Information Security Management

Advantech recognizes that information security issues are critical to the Company's operational stability, product safety, and brand value as a global leader in the IoT industry. These factors are critical for stakeholders such as employees, customers, and investors. Furthermore, the FSC also amended regulations to mandate information security requirements for TWSE / TPEx listed companies. In the event of a major information security incident, they are required to publicly disclose material information.

The National Institute of Standards and Technology's (NIST) Cyber Security Framework (CSF) serves as the foundation for the Company's information security management strategy. The framework has five main functions:
Identification, protection, detection, response, and recovery primarily refer to the measures that need to be managed or adopted at each stage of a company being attacked: before the incident (identification and protection), during the incident (detection and response), and after the incident (recovery).

To safeguard Company and customer interests, we are dedicated to upholding information security, continuously evaluating the efficacy of information security management, and minimizing the frequency of information security incidents.

Recognizing the increasing importance of the positive impact of information security and supply chain information security in the technology industry, the Company's efforts in fortifying information security can raise customer confidence, enhance overall corporate risk management, and enhance resilience against operational risks.

Information security breaches can negatively impact business operations by leading to the breach of confidential information, system service disruptions, reputational damage, customer loss, and increased legal risks for the Company.

• The following actions and measures are implemented to respond to negative impacts:
• Implement a multi-layered defense-in-depth strategy through security mechanisms such as firewalls, endpoint protection, privileged account management, and two-factor authentication
• Continue to detect and monitor information security risks and establish an information security incident monitoring, response, and handling mechanism
• Implement 3-2-1 data backup for important systems and establish a remote disaster recovery mechanism.
• Introduce an information security management system to increase the overall sophistication of information security practices.
• Continue to organize information security awareness campaigns to reinforce employee information security awareness.

• Microsoft Security Score exceeds 70%
• Information security risk rating up to 78
• The availability of key application systems reached 99.9%
• Conducted Information security awareness courses, achieving a completion rate of 91.7%
• Following social engineering email testing, headquarters and overseas subsidiaries achieved a pass rate of 84.3% and 77.4%, respectively
• Quarterly information security newsletters are distributed, with information security contests organized for Advantech's global IT departments.
• Target coverage rate of 100% for web security filtering and zero trust network access are implemented at headquarters and in Taiwan.

• Information security risk rating up to 80
• IT operations in Europe, North America, and China achieve ISO 27001 certification: 2022 revised standard
• Target coverage rate of 100% for web security filtering deployment in Japan and Singapore
• Target coverage rate of more than 80% for Zero Trust Network Access and NAC deployment at headquarters and in Taiwan
• Continue to expand the deployment of vulnerability patching tools on host systems within IT machine rooms, with a target coverage rate exceeding 80%
• The information security management dashboard system becomes operational, enabling centralized monitoring of key information security indicators across the four major regions: Taiwan, China, North America, and Europe
• Azure cloud environment information security score exceeds 65%
• Complete the dual network project at Kunshan, China and major locations in Taiwan

• Advantech introduces global web security filtering and zero trust network access
• The information and cyber security risk rating score is higher than the industry standard, and the rating score remains no less than 85%
• Global Factories achieve compliance with the new ISO 27001: 2022 standard update

• Headquarters IT server room operations and maintenance, the backbone network, and OT operations and maintenance at the Linkou plant complete the transition to ISO 27001: 2022 standard
• Introduce Security Access Service Edge (SASE), a cloud architecture that integrates network security and access control to enhance the security and performance of Internet use
• Fortify the digital asset management system to better understand and address Advantech's global information security risks, while also assessing the security posture of outsourced third-party suppliers
• Develop the proprietary information security management dashboard system and complete preliminary testing and phased functional objectives by the end of 2024
• Form a Security Committee for product information security and convene regular meetings to discuss relevant topics and monitor work progress

• Continue to increase Microsoft Security Score to 70%
• Introduce information security risk rating tools, continuously monitor information security risk status, and take corresponding improvement measures to gradually improve the information security risk score to 78
• Headquarters passed the external audit by a third-party certification body, maintaining compliance with the requirements of the ISO/IEC 27001:2022 standard for operations within the certified scope

• Employees: Provide mandatory online courses on information security and complete tests.
• Customers: Respond to customer questionnaires and audits, and provide relevant supporting records as needed.
• Suppliers and contractors: All suppliers are required to complete the Information Security Management Declaration. Suppliers of critical components and system services must also submit a risk self-assessment form and undergo regular information security audits.
• Shareholders and investment institutions: The Company's major action plans and results for improving information security are disclosed through the Company's annual and sustainability reports.
• Partners: Report and address information security issues together.
• Government, public associations, and the media: Respond to inquiries from government units and relevant public associations, and provide supporting records as necessary.