Operations

The TCC Group greatly values the importance of operational transparency and corporate governance. In accordance with the Company Law of the Republic of China, the Securities Exchange Law and other relevant laws and regulations, the Company has formulated an effective governance structure and implementation practices. The Company has implemented self-regulation more rigorous than the laws and regulations. The group adopts the international standards of corporate integrity and fairness to implement the company's operating information transparency and protect the rights and interests of all stakeholders.

Implementation of Corporate Governance
Establish Corporate Governance Supervisor
Information Security
Employee Training and Education

1. Information Security Objectives

Facing the challenges of commercial competition and globalization, information security and protection of business data are important cornerstones for the sustainable development and core competitiveness of a corporation. In order to ensure the stability, security and availability of its information systems, the TCC Group is committed to strengthening its information security management mechanisms and defense capabilities, establishing a secure and reliable computerized operating environment, and ensuring the security of its systems, data, equipment and networks, so as to protect the company's critical information assets and normal operation of its information systems.

2. Scope of Application of Information Security Policy

The TCC Group's Information Security Policy applies to all its subsidiaries in Taiwan, China and other jurisdictions, and other affiliates that are under the substantial control of the TCC Group, including all the employees of the TCC Group working in various offices around the world as well as any and all third-party suppliers, contractors, vendors and other business partners with access to the Group's internal information.

3. Information Security Risk Framework

  1. In accordance with the international standard of ISO/IEC 27001:2013, the Company established and implemented an information security management system in 2020 by adopting the operating model of the PDCA cycle. The inter-departmental Information Security Management Committee is convened by the general manager and meets once a year to review the effectiveness of the planning and implementation of the Company's information security systems as well as major issues pertaining to information security, and to coordinate the allocation of resources required to ensure information security.
  2. Under the Information Security Management Committee, the Information Security Management Team is responsible for planning, establishing, implementing, maintaining, reviewing, and continuously improving the information security management system, and reporting information security-related issues to the Information Security Management Committee.
  3. The Information Security Management Team meets regularly to review the workings of the Company's information security management system and reports the results thereof to the Company's board of directors on an annual basis.
  4. In response to the requirements of the competent authorities and the need to strengthen information security management, the Company appointed the Chief Information Security Officer and created a dedicated information security taskforce in 2022. The dedicated information security taskforce is responsible for designing the overall structure of the information security systems, operating, maintaining and monitoring the information security systems, responding to and investigating any and all internal and external incidents involving information security, and reporting regularly to the Chief Information Security Officer, who reports to the chairman of the board and general manager of the Company.

4. Information Security Policy Objective

  1. Maintaining the stability of the TCC Group's business operations and to avoid any operational losses caused by system outages or other information security incidents.
  2. Taking appropriate measures to protect confidential and sensitive information such as the TCC Group's trade secrets in order to reduce the impact and risk of information security incidents such as data destruction, theft, leakage, tampering, misuse and infringement.
  3. Continuously ensuring the confidentiality, integrity and availability of the TCC Group's information assets.

5. Information Security Controls

  1. The TCC Group has received the certification of ISO 27001:2013 for international standard of information security on January 1, 2021.
  2. Ensuring information security is the responsibility of each member of the TCC Group. In order to raise the awareness of information security, the TCC Group has been offering relevant training and education sessions to its employees from time to time and sharing with them recent cases of information security incidents in Taiwan and other countries to strengthen their knowledge and awareness regarding information security so as to prevent social engineering attacks and information security incidents.
  3. All the employees and third-party vendors and partners of the TCC Group must execute a confidentiality agreements to ensure that those who have access to the TCC Group's information systems or relevant business information are bound by the responsibility and obligation to protect the TCC Group's information assets obtained or used thereby from unauthorized access, alteration, destruction or improper disclosure.
  4. Taking stock of information assets every year and implementing risk management and improvement measures following the information security risk assessment mechanism in order to realize and ensure the proper management of information security.
  5. Reviewing the system accesses and privileges to the core business operations every year and granting appropriate accesses privileges based on the principle of Need-to-use, and the managing the security of the high-privileged accounts through the Privileged Access Management (PAM) system.
  6. Adopting two-factor authentication mechanism with mobile one-time passwords (MOTP) to reduce the risk of loss or cracking of passwords by using fingerprint recognition for logins.
  7. Deploying real-time monitoring and alerting tools (PRTG) on all the core business systems and equipment, so that system administrators can be notified in a timely manner in the event of any abnormalities; implementing appropriate redundancy or back-up mechanism and conducting regular drills to ensure the availability of the core business systems; performing regular vulnerability scans and penetration tests to identify weaknesses in the system and fix them in a timely manner.
  8. Installing anti-virus software on all PCs used in the office, and performing regular system and virus code updates to reduce the risk of hacking and ransomware; arranging for an external team of experts to monitor the security of the TCC Group's terminal devices by employing Managed Extended Detection and Response (MxDR).
  9. Establishing an encryption system for confidential and sensitive information to protect core business information and prevent hackers from stealing trade secrets and causing disruptions to the TCC Group's business operations.
  10. Implementing strict controls over the external file transfer channels, including portable devices (such as USB), cloud storage services, communications software, file transfer protocol (FTP), and mail delivery mechanisms.
  11. Establishing and maintaining network-related security measures, including firewall rules, remote access security configurations (VPN), intrusion detection and prevention mechanism, web application firewall (WAF) and online behavior monitoring tools to reduce the risk of external threats and hackers.
  12. Reviewing the audit logs of core systems and equipment regularly to identify any internal or external abnormal access.
  13. Implementing standard procedures for responding to and reporting information security incidents so as to appropriately handle any and all information security incidents and contain any potential damage therefrom.
  14. Conducting regular internal and external audits to monitor the implementation of the information security system and to take corrective and preventive measures for any issues found during the audits.

6. Implementation of Information Security Measures in 2021

  1. Conducted three rounds of education and training sessions on information security awareness and controls where approximately 300 employees of the TCC Group participated.
  2. Conducted one drill on switching to an off-site backup system, two vulnerability scans, and two drills on responding to social engineering attacks to strengthen the employees' information security awareness and incident response capability.
  3. Established a protected area for confidential and sensitive information to safeguard the TCC Group's intellectual properties by setting up a segregated storage space for design and R&D materials as well as personal data, and granting access thereto based on individual personnel's duties and responsibilities.
  4. No major information security incidents occurred in 2021.
  5. Passed the external auditor's review and maintained the validity of the ISO 27001:2013 certificate on information security in December 2021.
  6. Appointed the Chief Information Security Officer and created a dedicated information security taskforce (consists of an information security supervisor and two information security specialists). The dedicated information security taskforce is responsible for designing the overall structure of the information security systems, operating, maintaining and monitoring the information security systems, responding to and investigating any and all internal and external incidents involving information security, and reporting regularly to the Chief Information Security Officer, who reports to the chairman of the board and general manager of the Company.

7. Relevant Policies and Certifications

  1. The TCC Group has promulgated the Information Security Policy, which can be found on the TCC's website (Investors → Corporate Governance → Important Internal Regulations).
  2. The TCC Group has received the following two information security-related certificates: