Information Security Management

Cybersecurity Maturity

To effectively manage the adjustments and enhancements made to the cybersecurity strategy and cybersecurity defense system of each subsidiary, ASEH began implementing the NIST CSF maturity assessment mechanism in partnership with third-party consultants in 2019. The overall maturity level in cybersecurity was assessed based on five key indicators: Identify, Protect, Detect, Respond, and Recover. We have been gradually shifting our focus to refining and deepening our cybersecurity requirements. Each factory site can undertake individualized cybersecurity enhancements based on their own maturity assessment results and recommendations for improvement. We benchmark ourselves against the semiconductor industry and vow to understand our own cyber environment better. We assess the risks that impact each subsidiary in different cybersecurity areas, countries, or operations and consolidate resources to provide better guidance and support. Our goal is to implement and continuously improve the foundational cybersecurity management across businesses. In 2022, we proceeded with the last year’s maturity assessment mechanism and continued to collect data on individual subsidiary’s current cybersecurity management and control as well as cybersecurity frameworks and policies regarding NIST CSF’s five assessment dimensions. In addition, driven by the digital transformation, the convergence between IT and OT is becoming increasingly close. In particular, the scope of horizontal implementation is extending from IT to OT with the goal of aligning the cybersecurity maturity of OT closer to that of IT. This approach is adopted to gradually enhance the cybersecurity defense capabilities of critical operational systems within the company.

Cybersecurity Risk Identification and Management

ASEH commissions a professional third-party unit annually to conduct regular cybersecurity audit and assessments such as external audit, vulnerability scanning, and penetration testing to ensure that information system and the internet environment comply with safety standards. We strictly enforce cybersecurity policies and implement client privacy protection measures toavoid the unauthorized disclosure of the company’s confidential business information and client data. In the event of unforeseen external cybersecurity attacks, the cybersecurity team will convene immediate platform technical exchanges and response meetings to analyze and review relevant responses and defense measures, constructing a comprehensive defense network capable of information synchronization.

To respond to the emerging trends of digital transformation, in addition to continuously improving information technology (IT), we are also gradually transferring our IT cybersecurity experiences to operational technology and initiating phased planning and implementation of cybersecurity assessments in the OT domain. Through assessments and testing conducted by external experts,potential cybersecurity threats and risks in the OT environment can be reduced.OT cybersecurity assessments were completed at 4 four facility sites in 2023.

In addition to managing operational risks from the perspective of corporate governance, we try to increase employees’ cybersecurity awareness and enhance organizational operational capabilities as part of our focuses in cybersecurity management. All employees at ASEH must receive PIP cybersecurity educational training, including cybersecurity policy,cybersecurity management framework, cybersecurity control measures, etc. In 2023, a total of 110,123 individuals completed 53,862 hours of training courses. Additionally, occasional social engineering email drills were conducted to enhance employees' awareness of social engineering attacks through emails. Additionally, we will gradually introduce systematic management mechanisms to incorporate participation in cybersecurity meeting, educational training, incident management, confidential file labeling, antivirus/software security, and other cybersecurity-related projects in a systematic manner. Moreover,KPI monitoring and audits are conducted, extending the scope of management, and reaching every employee and every endpoint device. This will be integrated with employees’ performance to reduce penalties and legal liabilities resulted from violations against cybersecurity regulations, as well as the impacts on business operations.

Increasing Cyber Resilience

There were no serious cybersecurity incidents in ASEH in 2023. In addition to constructing a cybersecurity incident classification system and reporting/response procedures, we also conduct a cybersecurity incident drill annually to ensure fast responses in the event of incidents, reduce risks, and minimize the scope of damage. We also established the ASEH Information Security Management System to incorporate two major functions, cybersecurity information and cybersecurity incident reporting, to facilitate real-time acquisition,dissemination of cybersecurity information, and efficient handling of security incident reporting. Our goal is to gain a comprehensive understanding of the risk landscape, enhance the response and defense capabilities in the event of information security incidents, and establish a cross-functional cybersecurity collaborative defense mechanism. Furthermore, as cybersecurity risks have posed serious challenges to the company, ASEH purchased cybersecurity insurance as a backend defense mechanism. The insurance covers ASEH and its subsidiaries and allows ASEH to take immediate response measures and manage relevant damage when cybersecurity incidents occur. With the insurance coverage, we aim to reduce potential cybersecurity losses for ourselves, clients, and suppliers and facilitate the rapid restoration of normal business operations.

To ensure the sustainable operations of important businesses and prevent interruption of critical information systems as a result of material cybersecurity incidents, we conduct an incident recovery drill every six months which lays out the organizational structure diagram, scope, duration, critical information systems, participating units, participating personnel and their assigned tasks, backup personnel for the drill, implementation steps and processes of the drill, required resources, data recovery from backup, risk management during the drill, post-drill review and improvement processes, among others. The purpose is to ensure the company can leverage disaster response capabilities and disaster recovery mechanisms to quickly restore operations to a normal or acceptable level for the business, achieving the goal of uninterrupted operations of critical information systems. The drill will continue to be implemented to provide maintenance, management, and training to ensure the effectiveness of the backup systems.

Information Security Information Exchange

ASEH works closely with government agencies, local and international information security organizations including FIRST, Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), and High-tech Information Security Alliance. As a member of the SEMI Semiconductor Cybersecurity Committee, we are actively driving the industry’s adoption of SEMI E187 – Specification for Cybersecurity of Fab Equipment, a Taiwan-initiated security standard. Adopting the relevant infosec regulations, standards and industry intelligence allow us to integrate our internal management systems and expertise, to develop a comprehensive set of capabilities that will further strengthen our resilience.

At the same time, we are committed to meeting the expectations from our upstream and downstream supply chains and stakeholders on matters related to information security. ASEH’s strong and robust security defense leads to a tightly-secured smart manufacturing environment and increases the company’s competitive advantage as a sustainable enterprise.

ASE Kaohsiung and the Kaohsiung division of the Ministry of Justice Investigation Bureau (MJIB) have signed a memorandum of understanding (MOU) on advancing information security resilience including the focus on trade secret protection and intelligence sharing. The MOU underscores both ASEH and the ministry’s ambition to enhance bilateral cooperation and risk assessment through the mutual exchange of infosec expertise as well as to explore the latest cybersecurity technologies and defense strategies together. The MOU also marks an important milestone on the collaboration between businesses and government agencies to strengthen corporate digital resilience, and build prompt and effective responses to cyber threats and attacks. These efforts will help to shape a more secure digital ecosystem at ASEH, and protect our precious corporate assets.

Supply Chain Cybersecurity Management

The digitization of the supply chain and the exchange of large volumes of data, have increased cybersecurity risks along the supply chain. In 2022, ASEH established the Supplier Cybersecurity Assessment System, which primarily focuses on critical suppliers and follows a four-step process –current situation, guidance for improvement, results confirmation, and follow-up evaluation. A total of 76 supplier cybersecurity assessments were conducted in the year, following. The scope of assessments will be gradually expanded and follow-up evaluations conducted every three years. We aim to construct a comprehensive cybersecurity management mechanism that provides stability for business operations, strengthens cybersecurity resilience, and raises the cybersecurity standards of the semiconductor industry.