Enterprise Risk Management

UMC is well aware that Cyberattacks may not only expose the Company to the risks of data leakage and ransom threats, but also interrupt the production system, causing serious operating losses or even damaging the reputation of the Company. Facing the ever-changing and diverse external threats, it is critical to strengthen corporate information security. Correctly responding to the changing environment with limited resources is an important task.

“Enterprise Information Security Committee” is responsible for information security management system planning, establishing and maintenance. The Independent Board Director Jyuo-Min Shyu oversees information security and cyber security strategy. Mr. Shyu was the Minister of the Ministry of Science and Technology and the President of Cloud Computing & IoT Association in Taiwan, and led multiple information security projects such as National Information & Communication Security Taskforce as Vice Chairperson and IoT Information Security SIG (Special Interest Group) initiation.

Senior Vice President TS Wu managing the Digital Function serves as the Chief Information Security Officer (CISO), who is responsible for establishing and maintaining the information security strategy and processes that protect information assets.

To effectively address the constantly evolving threats to information security, UMC has established and implemented the following policies to create a secure digital environment and comprehensively safeguard the Company's information security.

1. Establish information security management systems that comply with regulations, international standards, and customer requirements, and continuously improve security measures.
2. Develop an information security culture and enhance employee awareness to ensure everyone understands their responsibility and actively participates in security practices.
3. Protect confidentiality, integrity, and availability of information belonging to UMC and our customers.
4. Implement multi-layer defense measures, monitor and respond to information security threats in real-time, and provide a secure production environment.
5. Strengthen information security incident response plan and procedures to ensure business continuity.
6. Require third parties (suppliers) to meet UMC's information security standards.

• Enhance the security of networks, endpoints, and applications, improving detection and defense capabilities against suspicious behaviors.
• Implement multi-layered secure measures to enable early detection and block potential cyberattacks optimizing security and stability of information systems.
  
  

• Conduct regular information security system checks to identify and address potential risks.
• Establish cybersecurity incident response plans and conduct business continuity drills to ensure rapid escalation and recovery, minimizing impact of any incidents.
  
  

• Develop comprehensive information security management systems that comply with international standards such as ISO 15408 and ISO 27001.
• Utilize the Plan-Do-Check-Act (PDCA) cycle and annual recertification to continuously improve information security management processes.
  
  

• Adhere to information classification principles including “need to know” and “least privilege” to ensure the confidentiality, integrity, and availability of information.
• Manage information throughout entire lifecycle - from creation and usage to disposal – under proper authorization to prevent information leakage or other potential damages.

• Acquire information security insurance as a measure to manage risks and minimize potential losses.

• Conduct company-wide training and social engineering phishing tests to ensure that every employee recognizes the importance of information security and implements cybersecurity best practices in daily operations.

• Ensure all suppliers comply with UMC’s information security regulations.
• Participate in cybersecurity defense organizations, contributing to overall cybersecurity defense efforts and fulfilling corporate responsibility in protecting information security.