|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 16K. Cybersecurity
As part of the enterprise risk management oversight, our Board of Directors, is the highest decision-making body, responsible for formulating risk management policy and organizational structure. The Risk Management Team is the competent authority for implementing risk management with Audit Committee supervising the implementation of risk management to ensure the effectiveness of the risk management mechanism, including information technology. The Information Security Team is composed of the team member of Information Security Office and each department management, which is assigned by each department head. The department management evaluates the frequency, impact and control degree of potential cybersecurity risks through identification, analysis, evaluation and other procedures. The department management also implements necessary procedures and cybersecurity works in compliance with the rules, and ensure that the known cybersecurity risks are controlled within the feasible scope and continue to monitor. Annually, the department management briefs the Information Security Team and Information Security Management Committee on the then current cybersecurity event environment facing the Company, the focus of the Company’s enterprise cybersecurity management, cybersecurity assessment and cybersecurity mitigation actions to be taken. Our Information Security Management Committee is responsible for the overall information security across all subsidiaries. This committee is composed of all first-level supervisors at each division, including the head of Information Technology Management (“I.T.M”) center. Currently, it is mainly led by the head of I.T.M. center and the information security manager, who are the subject matter expert on information security, privacy, information technology strategy and management. The Information Security Management Committee report to the Board of Directors at least once a year. If any, major incidents are escalated to our Information Security Team and our Information Security Management Committee, who may then inform our Board of Directors of the incident pursuant to our internal procedures. The primary objective is to strengthen governance by enabling direct oversight of cybersecurity risks and proposing related mitigation measures. In the three years through 2024, the Company has not experienced any material cybersecurity incidents.
Our information security manager of the I.T.M. center holds the following certifications: ISO 27001 LA, ITIL 4 Foundation and IPASS Information Security Engineer by Ministry of Economic Affairs. The Information Security Team members also possess international cybersecurity certifications such as ISC2 CISSP, EC-Council CEH, and CTIA. We arrange external training every year for our team to further enhance their knowledge and skills in the cybersecurity field.
In respect of the assessing and managing of cybersecurity from our management, we have formulated management policies in eight aspects including strategies and policies, legal compliance, information security risk assessment, information security technology investment, risk monitoring and reporting, information outsourcing supplier management, disaster emergency response and continuous improvement as below:
•
Strategies and policies: Management has formulated appropriate cybersecurity principles and policies to mitigate internal and external cybersecurity risks. Its content covers the formulation of information security policies, access control, data encryption, employee training plans and network security incident response procedures. The compliance and appropriateness of the policy will be reviewed and updated regularly.
•
Legal compliance: Management ensures that the organization's cybersecurity measures comply with applicable laws, regulations and industry best practices.
•
Information security risk assessment: Management is responsible for identifying and assessing the cybersecurity threats facing the organization. Understand potential threat sources, vulnerabilities, and system weaknesses and assess the potential impact of these threats on an organization’s business, finances, and reputation.
•
Information security technology investment: Management decided to invest in network security technology and tools to strengthen the organization’s security defense capabilities. This includes investing in security information and event management systems such as firewalls, intrusion detection systems, two-factor authentication and EDR protection.
•
Risk monitoring and reporting: Management has established an effective monitoring mechanism to regularly check the effectiveness of network security controls, respond to potential security incidents, and report network security performance and risk status to other stakeholders.
•
Information outsourcing supplier management: Management assesses and manages the cybersecurity risks associated with outsourcing. Ensure that suppliers and partners meet the organization's cybersecurity standards and take appropriate measures to protect the organization from supply chain attacks.
•
Disaster emergency response: Management develops and implements an emergency response plan for network security incidents. Ensure that the organization has appropriate response capabilities to promptly handle cybersecurity incidents and reduce the impact on business.
•
Continuous improvement: Management takes steps to continually improve the organization’s cybersecurity defenses. This includes regularly assessing the effectiveness of cybersecurity measures, as well as revising and updating cybersecurity principles and controls in light of new threats and vulnerabilities.
Our Corporate Information Security department regularly assesses the threat landscape to proactively prevent and minimize the damage caused by cybersecurity attacks. We have implemented and enhanced various cybersecurity measures, including implementing defense against Distributed Denial-of-Service (DDoS) attacks, strengthening protection for external web-based services (WAF), replacing EOS operating systems, improving computer security compliance, and installing advanced malware defense solutions for critical computers and servers and adopting ISO15408 (also called CC guidelines) to comprehensively enhance physical security controls.
In the event of a large-scale DDoS attack, the main impact is on the Anti-DDos devices, but backend servers will remain operational. Additionally, in response to more and more sophisticated hacking techniques, the company has arranged for external penetration testing to strengthen server security. We will also evaluate outsourcing red team exercises to enhance internal security at entry points and minimize risks and impact as much as possible.
In the trend of increasing global information security threats, information security risks are increasing, and new types of information security threats are constantly being introduced. Please see “Item 3. Key Information—Risk Factors” for a discussion of potential information security risks. The management has taken the above practical measures for the information security of the Company, and strengthened the key infrastructure and external information security. We cooperate and implement corresponding protective measures to reduce the risk of malicious attacks to maintain the Company’s information network security environment, avoid network attacks, and enable the Company to comprehensively protect the information environment.
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
As part of the enterprise risk management oversight, our Board of Directors, is the highest decision-making body, responsible for formulating risk management policy and organizational structure. The Risk Management Team is the competent authority for implementing risk management with Audit Committee supervising the implementation of risk management to ensure the effectiveness of the risk management mechanism, including information technology. The Information Security Team is composed of the team member of Information Security Office and each department management, which is assigned by each department head. The department management evaluates the frequency, impact and control degree of potential cybersecurity risks through identification, analysis, evaluation and other procedures. The department management also implements necessary procedures and cybersecurity works in compliance with the rules, and ensure that the known cybersecurity risks are controlled within the feasible scope and continue to monitor. Annually, the department management briefs the Information Security Team and Information Security Management Committee on the then current cybersecurity event environment facing the Company, the focus of the Company’s enterprise cybersecurity management, cybersecurity assessment and cybersecurity mitigation actions to be taken. Our Information Security Management Committee is responsible for the overall information security across all subsidiaries. This committee is composed of all first-level supervisors at each division, including the head of Information Technology Management (“I.T.M”) center. Currently, it is mainly led by the head of I.T.M. center and the information security manager, who are the subject matter expert on information security, privacy, information technology strategy and management. The Information Security Management Committee report to the Board of Directors at least once a year. If any, major incidents are escalated to our Information Security Team and our Information Security Management Committee, who may then inform our Board of Directors of the incident pursuant to our internal procedures. The primary objective is to strengthen governance by enabling direct oversight of cybersecurity risks and proposing related mitigation measures. In the three years through 2024, the Company has not experienced any material cybersecurity incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As part of the enterprise risk management oversight, our Board of Directors, is the highest decision-making body, responsible for formulating risk management policy and organizational structure. The Risk Management Team is the competent authority for implementing risk management with Audit Committee supervising the implementation of risk management to ensure the effectiveness of the risk management mechanism, including information technology. The Information Security Team is composed of the team member of Information Security Office and each department management, which is assigned by each department head.
|Cybersecurity Risk Role of Management [Text Block]
|
In respect of the assessing and managing of cybersecurity from our management, we have formulated management policies in eight aspects including strategies and policies, legal compliance, information security risk assessment, information security technology investment, risk monitoring and reporting, information outsourcing supplier management, disaster emergency response and continuous improvement as below:
•
Strategies and policies: Management has formulated appropriate cybersecurity principles and policies to mitigate internal and external cybersecurity risks. Its content covers the formulation of information security policies, access control, data encryption, employee training plans and network security incident response procedures. The compliance and appropriateness of the policy will be reviewed and updated regularly.
•
Legal compliance: Management ensures that the organization's cybersecurity measures comply with applicable laws, regulations and industry best practices.
•
Information security risk assessment: Management is responsible for identifying and assessing the cybersecurity threats facing the organization. Understand potential threat sources, vulnerabilities, and system weaknesses and assess the potential impact of these threats on an organization’s business, finances, and reputation.
•
Information security technology investment: Management decided to invest in network security technology and tools to strengthen the organization’s security defense capabilities. This includes investing in security information and event management systems such as firewalls, intrusion detection systems, two-factor authentication and EDR protection.
•
Risk monitoring and reporting: Management has established an effective monitoring mechanism to regularly check the effectiveness of network security controls, respond to potential security incidents, and report network security performance and risk status to other stakeholders.
•
Information outsourcing supplier management: Management assesses and manages the cybersecurity risks associated with outsourcing. Ensure that suppliers and partners meet the organization's cybersecurity standards and take appropriate measures to protect the organization from supply chain attacks.
•
Disaster emergency response: Management develops and implements an emergency response plan for network security incidents. Ensure that the organization has appropriate response capabilities to promptly handle cybersecurity incidents and reduce the impact on business.
•
Continuous improvement: Management takes steps to continually improve the organization’s cybersecurity defenses. This includes regularly assessing the effectiveness of cybersecurity measures, as well as revising and updating cybersecurity principles and controls in light of new threats and vulnerabilities.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Information Security Management Committee is responsible for the overall information security across all subsidiaries. This committee is composed of all first-level supervisors at each division, including the head of Information Technology Management (“I.T.M”) center. Currently, it is mainly led by the head of I.T.M. center and the information security manager, who are the subject matter expert on information security, privacy, information technology strategy and management.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our information security manager of the I.T.M. center holds the following certifications: ISO 27001 LA, ITIL 4 Foundation and IPASS Information Security Engineer by Ministry of Economic Affairs. The Information Security Team members also possess international cybersecurity certifications such as ISC2 CISSP, EC-Council CEH, and CTIA. We arrange external training every year for our team to further enhance their knowledge and skills in the cybersecurity field.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Information Security Management Committee report to the Board of Directors at least once a year. If any, major incidents are escalated to our Information Security Team and our Information Security Management Committee, who may then inform our Board of Directors of the incident pursuant to our internal procedures. The primary objective is to strengthen governance by enabling direct oversight of cybersecurity risks and proposing related mitigation measures. In the three years through 2024, the Company has not experienced any material cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef