MiTAC has set up an Information Security Promotion Committee in which the President serves as the chair, the Vice President of the Digital Development Center serves as the deputy chair, and the Chief Information Security Officer (CISO) serves in the position of executive secretary. The Company has a department dedicated to cyber security. An information security manager and several information security personnel were appointed to be responsible for promoting, coordinating, overseeing and reviewing matters in relation to cyber security management. The cyber security department reports on the implementation of cyber security measures to the management or the Board of Directors on a regular basis to ensure the appropriateness and effectiveness of the operation.

To continue enhancing the information security protection and management, MiTAC received the ISO 27001:2013 Information Security Management System certificate in 2019, and passes the audit every year. In 2022, MiTAC passed the audit conducted by a third-party verification institution to confirm the validity of the information security management system and relevant certificates.

MiTAC communicates the significance and necessity to observe the information security policy of the Company to the employees on an ongoing basis. All personnel using the information systems must participate in information security courses every year. The managers and personnel responsible for information security shall take part in professional information security training annually. Social engineering drills and relevant reviews are regularly arranged to constantly increase the employees’ awareness of information security,  and competitions related to information security are held to develop the employees’ competence of information security in an educational but entertaining manner.

We constantly gather various cyber security risk analysis indicators externally through external information security risk rating service to continuously monitor and lower information security risks. The CDM (Cyber Defense Matrix) is used to analyze and review the requirements for information security protection, in order to optimize the process of budget planning and control as well as protection measures for cyber security.

Cyber security incident response and threat intelligence  The information security incident response, handling and reporting procedures are established, including the assessment for impacts and damages caused by incidents, internal and external reporting procedures, methods for informing other affected departments, contact persons and methods for reporting of incidents.   The Company has participated in the Taiwan Computer Emergency Response Team & Coordination Center (TWCERT / CC) for receiving cyber security alerts as well as information security threat and vulnerability information in order to take preventive actions, improve information security protection capabilities and reduce the risk of being hacked.

Considering the endless emergence of domestic and foreign ransomware attacks that can easily cause serious impacts on the operation and production, the IT departments of the Group’s important production locations jointly carried out the emergency drill for response to the ransomware attacks in 2022. Through the scenario planning of the table-top exercise, we made sure that the Group could effectively handle disasters and reduce losses with its response structure and capability in case of emergency. The drill was performed to improve the personnel’s crisis management and response skills.

No business interruption, data corruption, data leakage or other material information security events occurred in 2022.

Taeget 2020 2021 2022 Events causing business interruption, data corruption, data leakage or other material information security events < 1 case. 0 No business interruption, data corruption, data leakage or other material information security events. 0 No business interruption, data corruption, data leakage or other material information security events. 0 No business interruption, data corruption, data leakage or other material information security events.