprise information security service held by the Industrial Development Bureau, Ministry of Economic Affairs, receiving assistance in the form of information security grading, information security checks, lectures, and other resources.
  5. MIS managers participated in advanced industry training on information security practice.
  6. Zero significant information security incidents in 2022.

Information and Communication Security Risks and Countermeasures:

  1. Although the company has implemented extensive measures to ensure the security of its network and computer-related information, it cannot guarantee immunity against new risks and attacks that may emerge in the constantly evolving landscape of information security threats. These threats may include cyber-attacks launched by third parties that could paralyze the company's systems responsible for crucial corporate functions. Malicious hackers may attempt to infiltrate the company's network system with computer viruses, destructive software, or ransomware to disrupt the company's operations, commit blackmail, or gain control over the computer system. Such attacks may result in operational disruptions and financial losses, necessitating costly remedial and improvement measures to strengthen the company's network security system.
  2. To avoid and reduce the damage caused by such attacks, the Company implements improvements and updates its systems regularly. First, we have joined the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), Taichung Port Technology Industrial Park [Information Security Sharing], Chunghwa Telecom HiNet SOC, etc., to receive information security notifications and intelligence. Second, we strengthen system and software vulnerability repairs, introduce an intrusion protection system on important hosts, strengthen the network firewall and network controls, and set up endpoint anti-virus measures based on the computer type. Third, THC conducts regular information security promotion and social engineering drills to train and cultivate sound information security awareness among employees. Finally, the core system has an established backup mechanism, and disaster recovery drills are conducted twice a year to ensure the viability of essential information systems.
  3. Future target: Complete the information security system of each plant to strengthen network security protection. In the future, in addition to expanding information security personnel, we plan to conduct regular training and certification to improve the Company's information security in terms of both human resources and capability.

Significant Information Security Incident:

Zero significant information security incidents in 2022.