Management Guidelines for Major Topics
Information Security Management
Item | Explanation
---|---
Materiality | As the threat of cyberattacks persists, information and cyber security has become one of the major risks to corporate operations worldwide. As a global leader in the Internet of Things (IoT), Advantech recognizes that information and cyber security is critical to the Company's operational stability, product safety, privacy and brand value, and therefore to stakeholders such as employees, customers and investors.
Management Strategy | 
Policy or commitment | To safeguard the Company's and customers' interests, we are committed to upholding information and cyber security, continuously evaluating the effectiveness of information and cyber security management, and minimizing the frequency of information and cyber security incidents.
Impact description | Effective information and cyber security strengthens stakeholders' confidence in the Company's risk management and sustainable operations. Advantech has established an information and cyber security management organization and adopted the ISO 27001 standard to continuously improve its information security management system. Conversely, the negative impacts of an information or cyber security breach on business operations include leakage of confidential information and interruption of system services, leading to reputational damage, loss of customers and legal risk for the Company. We operate a multi-layered defense that deploys firewalls, antivirus software, endpoint protection, privileged account management and two-factor authentication, and we continuously assess information and cyber security risks to strengthen the security architecture, reducing both the likelihood and the severity of incidents. Critical systems are covered by 8/12/24 three-tier snapshot data backups and off-site backup centers, which underpin the response and handling mechanisms for information and cyber security incidents and mitigate their impact.
2023 Achievement Status | 
2024 Goals | 
2025 Goals | 
2030 Goals | 
Action Plan | 
Effectiveness assessment | 
Stakeholder Engagement | 
Information Security Policy and Organization
Information security is an integral part of business operations and risk management, and its implementation requires management's awareness and adequate support. Advantech's President approves the information security policy and sets information security objectives, taking into account the confidentiality, integrity and availability of key systems and important equipment. Each indicator is measured and reviewed at least once a year to verify that the performance indicators are being met.
Advantech's President, Eric Chen, also serves as Chief Information Security Officer to demonstrate the Company's commitment to information security. A cross-departmental information security governance group has been established, and the Quality Control and Information Security Team is responsible for promoting and coordinating information security issues, including computer and information systems, the physical environment, product security, the supply chain and regulatory compliance. Implementation status is reported regularly to the Risk Management Committee, so that information security is integrated into the organization's operational management.
Organization Structure of Information Security Team
Advantech holds ISO/IEC 27001:2013 certification for its Information Security Management System (ISMS) and in 2022 expanded the certified scope to cover the management of the headquarters' information center and backbone network. In the same year, Advantech's information operations in Europe and the United States also obtained ISO/IEC 27001:2013 certification. Advantech continues to broaden the scope of its ISMS, establishing standardized systems and processes at the strategic, managerial, technical and awareness levels, in order to deepen and widen its cybersecurity governance.
Information and Cyber Security Management Strategy
The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) serves as the foundation for our information and cyber security development roadmap. The framework has five main functions:
Identify, Protect, Detect, Respond and Recover. They correspond to the stages of an attack on the enterprise and the controls needed at each stage: before an event (Identify, Protect), during an event (Detect, Respond) and after an event (Recover). (CSF 2.0, released by NIST in February 2024, adds a sixth function, Govern.)
In response to the United States Securities and Exchange Commission (SEC) rules on cybersecurity risk management, governance and incident disclosure for listed companies, we maintain policies and procedures for cybersecurity risk assessment, supervise the cyber security risks of third-party service providers, and keep contingency procedures and cyberattack recovery plans in place for cybersecurity incidents.
Furthermore, we actively participate in information security organizations, including the Taiwan Chief Information Security Officer Alliance and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), to obtain cyber threat intelligence and vulnerability information. By drawing on external cybersecurity vendors and expert resources, we continuously monitor new security information, technologies and trends to strengthen our security framework and measures against emerging threats.
We also continuously assess internal and external cybersecurity risks and trends in order to develop corresponding management strategies. Our current strategy focuses on reducing the attack surface, improving visibility of cybersecurity risks, enhancing cybersecurity governance and risk awareness, and strengthening cybersecurity resilience. The cybersecurity action plans and key achievements for 2023 are described below.
Improvement of Information Security Governance and Risk Awareness
To raise employees' awareness of information and cyber security, we have made information security an annual compulsory course delivered through e-Learning modules and online tests. In response to the increasing frequency of phishing attacks, the Company conducts social engineering drills that simulate attacker phishing emails to test employees' awareness of information security risks. In addition, we publish a security newsletter every quarter covering the latest information security trends, significant domestic and international cybersecurity incidents, and important announcements. These efforts aim to increase staff awareness of and vigilance towards information security.
Enhancement of Information Security Resilience
Considering that IT services may be affected by internal or external disasters or by human error, Advantech planned a remote disaster recovery site at the Linkou factory, achieving mutual remote disaster recovery and remote data backup between Neihu and Linkou through Nutanix virtual machines. When the Neihu server room is unable to provide services, the remote disaster recovery mechanism in the Linkou server room continues to provide services for the critical information systems. After establishing the remote disaster recovery mechanism, Advantech's IT department completed two disaster recovery drills in 2023 to verify the integrity of the overall architecture and systems and of the disaster response and recovery procedures.
In addition, in 2023 Advantech introduced Statuspage, an information service incident management platform, to visualize the service health status of each system, improve the tracking and reporting of IT service performance and availability, and streamline the process for reporting information service anomalies.
Status of Information Security Incidents in the Last Three Years
From 2021 to 2023 there were 14 information security incidents in total. None had a material impact on the Company's business, none affected customers' personal data, and no fines were imposed for leakage of confidential information. In 2023 there were 3 incidents, again with no material impact on the business, no customer personal data affected and no fines imposed. Their causes were a cloud service interruption, a computer virus attack and an equipment hardware failure. By category, the cyberattack (e.g. hackers, viruses) affected 1 person, the external service disruption (e.g. utility power, internet connection, cloud service) affected 3,500 people, and the equipment failure affected 3,500 people.
After the root cause of each incident was investigated, an SOP was established for handling cloud service interruptions, and equipment availability monitoring and regular maintenance were strengthened to reduce the chance of equipment failure affecting business operations. For the incident caused by a computer virus, the Company continues to refine the performance of its endpoint protection and antivirus tools and to strengthen personnel security awareness training.
Advantech has set up contact points for reporting product security risks or vulnerabilities, through which reports from customers or information and cyber security companies are received and referred to the responsible product department for resolution. The resulting patch is announced on the Company's official website and a reply is sent to the reporting party.