As cybersecurity threats become increasingly complex, enterprises must continuously enhance their protective mechanisms to ensure the security and stability of their business operations. In 2017, the Group's IT Center implemented and obtained certification for the "ISO 27001 Information Security Management System." This achievement established the Plan-Do-Check-Act (PDCA) management process to fulfill the objectives and requirements of the management system. After the expiration of the original certificate in 2023, a new certificate was obtained, valid until July 19, 2026.
In 2024, information security management will continue to evolve towards a "Zero Trust" framework, which enhances identity verification, device security, and network isolation. By utilizing the People, Processes, Technology (PPT) model, we will enhance information security maturity and strengthen resilience through key measures, thereby ensuring the sustainable development of digital transformation and business operations.
Information Security Organizational Structure
Chicony Electronics has established an "Information Security Management Committee," chaired by the Chief Information Security Officer. The committee comprises unit supervisors and includes a total of 35 information security personnel. Regular meetings are held to review and assess the implementation status, with annual reports presented to the Board of Directors. The primary focus for 2024 was on strengthening system management regulations, upgrading network security, optimizing access control, and enhancing cloud applications. This ensures that information security aligns with both internal corporate requirements and international standards.
Information Security Management
To ensure the Company's information security and to mitigate potential associated risks, we have established a comprehensive information security management framework in accordance with international standards and best practices. This framework is based on the ISO 27001 Information Security Management System (ISMS) and the five core areas of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, thereby ensuring effective management of cybersecurity risks both internally and externally within the organization.
The Company conducts social engineering and recovery drills biannually, along with information security awareness training on a quarterly basis. Starting in June 2023, it has been further emphasized that all new employees are required to participate in online information security training and to sign a confidentiality agreement. In addition to certification training, information security personnel will also receive regular professional development training.
Furthermore, to understand industry dynamics, the Company has joined the Taiwan Computer Emergency Response Team and Coordination Center (TWCERT/CC), the Information Security Officer Alliance, and the Taiwan Chief Information Security Officer Alliance. This collaboration enables us to share information security intelligence and strengthen our overall information security defense and response capabilities.
5 Major Areas of Information Security and Key Measures
Results of Information Security Promotion
1. Revision of the Regulations for the Management of Computer Operation Cycles
- Optimize processes related to information system development, maintenance, operation, and access management to improve management transparency.
- Ensure that information security strategies align with ISO 27001 and the NIST cybersecurity framework to reduce operational risks.
2. Update the VPN System to Incorporate Multi-Factor Authentication (MFA)
- Enhance the security of remote work and access, preventing account theft and unauthorized access risks.
- MFA effectively reduces cybersecurity risks associated with password leaks and improves user authentication security.
3. Update Firewalls and Strengthen Cloud Application and Email Security
- Deploy next-generation firewalls (NGFW) to enhance intrusion detection and prevention (IDS/IPS), improving real-time response capabilities to network attacks.
- Enhance the integration and management of the cloud service platform while strengthening data protection mechanisms.
- Provide advanced threat protection to effectively guard against malicious emails, phishing attacks, and ransomware, ensuring secure corporate communications.
4. Continuous Improvement of Employee Information Security Literacy
- In 2024, all employees participated in a 1-hour basic information security training session.
- Two phishing social engineering drills were conducted, with a click rate of 7%. Employees who clicked were required to attend additional training and pass a test to ensure understanding of the Company’s information security policies. The goal for 2025 is to further improve and reduce the overall click rate to below 7%.
5. Information Security Protection and Offsite Backup Drills
Response and Management
Chicony prioritizes the handling of information security incidents, ensuring immediate response and damage control while actively implementing a management framework to maintain customer trust and stabilize business operations.
When an incident occurs, the response mechanism is promptly activated. The handling process includes response measures at both the network and system levels, while concurrently conducting forensics and preserving evidence. We place high value on information transparency and legal compliance. Upon an incident, stakeholders and the legal department are promptly notified for risk assessment, and material disclosures are made in accordance with government regulations. Internally, employee awareness is continuously reinforced. In case of anomalies, staff are instructed to disconnect from the network and shut down their devices immediately, and to seek assistance from the Group's IT Center to prevent further damage.
Information Security Incident Notification Process
Response to Material Information Security Incident in 2024
Personal Data and Privacy Protection
Chicony Electronics established the "Personal Data and Privacy Protection Policy" in 2025. The scope of protection covers the personal data of suppliers or customers' personnel, visitors (including website visitors), investors, contracting and litigation parties, job applicants, and users of products or services (collectively referred to as "Data Subjects"). Following the completion of the policy in 2025, education and training sessions were conducted based on its contents. A total of 189 employees received the training, with cumulative training hours reaching 94.5 hours.