Excellence in Governance｜Information Security

Nuvoton always explore new markets actively, continuously maintaining the profitability of the company's operations, and investing in strategic patent layouts. To ensure integrity in management and compliance with laws, it constantly monitors domestic and international policies and emerging risks that may affect the company. It regularly promotes the core values of integrity in management, establishes a robust corporate culture, and develops a sustainable new situation.

SDGS

SDG 9 Industry, Innovation and Infrastructure

SDG 12 Responsible Consumption and Production

SDG 16 Peace, Justice and Strong Institutions

100

Integrity management education and training

0.52

NTD

EPS

5100

Patents Granted

Accumulated approved patents globally

Operations and Governance

Climate Change

Business Integrity

ESG Risk Strategy

Information Security

Nuvoton has established the "Nuvoton Security Policy" and "Information Security Management Measures," and implemented control measures accordingly to maintain a secure information environment, protecting Nuvoton and customer information from theft, cybercrime, industrial espionage, or other forms of harm and loss. Confidentiality agreements are signed with manufacturers and customers to mutually protect sensitive data and prevent the improper disclosure of confidential information. Furthermore, the Company carries out yearly internal audits in accordance with its information security internal control system, convenes regular meetings to manage information security, where it reviews and monitors enhancements in information security operations, and routinely conducts risk assessments for both internal and external stakeholder topics, such as customers, suppliers, employees, and regulatory bodies.

In December 2022, Nuvoton Taiwan established the dedicated Information Security Department, and it was upgraded to a division-level organization and renamed as Information Security Division in March 2024. It is mainly responsible for the group's information security governance, enhancing employees'data security awareness and information security, preventing the leakage of sensitive information, strengthening data security defense and threat detection capabilities, and integrating internal and external resources to implement information security risk management, in order to ensure the information security resilience and continuous operation of the Nuvoton Group. In 2024, to ensure customers that can collaborate with us with confidence, Nuvoton Taiwan implement the new version of the ISO 27001:2022 international information security management system in response to customer requirements. Nuvoton Japan also upgrade the certification to the new version ISO 27001:2022 in 2024. Additionally, due to its involvement in IC card and automotive-related products, Nuvoton Japan has obtained ISO/IEC 15408 and ISO/SAE 21434:2021 certifications.

Information Security Risk Control Measures

Item	Specific Measures	Achievements in 2024
Enhancing Staff Awareness of Information Security	Monthly Information Security Awareness Campaigns Quarterly Information Security Education and Training (Social Engineering Training) Annual Personal Data Protection Education and Training Ad hoc Information Security Updates on Current Affairs or Major Events	Nuvoton Taiwan Conducted 6 sessions of information security trainings. Nuvoton Japan Information security campaigns: Promoted information security in the morning meetings, distributing training materials, and announcing the Information Security Promotion Committee meeting minutes.
Information Security Monitoring and Handling of Anomalous Events	Provide monitoring records and analysis reports weekly Hold weekly information security monitoring meetings to discuss events and take response measures	In 2024, both Nuvoton Taiwan and Nuvoton Japan didn't occur major information security incidents or impacts.
Weakness and Vulnerability Management	For on-premises servers, we conduct quarterly vulnerability scanning , schedule regular maintenance on monthly basis, and apply critical updates from Microsoft regularly For external services, we employ Panorays cloud service to monitor cybersecurity risks	Nuvoton Taiwan The cybersecurity posture scored by Panorays cloud service is greater than 90 points averagely, 34 risks are mitigated including 19 high/critical risks.
Identity Access Control	For cloud services, we utilize conditional access and multi-factor authentication, allowing access only to compliant devices and using specific programs For remote connections, we implement identity verification, multi-factor authentication, and device whitelisting, ensuring connection under specified conditions Regular password updates are conducted as well	We enhanced user login notifications, where users receive real-time alerts for successful logins , users can confirm whether the login activity was performed by themselves. We added a notification for VPN login multi-factor authentication failure. If the user is aware of any abnormal activities upon receiving the notification, they can report it to the Information Security Division for handling.
Physical Security Protection Code Security	Access to different areas is restricted based on employee roles, requiring the use of access cards for identity verification when entering each designated area	Complied with the access control security requirements of the ISO 15408 Common Criteria international standard.
Code Security	The application department is required to conduct code security checks when launching new systems, external service systems, or major updates. High-risk code should be patched to enhance the security of the system upon deployment Regular updates to the code scanning database are performed to improve code detection efficiency	Nuvoton Taiwan In 2024, a total of 22 new systems were launched. The fixing rate for high-risk code was 100%, and the program coverage rate for source code scanning was also 100%.
Email security	Strengthen email server security configuration by setting up SPF to authorize mail sending hosts from our company, and implementing DKIM and DMARC settings to prevent email spoofing and tampering Utilize security add-ons for Outlook to check the recipient, body, and attachments when sending emails, in order to prevent the sending of erroneous emails	Nuvoton Taiwan All emails must pass through a legitimate email server verification process, resulting in a 100% success rate for external deliveries. Nuvoton Japan The security features of Outlook were updated.
Supplier information security management	Nuvoton Taiwan The supplier review schedule is planned on an annual basis, and suppliers are required to complete the supplier information security questionnaire quarterly according to the planned content. If the evaluation score falls below 90, suppliers will be asked to make mprovements, and the improvement status will be monitored. Nuvoton Japan Since 2022, information security checks have been performed on the supply chain, with ongoing partners being reassessed at least once a year, and guidance and improvement recommendations offered.	Nuvoton Taiwan In 2024, suppliers with scores above 90 accounted for 70%, and suppliers with scores below 90 accounted for 30% and 0% of the suppliers with scores below 90 made improvement. Nuvoton Japan Safety inspections were conducted on 28 suppliers in 2024.

Customer Privacy Protection

With the increasing cybersecurity threats, Nuvoton has implemented the ISO/IEC 27001 Information Security Management System in 2023 to ensure the protection of customer privacy and prevent theft or leakage of trade secrets and intellectual property rights. In addition to conducting regular internal control self-assessment audits, control points are established based on personnel, customer, and vendor data, with regular checks and records of control point execution. Annual review and audit operations are conducted to establish a comprehensive information security environment, aiming to prevent major incidents and penalties and maintain the reputation of the company and its customers.

Customer Privacy Protection Act

ISO 27001

Nuvoton regards its customers as important strategic partners and is committed to meeting their needs and expectations. We also place great importance on protecting customer confidentiality and information. All documents, data, and other business information exchanged with customers are strictly safeguarded within Nuvoton's internal high-level protection systems. Furthermore, all major vendors or customers who collaborate with Nuvoton are required to sign confidentiality agreements to ensure mutual protection of confidential information and prevent any leakage of customer privacy or trade secrets. Through the implementation of the ISO 27001 Information Security Management System, Nuvoton has established a more comprehensive information security protection framework. In 2024, Nuvoton did not receive any complaints regarding violations of customer privacy or the loss of customer data.

Privacy Protection Laws and Regulations

To ensure compliance with privacy protection regulations, such as the Personal Data Protection Act, the General Data Protection Regulation (GDPR) in the European Union, and the California Consumer Privacy Act (CCPA) in the United States, Nuvoton Taiwan conducted training on the Personal Data Protection Act for all employees in 2024. The training included an introduction to GDPR and Taiwan's Personal Data Protection Act, with a completion rate of 100%. In Nuvoton Japan, training materials on personal information, including GDPR, were published on the Company's internal portal (e-learning), allowing all employees to access them at any time.

Signing a confidentiality agreement

While enhancing customer service, we place greater emphasis on safeguarding customer privacy and intellectual property rights. We sign confidentiality agreements with customers to protect their confidential information and have established procedures for safeguarding confidential data, ensuring there is no risk of data leakage and properly protecting customer privacy.