The TCC Group places great value on operational transparency and corporate governance. In accordance with the Company Law of the Republic of China, the Securities Exchange Law and other relevant laws and regulations, the Company has formulated an effective governance structure and implementation practices, and has imposed self-regulation more rigorous than these laws and regulations require. The Group adopts international standards of corporate integrity and fairness to ensure the transparency of the Company's operating information and to protect the rights and interests of all stakeholders.
1. Information Security Objectives
Facing the challenges of commercial competition and globalization, information security and the protection of business data are important cornerstones of a corporation's sustainable development and core competitiveness. In order to ensure the stability, security and availability of its information systems, the TCC Group is committed to strengthening its information security management mechanisms and defense capabilities, establishing a secure and reliable computerized operating environment, and ensuring the security of its systems, data, equipment and networks, so as to protect the Company's critical information assets and the normal operation of its information systems.
2. Scope of Application of Information Security Policy
The TCC Group's Information Security Policy applies to all its subsidiaries in Taiwan, China and other jurisdictions, and other affiliates that are under the substantial control of the TCC Group, including all the employees of the TCC Group working in various offices around the world as well as any and all third-party suppliers, contractors, vendors and other business partners with access to the Group's internal information.
3. Information Security Risk Framework
- In accordance with the international standard of ISO/IEC 27001:2013, the Company established and implemented an information security management system in 2020 by adopting the operating model of the PDCA cycle. The inter-departmental Information Security Management Committee is convened by the general manager and meets once a year to review the effectiveness of the planning and implementation of the Company's information security systems as well as major issues pertaining to information security, and to coordinate the allocation of resources required to ensure information security.
- Under the Information Security Management Committee, the Information Security Management Team is responsible for planning, establishing, implementing, maintaining, reviewing, and continuously improving the information security management system, and reporting information security-related issues to the Information Security Management Committee.
- The Information Security Management Team meets regularly to review the workings of the Company's information security management system and reports the results thereof to the Company's board of directors on an annual basis.
- The Company's Board of Directors resolved and announced the establishment of a Chief Information Security Officer (CISO) and a dedicated information security taskforce on April 11, 2022. The information security taskforce comprises a dedicated information security manager and two information security members. Their main responsibilities include designing the overall information security architecture of TCC Group, maintaining and monitoring information security operations, responding to and investigating internal and external information security incidents, and regularly reporting work progress to the CISO. The CISO reports to the Chairman of the Board and the General Manager of TCC Group, and presents an annual report on information security activities to the Board of Directors (the annual report to the Board is scheduled for late February 2024).
4. Information Security Policy Objective
Information Security Objectives:
- Maintaining the stability of the TCC Group's business operations and avoiding any operational losses caused by system outages or other information security incidents.
- Taking appropriate measures to protect confidential and sensitive information such as the TCC Group's trade secrets in order to reduce the impact and risk of information security incidents such as data destruction, theft, leakage, tampering, misuse and infringement.
- Continuously ensuring the confidentiality, integrity and availability of the TCC Group's information assets.
Management Plan:
- In 2022, TCC joined the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) to periodically receive threat intelligence by email. This allows the Group to evaluate whether internal equipment or software is exposed to the reported threats, with responsible parties required to address any issues in a timely manner.
- As of 2023, the Information Security Unit consists of 6 dedicated members, supported by a team of 28 people. The aim is to promote information security awareness among all employees of TCC Group through educational training and social engineering exercises, achieving the goal of making everyone responsible for information security.
- By October 2023, we had convened 40 weekly information security meetings, 10 monthly sessions, and 3 quarterly meetings, actively discussing the application of information security tools, the current status of information security projects, and the allocation of information security personnel.
- In response to TCC's proactive transformation, we place significant emphasis on protecting business secrets in the energy sector and strengthening information security control measures. These measures include the implementation of data localization, centralized management of sensitive information, and enhanced security for remote work.
5. Information Security Controls
- TCC Group obtained the ISO/IEC 27001:2013 international information security standard certification in January 2024. The certification is valid from January 2024 to January 2027.
- Information security is everyone's responsibility. To ensure that TCC Group employees are aware of information security, social engineering exercises and security education training are held regularly each year. In 2023, a total of 5 social engineering exercises and 4 security-related training sessions were conducted. Recent domestic and international information security incidents were shared to enhance employees' awareness and prevent information security incidents caused by social engineering attacks.
- Annual reviews of information security policies and regulations are conducted. In 2023, the information security policy was revised once and communicated to all employees in the group to ensure awareness.
- Confidentiality agreements are required for all TCC Group employees, external contractors, and their subcontractors. This ensures that those who access or use TCC Group's information services or related business have the responsibility and obligation to protect the information assets they obtain or use from unauthorized access, tampering, destruction, or improper disclosure.
- An annual inventory of information assets is conducted, and risk management and improvement are carried out according to an information security risk evaluation mechanism. Information asset management tools are regularly used to effectively audit software and hardware information, preventing the installation of unauthorized software or software that violates intellectual property rights.
- Annual reviews of system permissions for core business systems are conducted. Appropriate permissions are granted based on a need-to-use basis, and high-privilege accounts are managed through a Privileged Access Management (PAM) system.
- A Mobile One-Time Password (MOTP) system has been implemented as a two-factor authentication mechanism. Login via fingerprint recognition reduces the risk of forgotten or compromised passwords.
- A vulnerability scanning tool has been implemented, with regular scans performed on core systems of the group. Identified medium to high-risk vulnerabilities are promptly addressed and remediated, with ongoing follow-up scanning until no such vulnerabilities remain.
- Real-time monitoring and alert mechanisms (PRTG) have been established for core business systems and equipment. Any anomalies are immediately reported to system administrators for emergency handling. Backup or redundant mechanisms are in place and regularly tested to ensure the availability of core business systems. Regular vulnerability scans and penetration tests are also conducted to identify and remedy system vulnerabilities.
- Disaster recovery (DR) exercises for core systems are conducted annually to ensure that systems can operate normally when switched to an off-site data center.
- Antivirus software is installed on all office computers, with regular updates to systems and virus definitions to reduce the risk of hacking and ransomware attacks.
- Comprehensive measures for malicious connection and internal spread protection (DDI) and Endpoint Detection and Response (EDR) have been implemented. Managed Detection and Response (MxDR) is used, leveraging external expert teams to monitor the security of TCC Group’s endpoint devices.
- Protective measures have been deployed for production environments (OT) to safeguard production line safety and prevent equipment infections that could lead to operational disruptions. Antivirus USB drives are procured to scan new equipment before it is connected to the internal network.
- A sensitive file encryption system has been introduced to protect core business data, preventing hackers from stealing trade secrets and impacting TCC Group operations.
- Strict controls are in place for external file transfer channels, including portable devices (such as USB drives), cloud storage, instant messaging software (IM), file transfer protocols (FTP), and email sending mechanisms.
- Network-related security operations are established and maintained, including firewall management, secure remote connection settings (VPN), intrusion detection and prevention mechanisms, web application firewalls (WAF), and internet behavior monitoring to reduce the risk of external hacking.
- Regular audits of core system and equipment logs are conducted to ensure no unauthorized internal or external access.
- Standard procedures for responding to and reporting information security incidents are in place to appropriately handle incidents and prevent further damage.
- Regular internal and external audits are conducted to monitor the compliance of information security practices, with corrective and preventive actions taken for audit findings.
6. Relevant Policies and Certifications
- The TCC Group has promulgated the Information Security Policy, which can be found on the TCC's website (Investors → Corporate Governance → Important Internal Regulations).
- The TCC Group has received the following two information security-related certificates: