Information Security Management

Management Guidelines for Major Topics

Information Security Management

Materiality

As the threat of cyberattacks continues to grow, information and cyber security has become one of the major risks to corporate operations worldwide. As a global leader in the Internet of Things (IoT), Advantech recognizes that information and cyber security issues are critical to the Company's operational stability, product safety, privacy, and brand value. These factors are likewise critical for stakeholders such as employees, customers, and investors.

Management Strategy
  • Improvement of visibility of information security risks
  • Decrease in attack surface
  • Improvement of information security governance and risk awareness
  • Enhancement of application system resilience
Policy or commitment

To safeguard the Company's and customers' interests, we are committed to upholding information and cyber security, continuously evaluating the effectiveness of information and cyber security management, and minimizing the frequency of information and cyber security incidents.

Impact description

Effective information and cyber security has a positive impact: it strengthens the confidence of stakeholders in the Company's risk management and sustainable operations. Advantech has established an information and cyber security management organization and adopted the ISO 27001 standard to continuously improve its information and cyber security management system. Conversely, information and cyber security breaches have negative impacts on business operations, including leakage of confidential information and interruption of system services, which in turn lead to reputational damage, loss of customers, and legal risk for the Company.

To reduce the likelihood and severity of such incidents, the Company employs a multi-layered defense framework, deploying mechanisms such as firewalls, antivirus software, endpoint protection, privileged account management, and two-factor authentication, and continuously assesses information and cyber security risks to strengthen the security architecture. In addition, critical systems are covered by 8/12/24 three-tier snapshot data backups and off-site backup centers, which provide the response and recovery mechanisms for information and cyber security incidents and thereby mitigate their impact.

2023 Achievement Status

The completion rate of the information and cyber security promotion courses was 89%. In addition, the following goals were all achieved in 2023:
  • Microsoft Secure Score of 62%
  • Endpoint detection and response (EDR) deployment coverage reached 83%
  • Deployment coverage of system vulnerability patching tools exceeded 91%
  • Availability of key application systems reached 99.9%
2024 Goals
  • Web security filtering and zero trust network access are implemented in the headquarters and the Taiwan region
  • Information and cyber security risk rating score reaches 80%
  • The headquarters and Linkou factory achieve compliance with the updated ISO 27001:2022 standard
2025 Goals
  • Introduce web security filtering and zero trust network access in the Asia Pacific region, including the headquarters and offices in Taiwan, China, Japan, Korea, Malaysia, and Singapore
  • Information and cyber security risk rating score reaches 85%
  • China, Europe, and North America achieve compliance with the updated ISO 27001:2022 standard
2030 Goals
  • Advantech introduces web security filtering and zero trust network access globally
  • The information and cyber security risk rating score is higher than the industry standard and remains no lower than 85%
  • Global factories achieve compliance with the updated ISO 27001:2022 standard
Action Plan
  • Introduce Secure Access Service Edge (SASE), a cloud architecture that integrates network security and access control, to enhance the security and performance of Internet use.
  • Strengthen the digital asset management mechanism, maintain visibility of Advantech's global information and cyber security risks so they can be remediated, and understand the security status of outsourced third-party suppliers.
Effectiveness assessment
  • Introduce information and cyber security risk rating tools, continuously monitor the information and cyber security risk status, and take corresponding improvement measures to gradually raise the information and cyber security risk score.
  • Pass the external audit of a third-party certification body, and maintain operations within the certified scope in compliance with the ISO 27001:2022 standard.
Stakeholder Engagement
  • Employees: Provide mandatory online courses on information and cyber security, with tests to be completed.
  • Customers: Respond to customer questionnaires and audits, and provide relevant supporting records as needed.
  • Suppliers and contractors: All suppliers are required to complete the Information Security Management Declaration. Suppliers of major components and system services are also required to complete the information security risk self-assessment form and undergo regular information security audits.
  • Shareholders and investment institutions: The Company's major action plans and results for improving information and cyber security are disclosed through the Company's annual report and sustainability report.
  • Business partners: Respond to partners' inquiries and provide supporting records as necessary.
  • Government, public associations, and the media: Respond to inquiries from government units and relevant public associations, and provide supporting records as necessary.

Information Security Policy and Organization

Information security forms an integral part of business operations and risk management, and its implementation requires management's awareness and adequate support. Advantech's President approves the information security policy and sets information security goals, taking into account the confidentiality, integrity, and availability of key systems and important equipment. Each indicator is measured and reviewed at least once a year to ensure the effectiveness of the performance indicators.

Advantech's President, Eric Chen, concurrently serves as Chief Information Security Officer to demonstrate the Company's commitment to information security. A cross-departmental information security governance group has also been established. The Quality Control and Information Security Team is responsible for promoting and coordinating information security issues, including computer information, the physical environment, product information security, the supply chain, and regulatory compliance, and reports implementation status regularly to the Risk Management Committee. Information security is thus integrated into the organization's operational management.

Organization Structure of Information Security Team

Advantech has achieved ISO/IEC 27001:2013 certification for its Information Security Management System (ISMS), and in 2022 expanded the certified scope to include the management of the headquarters' information center and backbone network. In the same year, Advantech's information operations in Europe and the United States also obtained ISO/IEC 27001:2013 certification. Advantech continues to enhance and broaden the scope of its ISMS, establishing standardized systems and processes across strategic, managerial, technical, and awareness aspects, with the aim of continuously improving the depth and breadth of cybersecurity governance.

Information and Cyber Security Management Strategy

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) serves as the foundation for our information and cyber security development roadmap. The framework has five main functions: Identify, Protect, Detect, Respond, and Recover.

These functions map to the stages of an attack on the enterprise and the controls required at each stage: before the event (Identify and Protect), during the event (Detect and Respond), and after the event (Recover).


In response to the United States Securities and Exchange Commission (SEC) rules governing cybersecurity risk management, governance, and incident disclosure for listed companies, we maintain policies and procedures for cybersecurity risk assessment, supervise the cybersecurity risks of third-party service providers, and have contingency procedures and cyberattack recovery plans in place for cybersecurity incidents.


Furthermore, we actively participate in information security organizations, including the Taiwan Chief Information Security Officer Alliance and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), to obtain cyber threat intelligence and vulnerability information. By drawing on external cybersecurity vendors and expert resources, we continuously monitor new cybersecurity information, technologies, and trends to strengthen our security framework and measures and block emerging cybersecurity threats.


In addition, the Company continues to assess internal and external cybersecurity risks and trends in order to develop corresponding cybersecurity management strategies. Our current strategy focuses on reducing the attack surface, improving visibility of cybersecurity risks, enhancing cybersecurity governance and risk awareness, and strengthening cybersecurity resilience. The cybersecurity action plans and key achievements for 2023 are explained below.


Improvement of Information Security Governance and Risk Awareness

To enhance employees' awareness of information and cyber security, we have made information security an annual compulsory course, delivered as e-Learning with online tests. In response to the increasing frequency of phishing email attacks, the Company conducts social engineering drills that simulate phishing emails sent by attackers, testing employees' awareness of information security risks. Additionally, we publish a security newsletter every quarter covering the latest information security trends, significant domestic and international cybersecurity incidents, and important announcements. These efforts aim to raise staff awareness and vigilance regarding information security.


Enhancement of Information Security Resilience

Considering that IT services may be affected by internal or external disasters or by human error, Advantech built a remote disaster recovery site at the Linkou factory. Using Nutanix virtual machines, the Neihu and Linkou sites provide mutual remote disaster recovery and remote data backup for each other. When the Neihu server room is unable to provide services, the remote disaster recovery mechanism in the Linkou server room takes over service for the critical information systems. After establishing this mechanism, Advantech's IT department completed two disaster recovery drills in 2023 to verify the integrity of the overall architecture and of the disaster response and recovery procedures.


In addition, in 2023 Advantech introduced Statuspage, an information service incident management platform, to visualize the service health status of each system, improve the tracking and reporting of IT service performance and availability, and streamline the process for reporting information service anomalies.

Status of Information Security Incidents in the Last Three Years

From 2021 to 2023, there were a total of 14 information security incidents. None caused a material impact on the Company's business, and there were no instances in which customers' personal data was affected or fines were imposed due to the leakage of confidential information. In 2023 there were 3 information security incidents, again with no material impact on the Company's business, no customer personal data affected, and no fines imposed. The causes were a cloud service interruption, a computer virus attack, and an equipment hardware failure. By category, the number of people affected in 2023 was:
  • Cyberattacks (e.g., hackers, viruses): 1 person
  • External service disruptions (e.g., utility power, internet connection, cloud service): 3,500 people
  • Equipment failure: 3,500 people


After investigating the root causes, the Company established an SOP for handling cloud service interruptions, and strengthened equipment availability monitoring and regular maintenance to reduce the chance of equipment failure affecting business operations. For incidents caused by computer viruses, the Company continues to refine the performance of endpoint protection and antivirus tools and to reinforce personnel security awareness education.


Advantech has set up reporting channels for product security risks or vulnerabilities to receive reports from customers or information and cyber security companies; reports are referred to the responsible product department for resolution. Patches are announced on the Company's official website, and a reply is sent to the reporting party.
