Information Security

Enterprise Information Security Organization

The Company aims to enhance information security management by establishing a dedicated supervisor and personnel for information security. Under the Information Department, there is a subordinate information security team responsible for coordinating the formulation, implementation, risk management, and compliance auditing of information security policies. Information Security’s highest-level supervisor reports annually to the Board of Directors on the effectiveness of information security management, relevant security issues, and strategic directions. The internal announcement of the "THC International Information Security Policy" was made on March 21, 2023. The report on the effectiveness of information security execution in 2024 and the goals for 2025 was presented to the Board of Directors on May 9, 2025.

Cyber Policy

“To maintain the Company information security, conduct self-manage, and raise information security awareness.”

Cyber Security Risk Management Framework

The Information Security Team collaborates with information security teams from Taiwan and overseas subsidiaries to plan, execute, audit, and take action (PDCA cycle) to enhance information security management. They regularly review and optimize information security policies and protective measures to effectively implement security management.

Plan：Establishing cybersecurity policies and management practices.
Do：Multi-layered cybersecurity management (hardware, network, devices, access control, cybersecurity monitoring and operations)
Check：Continuous cybersecurity monitoring.
Action：Improving cybersecurity measures, implementing security tools, and conducting information security training and awareness campaigns.

Specific Management Measures

Plan Name	Plan Description	Execution Results
Social Engineering Exercises and Information Security Awareness	Regular social engineering drills and awareness programs to raise awareness of intrusion and malicious processes	In 2024, conducted 2 social engineering drills and 5 security awareness sessions, enhancing employees’ information security awareness
Establishing Multilayered Cybersecurity Defense Mechanisms	Deploying endpoint firewalls, intrusion detection, and email filtering systems; key servers equipped with anti-virus software and endpoint protection	Strengthened security of host systems, networks, and information through deep defense layers, reducing attack risks
Vulnerability Scanning and System Updates	Regular system updates, scanning and patching vulnerabilities on hosts and networks	In 2024, conducted 2 vulnerability scans and performed monthly system updates and patching to reduce attack risks
Information Security Monitoring	Implemented NDR to monitor and analyze network traffic, and MDR to detect endpoint threats	Information security personnel immediately detected abnormal behavior or attacks and responded quickly to prevent spread
Disaster Recovery Drills	Regular execution of backup recovery drills	Completed 2 disaster recovery drills in 2024
Training and Education	Technical training for information security managers and personnel	Completed 24 hours of information security management system training

Short-Term Information Security Goals

Continue to enhance phishing/social engineering drills and security awareness campaigns, deploy next-generation intrusion detection and prevention systems, strengthen vulnerability scanning and patching, Conduct regular disaster recovery drills for core systems.
No major information security incidents affecting operations in 2024

Information and Communication Security Risks and Countermeasures：

Risk Challenges: Cybersecurity threats are diverse and rapidly evolving, making them difficult to fully prevent and potentially causing system interruptions and reputational damage.
Current Mitigation Measures: Integrated with the TWCERT/CC cybersecurity platform, implemented IPS/MDR/NDR systems, and regularly conducted awareness training and disaster recovery drills to strengthen protection.
Future Enhancement Direction：Continue optimizing defense architecture, expanding professional personnel, and conducting internal certification training to comprehensively improve information security management efficiency.

Significant Information Security Incident:

Zero significant information security incident in 2024.