Developer of Innovative Materials

Information Security and Customer Privacy

Material Topic: Customer Privacy and Information Security

Our business involves advanced knowledge and technology and so do our customers; therefore, protecting the privacy of our customers and maintaining a highly secured information environment are the cornerstones for securing our long-term competitiveness and sustainable operation.

Effect and Impact

【Actual positive effect】

Economic:
Proper management of corporate intangible assets earns customer trust and helps to maintain cooperative relationships.

【Potential negative effect】

Economic:
With frequent occurrences of cyberattacks and hacking incidents, a leakage of confidential information would undermine the Company's competitive advantage and may result in customer claims or regulatory penalties.

Policy and Strategy

  • Through management in eight major aspects, we impose rules from the source to the end to ensure the confidentiality, integrity and availability of our information and assets, thereby protecting them against intentional or accidental threats, both internal and external, and complying with applicable laws and regulations.

Goal and Objective

【Short-term goals (2024)】
  • Transition to ISO 27001:2022 (current version: 2013)
  • No litigation arising from customer privacy breaches and information security incidents
【Medium-term goals (2025-2027)】
  • Establish an information security incident management and tracking platform
  • Continuous implementation of personal data protection and management, and customer data protection
  • No litigation arising from customer privacy breaches and information security incidents
  • Ongoing ELN
【Long-term goal (2028~)】
  • Construct an automated information security system
  • No litigation arising from customer privacy breaches and information security incidents

Management Assessment Mechanism

  • Implement relevant risk management pursuant to ISO 27001, and perform stability assessment on critical internal systems.
  • Conduct information security audits of key customers and international certification systems for information security management.

2023 Goal and Achievement

【Established the position of CISO at the level above Vice President】
  • Achieved. The Company has established the position of CISO at the level above Vice President.
【Transition to ISO 27001:2022 (current version: 2013)】
  • Unachieved. CISO will lead the Information Security team to complete the transition to ISO 27001:2022 in 2024.
【No litigation arising from customer privacy breaches and information security incidents】
  • Achieved.

In addition, we achieved a system stability of 99.996%, passed the information security audits of key customers again, and obtained the ISO 27001 certification for eight consecutive years in 2023. Also, the Group's information security was rated A (excellent) by the SSC, an external information security specialist.

Prevention or Remedy Measure

  • The Intangible Asset Security Committee regularly reviews the effectiveness of various information security procedures in order to enhance or strengthen relevant management mechanisms and prevent information security risks.

Information security risk management organization

With the development of information technology and smart manufacturing, modern enterprises rely extensively on information systems. In order to maintain corporate governance and reduce operational risks, we established the “Intangible Asset Security Committee” in 2015, in which the heads of legal affairs, information, human resources and other units carry out cross-departmental communication and coordinate the planning of the Group's information security policy, information security risk management framework, specific action plans and required resources.

As an R&D-oriented company, Taiflex engages in numerous collaborative projects and exchanges with customers. Therefore, effective management of information security risks and protection of trade secrets are the measures by which we protect customer privacy. The Company took a further step and established the Information Security and Knowledge Management Division in March 2022 for the planning, implementation, and risk management of policies related to information security and trade secret protection. The CISO, together with the Information Security Officer, reports to the Board every year on information security issues and the effectiveness of the relevant governance.

Management measures in eight major aspects

Information security risk exists in every corner of business operations and involves daily business of each department. Therefore, we require 100% of our employees to sign the Employment and Service Commitment for them to be fully informed of their confidentiality obligations when they join the Company. Upon termination of employment, employees shall return information acquired during the employment and fully comply with the confidentiality obligations.

In order to build an information security culture within the Company, we have monthly promotion of CIPP and conduct annual assessment on the Taiflex confidential information protection standards to ensure all employees of the Company and its subsidiaries are aware of relevant standards. We also encourage employees to use the information security hotline: (07)813-9989#70110/e-mail: IT_security@taiflex.com.tw to report potential information security hazards immediately.

The Company has implemented management measures in eight major aspects to minimize information security risks and achieve the goal of protecting customer privacy. In 2023, the Company did not identify any major cyberattacks or security breaches, nor were there any actual or potential issues that may have a material adverse impact on the Company's operations.

Document Management

  • Establish a document management platform (DMP) and adopt file classification management.
  • Establish procedures for the retrieval and destruction of confidential documents and implement tracking and management measures.

Risk Management

  • Risk assessments and regular vulnerability scanning on computer facilities.
  • Regular disaster exercises and drills concerning cybersecurity.

Information Operation Security

  • Enforce password rules and deploy endpoint detection and response (EDR) software.
  • Set up remote and local backup/recovery services.

Device Security

  • Set up device security protection mechanisms (e.g., encryption), and monitor network and information access security.

Supply Chain Security

  • Units shall adopt the practice of signing non-disclosure agreements (NDAs) with suppliers.
  • Conduct supplier audits or visits to suppliers from time to time; use supplier audits (questionnaires) or online tools (SecurityScorecard) to understand the effectiveness of suppliers’ information security controls, thereby avoiding supply chain disruptions caused by information security incidents.

Premises Security

  • Implement controls over computers of guests/visitors as well as electronic devices, personal mobile phones and USB flash drives at production lines and laboratories.
  • Establish separate management mechanisms for office and restricted areas, implement access control at the computer room, and monitor abnormal events for review and continuous improvement.

Human Resource Security

  • All employees of the Company and its subsidiaries have signed the CIPP with a 100% signing rate.
  • Carry out cybersecurity education and training, and promote information security instructions company-wide.
  • Promote “Confidential Information Protection Policy” on the first day of each month to increase employees’ awareness of information security.

Information Security Assessment

  • The Company has obtained ISO 27001 Information Security Management certification for consecutive years.
  • Passed the information security audits of key customers with improvement measures.
  • Internal audits and self-assessments; the Company continues to carry out periodic vulnerability and threat analyses and reports to top executives for approval.

Continuous improvement of operational security

The Company introduced the ISO 27001 Information Security Management System (ISO 27001:2013) in 2016 and has been certified by external agencies for eight consecutive years, building the best security defense for the Company. The CISO is expected to lead the Information Security team to complete the transition to ISO 27001:2022 in 2024. With an effective information security management system, we ensure that all our information systems and digital assets can continue to operate in an environment that maintains confidentiality, integrity, and availability.

The Intangible Assets Security Committee has established an information security management framework with predictive capabilities and responsiveness. It regularly conducts the iterative process of PDCA to review the effectiveness of various information security operations within the Company. It continuously strengthens various information operation management mechanisms to ensure proper protection of our data and intellectual property, and prevent the theft of trade secrets by malicious individuals, thereby strengthening our competitive advantage to maximize the interests of our customers, shareholders and employees.

A former employee of Taiflex was involved in a criminal case related to a trade secret violation in 2021. The case was brought to trial in 2022 after the conclusion of investigations by prosecutors, and transferred to the criminal court of the Intellectual Property and Commercial Court in 2024. In view of the violation, our management measures have been adjusted as follows:

  • For the violation of the Company's confidentiality policy by using personal devices to duplicate confidential information of the Company: In addition to enhanced promotion of the rules on the use of information equipment and audits, employees are required to notify their supervisors as well as the legal and information security units immediately when they become aware of any violation.
  • For the former employee's improper acquisition of confidential information from another department in the capacity of a supervisor: We will strengthen control over files and system access. Checks on handover or irregularities shall be performed during job rotation. Also, we ask relevant supervisors to promote the need-to-know principle, and employees are required to notify their supervisors as well as the legal and information security units immediately when they become aware of any violation.