Precision Governance｜Information Security

Nuvoton always explore new markets actively, continuously maintaining the profitability of the company's operations, and investing in strategic patent layouts. To ensure integrity in management and compliance with laws, it constantly monitors domestic and international policies and emerging risks that may affect the company. It regularly promotes the core values of integrity in management, establishes a robust corporate culture, and develops a sustainable new situation.

SDGS

SDG 9 Industry, Innovation and Infrastructure

100

Integrity management education and training

5.77

NTD

EPS

4954

特許

Accumulated approved patents globally

Operations and Governance

Climate Change

Business Integrity

Information Security

Nuvoton has established the " Nuvoton Security Policy " and "Information Security Management Measures" to create a secure information management system and implement control measures. This ensures a safe information environment, protecting company and customer data from theft, cybercrime, industrial espionage, or other threats. Confidentiality agreements with partners and customers prevent unauthorized disclosure of sensitive information. Regular internal security audits ensure effective control measures. To reduce overall information security risks, Nuvoton enhances employee awareness with monthly security promotions and quarterly social engineering training.

In December 2022, Nuvoton established a dedicated information security unit and appointed a supervisor to oversee information security-related operations and ensure the effectiveness of the company's information security and risk management mechanisms. To assure our customers of secure collaboration with us, Nuvoton Taiwan launched an ISO/IEC 27001 information security management system project in September 2023. This project organization is supervised by Nuvoton's president, vice presidents of various business groups, and center supervisors, with related unit supervisors and colleagues forming project teams. Actively implementing the information security management system, Nuvoton Taiwan completed "information asset inventory," "business continuity exercises," "risk identification and improvement," and "information security control mechanisms" in 2023.

Additionally, in terms of product safety, Nuvoton Taiwan has passed the ISO/IEC 15408 Common Criteria certification by the international security organization, proving that the production process complies with international standards as reliable security products, thus protecting customer information and assets. Facing the increasing threats of cyber hacker attacks and the use of more complex and advanced attack methods, Nuvoton Taiwan has evaluated the implementation of Endpoint Detection and Response (EDR) solutions to enhance the monitoring and protection capabilities against hacker activities and malicious attacks. This aims to accelerate threat detection and automated response mechanisms, analyze potential hacker activities, improve the efficiency of investigating and tracking hacker activities, and comply with information security control trends and compliance requirements. After completing the EDR solution selection and functionality verification, a phased implementation and deployment plan was carried out to gradually strengthen the group's overall depth defense architecture and the breadth and depth of threat detection, as well as enhance the response mechanism and speed to hacker attack activities. Nuvoton Japan's EDR endpoint protection solution was completed in 2023.

2023 Information Security Risk Control Measures

Item	Specific Measures	Effectiveness in 2023
Enhancing Staff Awareness of Information Security	Monthly Information Security Awareness Campaigns Quarterly Information Security Education and Training (Social Engineering Training) Annual Personal Data Protection Education and Training Ad hoc Information Security Updates on Current Affairs or Major Events	NTC Social engineering education and training courses conducted 4 times Cybersecurity awareness conducted 12 times All employees received information security training, with a completion rate of 98% NTCJ Cybersecurity awareness: Conducted 6 joint morning meetings, published training materials 6 times, held 9 cybersecurity promotion committee meetings, and published meeting records All employees received information security training with a completion rate of 100%
Information Security Monitoring and Handling of Anomalous Events	Provide monitoring records and analysis reports weekly Hold weekly information security monitoring meetings to discuss events and take response measures	Strengthen notification mechanisms by automating antivirus alerts and abnormal logins to cloud services, enabling direct notification to the relevant parties for prompt resolution and faster response time No major cybersecurity incidents occurred in NTC and NTCJ in 2023
Weakness and Vulnerability Management	For on-premises servers, conduct quarterly vulnerability scanning operations and schedule regular maintenance shutdowns monthly Apply critical updates from Microsoft regularly For external services, monitor risks using the SSC cloud scanning tool	The average total score of the SSC cloud monitoring platform is > 90 points (Grade A), with a total of 51 risks remediated, including 13 high/critical risks
Identity Access Control	For cloud services, we utilize conditional access and multi-factor authentication, allowing access only to compliant devices and using specific programs For remote connections, we implement identity verification, multi-factor authentication, and device whitelisting, ensuring connection under specified conditions Regular password updates are conducted as well	For the information daily report on cloud login and remote access, analysis and investigation were conducted on unregistered devices and attempted login behaviors. No major incidents occurred in 2023
Physical Security Protection Code Security	Access to different areas is restricted based on employee roles, requiring the use of access cards for identity verification when entering each designated area	Complies with the access control security requirements of ISO 15408 Common Criteria international standard Nuvoton Japan has replaced the card reader and employee access cards
Code Security	The application department is required to conduct code security checks when launching new systems, external service systems, or major updates. High-risk code should be patched to enhance the security of the system upon deployment Regular updates to the code scanning database are performed to improve code detection efficiency	In 2023, a total of 13 new systems were launched, with a 100% improvement rate in fixing high-risk code issues. The program coverage for executing source code scanning was also 100%
Email security	Strengthen email server security configuration by setting up SPF to authorize mail sending hosts from our company, and implementing DKIM and DMARC settings to prevent email spoofing and tampering Utilize security add-ons for Outlook to check the recipient, body, and attachments when sending emails, in order to prevent the sending of erroneous emails	All emails must pass through a legitimate email server verification process, resulting in a 100% success rate for external deliveries Replaced with a new plugin containing additional features Nuvoton Japan utilizes the email monitoring feature of the IT equipment management tool (AssetView) to oversee the sending of inappropriate emails

Information security education and training

Company	Personnel type	Training Topics	Content	Frequency	Total training hours	Training Completion Rat
NTC	General personnel	General Information Security Awareness	12 issues	Once a month	4	100%
		General Social Engineering Awareness	Understanding Phishing Emails and Social Engineering Techniques	Once a quarter	4	97%
		General Personal Privacy Protection	Personal Data Privacy Protection	Once a year	1	100%
	Product security personnel	Product Security	Product Security Training	At least once a year	6	100%
	Information security personnel	Product + General + Professional Courses	Information Security Technology and Related Regulations	At least once a year	8	100%
NTCJ	General personnel	Information Security Awareness	Familiarity with Information Security Risks and Risk Mitigation Measures	Once a year	0.2	100%
		Email Self-audit	Considerations when sending emails	Twice a year	0.5	100%
		Self-audit on the handling of "Company Mobile/Smartphones"	Implementation Overview and Issues	Once a year	0.2	100%
		Self-audit on the handling of "Laptop Computers"	Considerations for taking laptop computers out of the office	Once a year	0.2	100%
	Information Security Promotion Committee members	New Member Training	Basic Status of Information Security Promotion	Once a year	0.5	100%

Customer Privacy Protection

With the increasing cybersecurity threats, Nuvoton has implemented the ISO/IEC 27001 Information Security Management System in 2023 to ensure the protection of customer privacy and prevent theft or leakage of trade secrets and intellectual property rights. In addition to conducting regular internal control self-assessment audits, control points are established based on personnel, customer, and vendor data, with regular checks and records of control point execution. Annual review and audit operations are conducted to establish a comprehensive information security environment, aiming to prevent major incidents and penalties and maintain the reputation of the company and its customers.

Customer Privacy Protection Act

ISO 27001

Nuvoton regards customers as important strategic partners and strives to meet their needs and expectations. We also value the confidentiality and protection of customer information. Customer-related information, documents, and data exchanged with customers are strictly controlled and stored within Nuvoton's highly secure internal systems. We have also signed confidentiality agreements with important vendors or customers with whom we have dealings, requiring mutual protection of confidential information and prevention of the unauthorized disclosure of customer information, privacy, and trade secrets. Furthermore, we have established a more comprehensive information security protection system through the ISO 27001 Information Security Management System. In 2023, there were no reported cases of customer privacy infringement or loss of customer data.
Nuvoton Japan has published a privacy policy, which ensures obtaining consent from customers and business partners when handling personal information. When receiving or providing personal data to third parties, Nuvoton Japan adheres to the Personal Information Protection Act.

Privacy Protection Laws and Regulations

To ensure compliance with privacy protection laws, including the Personal Information Protection Act, the General Data Protection Regulation (GDPR) implemented in the European Union, and the California Consumer Privacy Act (CCPA) in the United States, Nuvoton Taiwan conducted "Personal Information Protection Act" training for all employees in 2023. The training content included an introduction to GDPR and Taiwan's personal data protection laws, with a 100% completion rate. Nuvoton Japan, on the other hand, published training materials on personal information, including GDPR, on the company's internal portal for easy access by all employees (e-learning format).

ISO/IEC 15408 Common Criteria

NTC obtained ISO/IEC 15408 Common Criteria EAL 4+ product security certification in 2014. The verification covers the stages of "Design & Development, Production, and Delivery" in the product lifecycle. This signifies that Nuvoton Taiwan's controls for product information security comply with the requirements of the international security organization Common Criteria. It enables the production of security products that meet international standards and protects customer information and assets.
NTCJ has also obtained ISO/IEC 15408 Common Criteria EAL 5+ product security certification in promoting IC card business.

Signing a confidentiality agreement

While enhancing customer service, we place greater emphasis on safeguarding customer privacy and intellectual property rights. We sign confidentiality agreements with customers to protect their confidential information and have established procedures for safeguarding confidential data, ensuring there is no risk of data leakage and properly protecting customer privacy.