Information Security

Information Security Policy & Purpose

In the face of business competition and globalization, information security and the protection of operational data are important cornerstones for sustainable development and maintaining core competitiveness. To ensure the stability, security, and availability of information systems, TCC is committed to strengthening information security management mechanisms and defense capabilities, establishing a secure and reliable computerized operating environment, ensuring the security of systems, data, equipment, and networks to protect the Company's important information assets and ensure the normal operation of information systems.

TCC Group Information Security PolicyAI PolicyPersonal Data Protection and Management Policy

The Scope and Target of Information Security

This applies to TCC Group, its domestic and overseas subsidiaries, invested companies, and other affiliates under the Group's effective control. It covers employees at all operational sites, as well as outsourcing vendors, contractors, and dispatch agencies with access to the Group's internal information.

Information Security Management Framework

Establish an information security management system and cross-departmental information security committee

In 2020, the Company obtained ISO/IEC 27001:2013 certification and adopted the PDCA (Plan-Do-Check-Act) model to establish and implement our Information Security Management System (ISMS).
Led by the General Manager, we established a cross-departmental 'Information Security Management Committee.' This committee meets annually to review the effectiveness of security planning and execution, deliberate on major security decisions, and coordinate resource allocation.
Furthermore, in December 2023, we successfully completed the transition to the ISO/IEC 27001:2022 standard to ensure compliance with the latest information security requirements.

Information Security Management Team

An 'Information Security Management Group' has been established under the Information Security Management Committee.
This group is primarily responsible for the planning, establishment, implementation, maintenance, review, and continual improvement of the Information Security Management System (ISMS) for our information systems. It also reports information security-related matters to the Committee.

Regular reviews and reporting

The Information Security Management Group holds regular meetings to review implementation status. It also reports the execution status and review results to the Board of Directors annually.

Strengthen information security system

Following a resolution by the Board of Directors on April 11, 2022, the Company announced the establishment of the Chief Information Security Officer (CISO) position and the Information Security Department.
The department consists of one dedicated supervisor and two dedicated members. It is primarily responsible for designing TCC Group's overall security architecture, managing operations and monitoring, and responding to and investigating internal and external security incidents. The department reports regularly to the CISO, who in turn reports to the Chairman and General Manager of TCC Group.
To demonstrate TCC Group's commitment to information security, the Board resolved in 2024 to establish the 'Information Security Management Committee,' appointing an Independent Director as the Chairman and Convener. Starting in 2025, the CISO will regularly report the annual information security implementation status to this committee.

Performance

  • Taiwan and Mainland China cement operations, subsidiaries OYAK CEMENT, and Molicel have obtained ISO 27001 certification.
  • Zero critical information security incidents occurred in 2025.
  • TCC requires 100% of new recruits worldwide to sign an information-security declaration. It also occasionally holds expert courses and distributes security policies and protective measures to enhance cybersecurity awareness among all employees. CIMPOR augments these efforts with CyberReady automated training and six SOC-led sessions each year for high-risk staff. Employee information security education and training reached 2,334 hours and 2,523 participants in 2025.
  • In 2025, a total of 8 information security health checks and 4 social engineering drills were completed, recording an overall violation rate of 3.49 percent. TCC maintains a management target of keeping violations below 3 percent.

Information Security Objectives and Management Program

Information Security Objectives
  1. Maintain the stability of TCC Group Holdings' business operations, avoiding operational losses caused by system interruptions or other information security incidents.
  2. Implement appropriate protective measures for sensitive data such as TCC Group Holdings' trade secrets to minimize the impact and risk of information security incidents including damage, theft, leakage, tampering, misuse, and infringement.
  3. Continuously enhance the confidentiality, integrity, and availability of various information assets within the TCC Group Holdings.
Management Program
  1. In 2022, we joined the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) and the threat intelligence centers of leading cybersecurity firms, such as Trend Micro.
    We receive threat intelligence alerts via email, which allows us to assess whether our internal equipment or software is exposed to risks. If vulnerabilities are found, we require the responsible personnel to complete necessary patches within a specified timeframe.
  2. As of 2025, we have 5 dedicated security specialists and a security support team of 30. We regularly conduct information security training and social engineering drills for all TCC Group employees. Our goal is to foster a culture where every employee acts as a guardian of information security.
  3. As of November 2025, we have convened 38 weekly, 10 monthly, and 3 quarterly information security meetings. These sessions actively addressed the application of security tools, the status of ongoing projects, and manpower allocation.
  4. In line with TCC’s active transformation, we prioritize the protection of trade secrets in our energy business and have strengthened security controls. Key measures include preventing data storage on local devices, centralizing the management of sensitive information, and enhancing security for remote work.

Information Security Control Measures

  1. The TCC Group first obtained ISO/IEC 27001:2013 certification in 2021. In December 2023, we successfully completed the transition to the ISO/IEC 27001:2022 standard. The current certification is valid from January 2024 to January 2027.
  2. Information security is everyone's responsibility. To ensure high security awareness across the TCC Group, we conduct regular social engineering drills and training annually.
    In 2025, we carried out four social engineering drills, recording a failure rate of 3.49%. We also held two training sessions covering trending topics, such as AI-related security risks. These initiatives aim to strengthen employee vigilance and prevent security incidents caused by social engineering attacks.
  3. We review information security policies and regulations annually. In 2025, the Information Security Policy was revised once, and the Human Resources Department communicated the updated policy and requirements to all Group employees.
  4. All TCC Group employees, vendors, and subcontractors are required to sign a confidentiality agreement. Anyone with access to the Group’s information systems or business data is responsible for safeguarding these assets against unauthorized access, alteration, destruction, or improper disclosure.
  5. Annual asset inventories and risk assessments are conducted to drive security improvements. We also employ regular auditing tools to prevent unauthorized software installations and ensure intellectual property compliance.
  6. We conduct annual reviews of accounts for core business systems. Permissions are granted based on the principle of least privilege, and high-level access is secured using a Privileged Access Management (PAM) system.
  7. We have implemented a Mobile One-Time Password (MOTP) system as a two-factor authentication mechanism. This allows for fingerprint login, significantly reducing the risks associated with forgotten or compromised passwords.
  8. We utilize vulnerability scanning tools to regularly assess the Group's core systems. All identified medium-to-high risk vulnerabilities are remediated, followed by continuous tracking and re-scanning until all such risks are eliminated.
  9. Real-time monitoring (PRTG) is used on core systems to trigger immediate incident response. We maintain availability through regular backup and redundancy drills. Security is further ensured by routine vulnerability scans and penetration tests to identify and fix issues.
  10. All company workstations are equipped with antivirus software. We perform regular system patches and virus definition updates to mitigate the risks of cyberattacks and ransomware.
  11.  We have fully implemented DDI and EDR protection systems. Through MxDR services, we collaborate with external specialists to monitor the security of TCC Group's endpoint devices.
  12. We deploy OT security measures to protect production lines and prevent downtime from malware. We also employ antivirus USB drives to screen new machinery for viruses before they are connected to the intranet.
  13. We have implemented a sensitive file encryption system to safeguard core business data. This prevents the theft of trade secrets by hackers and mitigates potential operational impacts on TCC Group.
  14. We strictly control all outbound file transfer channels for TCC Group. This includes portable devices (e.g., USBs), cloud storage, Instant Messaging (IM) applications, File Transfer Protocol (FTP), and email systems.
  15. Network security is maintained through firewalls, secure VPNs, intrusion detection systems, and Web Application Firewalls (WAF). We also employ web monitoring to effectively reduce the risk of cyberattacks.
  16. We regularly review the audit trails of core systems and equipment to ensure there is no abnormal access activity from either internal or external sources.
  17. We have established standard procedures for responding to and reporting information security incidents. This ensures incidents are handled effectively to prevent further damage.
  18. We regularly conduct internal and external audits to monitor compliance with our information security policies. Corrective and preventive actions are implemented to address any audit findings.
  19. We have established an AI for Security framework. By leveraging Large Language Models (LLMs) to analyze system audit trails, we can promptly identify potential anomalies and ensure early threat prevention.
  20. We have implemented automated Red Teaming tools to simulate cyberattack scenarios and analyze potential attack paths. By integrating CVE vulnerability data, we enable administrators to effectively remediate security threats.

Information Security Control Measures

TCC Group Holdings has established the TCC Group Information Security Policy, which is available in the 「Investors - Company Regulations」section.

iconTCC Incident Reporting and Response Process

TCC Group Holdings Information Security Related Certificates

ISO/IEC 27001:2022