Information Security Policy

To strengthen information security protection and management mechanisms, TYC has established a dedicated information security unit, staffed with appropriate professional personnel and resources. The Company has formulated information security policies, management procedures, and standards, and implements risk control measures to achieve its information security management objectives. 

TYC is committed to safeguarding the interests of its stakeholders by strengthening information and communications security management systems, enhancing technical safeguards, and protecting sensitive information.  These efforts are aimed at safeguarding the interests of customers and business partners and maintaining the Company's competitiveness.


Purpose:

By ensuring the security of its data, systems, equipment, and networks, the Company strengthens its information security management and operates as a secure and trustworthy global intelligent automotive lighting manufacturer to safeguard the interests of customers and partners.

In accordance with applicable laws and regulations, including the "Regulations Governing Establishment of Internal Control Systems by Public Companies," the "Guidelines for Information and Communications Security Controls for TWSE/TPEx Listed Companies," and the "Personal Data Protection Act," TYC Brother Industry Co., Ltd. (hereinafter referred to as "the Company") hereby establishes this policy for all employees and stakeholders to follow.


Objectives:

To promote enhanced information security management across all units and foster the concept that "Information Security is Everyone's Responsibility," the Company aims to reduce the likelihood of security incidents, and control the impact of such incidents within an acceptable level. 

The Company will comprehensively strengthen its business continuity management and information security resilience to ensure stable and reliable business operations, and protect the interests of customers and partners.


Scope:

■  This policy applies to the security management of the Company’s information assets, including confidentiality, integrity, and availability.

■  All employees, suppliers, contractors, consultants, temporary workers, customers, and other third parties involved in the Company’s information operations or data usage shall comply with this policy.


Principles:

■  All information security management standards and procedures shall comply with applicable government laws and regulations (e.g., Criminal Code, National Security Act, Patent Act, Trademark Act, Copyright Act, Personal Data Protection Act, and the Information Security Control Guidelines for Listed Companies, etc.).

■  Establish an information security governance organization and clearly define its responsibilities and authorities to promote, maintain and audit information security management.

■  Formulate information security policies and procedures to protect the confidentiality, integrity, and availability of personnel, data, information systems, equipment, and networks.

■  Convene information security management meetings regularly to review the latest developments in internal/external risks, technology trends, and business requirements, and to adopt corresponding countermeasures.

■  Conduct regular information security inspections and audits to assess risks within the information environment and implement continuous improvements.

■  Deploy information security protection systems and monitoring equipment to continuously enhance the overall security of the information environment and mitigate security risks.

■  All systems and data access must be properly authorized. Access rights shall be granted based on the principle of least privilege required for business operations.

■  Establish appropriate data backup and disaster recovery mechanisms for information systems, and conduct regular emergency response and recovery drills to strengthen service resilience against threats.

■  Establish response and reporting procedures for information security incidents to improve internal capabilities for responding to and coordinating unexpected situations.

■  Conduct regular information security education and training to continuously enhance employees' information security awareness.

■  All employees and stakeholders share responsibility for maintaining information and communications security and shall comply with relevant security management requirements.


Key Focus Areas for Information Security Management and Execution:

To prevent and reduce information security risks, the Company implements and continuously updates robust security measures, such as deploying advanced virus scanning tools to protect factory equipment from infection; strengthening network firewalls and access controls to prevent viruses from spreading across machines and plants; installing antivirus protections and advanced malware detection solutions on company computers; and improving security deployment timelines to strengthen data center security. 

In addition, the Company establishes and regularly reviews information security performance indicators; introduces new technologies to enhance data protection; strengthens phishing email detection and regularly conducts employee awareness tests. The Company also leverages AI technologies to build an integrated and automated security operations and maintenance platform and enhance automation of incident detection and response. Cybersecurity incident response procedures are continuously tested through regular drills, and external experts are engaged to conduct periodic information security assessments.


Annual information security implementation priorities:

1. Network security management

2. Asset management and data protection

3. Access control

4. IT operations and maintenance security

5. Personnel and physical security

6. Application security

7. Information security incident response and management

8. Supply chain security

9. Personnel information security management and awareness training

10. Internal/external security assessments and risk management


Information Security Incident Handling and Reporting:

The Company has established an enterprise risk management mechanism and standard procedures for information security incident handling. These procedures clearly define incident reporting procedures; the designation of responsible personnel to handle major information and communications security incidents; the assessment of potential losses and necessary response measures; and the evaluation of the possible impact of information security risks on the Company's financial condition and operations, along with corresponding mitigation and remediation measures.


Information Security Organization:

The Company has established a dedicated information security unit, the "Information Security Systems Center," which is responsible for overseeing and implementing information security operations. Its key responsibilities are described below:


Mission and Responsibilities

Management System and Compliance
■  Establish information security policies, management procedures, planning, and strategic roadmaps that comply with audit and information security regulatory requirements.
■  Monitor and verify the effectiveness of information security controls to ensure the sustained and effective operation of the information security management program.
■  Continuously track domestic and international information security compliance requirements and update the management systems accordingly.

Project Management and Outsourcing Management
■  Build information security best practices in response to the needs of business units.
■  Support digital forensics activities and legal and regulatory compliance requirements.
■  Coordinate cross-departmental information security matters and communicate and promote information security management requirements.

Information Security Risk Management
■  Lead and promote risk assessment of information assets to identify potential risks and requirements.
■  Define and manage information security risk management processes.
■  Provide risk consulting services and risk management solutions to business units in compliance with information security risk management policies and procedures.

Security Solution Evaluation
■  Assist in the selection and evaluation of information security products and solutions.
■  Provide professional technical research and consulting services on information service security and related solutions.

Security Review and Supervision
■  Review and verify the effectiveness of information security execution.
■  Evaluate corresponding information security risks and applicable control measures in line with corporate strategy and regulatory requirements.

Security Monitoring
■  Define, adjust, and plan audit trail retention for infrastructure and application systems.
■  Monitor and analyze logs, and investigate and respond to suspected abnormal behaviors.

Threat and Vulnerability Management
■  Collect and manage intelligence on external cyber threats and internal system vulnerabilities.
■  Establish vulnerability management service procedures for IT infrastructure and applications.

Incident Response Management
■  Monitor and provide feedback on information security incidents, including collecting incident-related information for monitoring operations, summarizing suspected risks, and proactively reporting incidents.
■  Plan and conduct cyber attack and defense drills (red/blue team exercises), track results, and implement continuous improvement actions.

Digital Forensics
■  Collect records of abnormal activities to support forensics needs.
■  Collect, analyze, and preserve forensic data.
■  Produce periodic reports.

Information Security Audit (task-force approach may be adopted)
■  Inspect and review the management effectiveness of the Information Security Management System and all control measures.
■  Plan and execute information security audit programs (including internal, external, and third-party audits), issue audit reports, and track corrective actions.

Security Education and Promotion
■  Guide information security activities of each unit to ensure compliance with information security policies and procedures.
■  Plan and conduct information security awareness and education training programs.
■  Execute the Information Security Management System and all control measures.
