Precision Governance｜Information Security

Nuvoton always explore new markets actively, continuously maintaining the profitability of the company's operations, and investing in strategic patent layouts. To ensure integrity in management and compliance with laws, it constantly monitors domestic and international policies and emerging risks that may affect the company. It regularly promotes the core values of integrity in management, establishes a robust corporate culture, and develops a sustainable new situation.

SDGS

SDG 9 Industry, Innovation and Infrastructure

100

Integrity management education and training

5.77

NTD

EPS

4954

Patents Granted

Accumulated approved patents globally

Operations and Governance

Climate Change

Business Integrity

ESG Risk Strategy

Information Security

Nuvoton has established the " Nuvoton Security Policy " and "Information Security Management Measures" to create a secure information management system and implement control measures. This ensures a safe information environment, protecting company and customer data from theft, cybercrime, industrial espionage, or other threats. Confidentiality agreements with partners and customers prevent unauthorized disclosure of sensitive information. Regular internal security audits ensure effective control measures. To reduce overall information security risks, Nuvoton enhances employee awareness with monthly security promotions and quarterly social engineering training.

In December 2022, we established the Chief Information Security Officer (CISO) position and formed a new dedicated information security unit—the Information Security Department. Its primary responsibility is to assist and lead the company in enhancing information security capabilities and maintaining the confidentiality, integrity, and availability of information systems, identities, and data. In 2023, to ensure our customers' confidence in collaborating with us, NTC implemented and validated the new ISO 27001:2022 International Information Security Management System certification (certificate validity:2027/07/01) in response to customer requirements. NTCJ acquired ISO 27001:2013 certification (certificate validity:2025/01/26) upon its establishment. Furthermore, due to its business in IC cards and automotive-related products, NTCJ has also obtained ISO/IEC 15408 and ISO/SAE 21434:2021 certifications.

2023 Information Security Risk Control Measures

Item	Specific Measures	Effectiveness in 2023
Enhancing Staff Awareness of Information Security	Monthly Information Security Awareness Campaigns Quarterly Information Security Education and Training (Social Engineering Training) Annual Personal Data Protection Education and Training Ad hoc Information Security Updates on Current Affairs or Major Events	NTC Social engineering education and training courses conducted 4 times Cybersecurity awareness conducted 12 times All employees received information security training, with a completion rate of 98% NTCJ Cybersecurity awareness: Conducted 6 joint morning meetings, published training materials 6 times, held 9 cybersecurity promotion committee meetings, and published meeting records All employees received information security training with a completion rate of 100%
Information Security Monitoring and Handling of Anomalous Events	Provide monitoring records and analysis reports weekly Hold weekly information security monitoring meetings to discuss events and take response measures	Strengthen notification mechanisms by automating antivirus alerts and abnormal logins to cloud services, enabling direct notification to the relevant parties for prompt resolution and faster response time No major cybersecurity incidents occurred in NTC and NTCJ in 2023
Weakness and Vulnerability Management	For on-premises servers, conduct quarterly vulnerability scanning operations and schedule regular maintenance shutdowns monthly Apply critical updates from Microsoft regularly For external services, monitor risks using the SSC cloud scanning tool	The average total score of the SSC cloud monitoring platform is > 90 points (Grade A), with a total of 51 risks remediated, including 13 high/critical risks
Identity Access Control	For cloud services, we utilize conditional access and multi-factor authentication, allowing access only to compliant devices and using specific programs For remote connections, we implement identity verification, multi-factor authentication, and device whitelisting, ensuring connection under specified conditions Regular password updates are conducted as well	For the information daily report on cloud login and remote access, analysis and investigation were conducted on unregistered devices and attempted login behaviors. No major incidents occurred in 2023
Physical Security Protection Code Security	Access to different areas is restricted based on employee roles, requiring the use of access cards for identity verification when entering each designated area	Complies with the access control security requirements of ISO 15408 Common Criteria international standard Nuvoton Japan has replaced the card reader and employee access cards
Code Security	The application department is required to conduct code security checks when launching new systems, external service systems, or major updates. High-risk code should be patched to enhance the security of the system upon deployment Regular updates to the code scanning database are performed to improve code detection efficiency	In 2023, a total of 13 new systems were launched, with a 100% improvement rate in fixing high-risk code issues. The program coverage for executing source code scanning was also 100%
Email security	Strengthen email server security configuration by setting up SPF to authorize mail sending hosts from our company, and implementing DKIM and DMARC settings to prevent email spoofing and tampering Utilize security add-ons for Outlook to check the recipient, body, and attachments when sending emails, in order to prevent the sending of erroneous emails	All emails must pass through a legitimate email server verification process, resulting in a 100% success rate for external deliveries Replaced with a new plugin containing additional features Nuvoton Japan utilizes the email monitoring feature of the IT equipment management tool (AssetView) to oversee the sending of inappropriate emails

Customer Privacy Protection

With the increasing cybersecurity threats, Nuvoton has implemented the ISO/IEC 27001 Information Security Management System in 2023 to ensure the protection of customer privacy and prevent theft or leakage of trade secrets and intellectual property rights. In addition to conducting regular internal control self-assessment audits, control points are established based on personnel, customer, and vendor data, with regular checks and records of control point execution. Annual review and audit operations are conducted to establish a comprehensive information security environment, aiming to prevent major incidents and penalties and maintain the reputation of the company and its customers.

Customer Privacy Protection Act

ISO 27001

Nuvoton regards customers as important strategic partners and strives to meet their needs and expectations. We also value the confidentiality and protection of customer information. Customer-related information, documents, and data exchanged with customers are strictly controlled and stored within Nuvoton's highly secure internal systems. We have also signed confidentiality agreements with important vendors or customers with whom we have dealings, requiring mutual protection of confidential information and prevention of the unauthorized disclosure of customer information, privacy, and trade secrets. Furthermore, we have established a more comprehensive information security protection system through the ISO 27001 Information Security Management System. In 2023, there were no reported cases of customer privacy infringement or loss of customer data.
Nuvoton Japan has published a privacy policy, which ensures obtaining consent from customers and business partners when handling personal information. When receiving or providing personal data to third parties, Nuvoton Japan adheres to the Personal Information Protection Act.

Privacy Protection Laws and Regulations

To ensure compliance with privacy protection laws, including the Personal Information Protection Act, the General Data Protection Regulation (GDPR) implemented in the European Union, and the California Consumer Privacy Act (CCPA) in the United States, Nuvoton Taiwan conducted "Personal Information Protection Act" training for all employees in 2023. The training content included an introduction to GDPR and Taiwan's personal data protection laws, with a 100% completion rate. Nuvoton Japan, on the other hand, published training materials on personal information, including GDPR, on the company's internal portal for easy access by all employees (e-learning format).

ISO/IEC 15408 Common Criteria

NTC obtained ISO/IEC 15408 Common Criteria EAL 4+ product security certification in 2014. The verification covers the stages of "Design & Development, Production, and Delivery" in the product lifecycle. This signifies that Nuvoton Taiwan's controls for product information security comply with the requirements of the international security organization Common Criteria. It enables the production of security products that meet international standards and protects customer information and assets.
NTCJ has also obtained ISO/IEC 15408 Common Criteria EAL 5+ product security certification in promoting IC card business.

Signing a confidentiality agreement

While enhancing customer service, we place greater emphasis on safeguarding customer privacy and intellectual property rights. We sign confidentiality agreements with customers to protect their confidential information and have established procedures for safeguarding confidential data, ensuring there is no risk of data leakage and properly protecting customer privacy.