XML 23 R7.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity risk management is an integral part of our overall risk management program. Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the information security management committee established by the CSC. The information security management committee is responsible for overall information security across all subsidiaries. Our vice chairman, who has participated in yearly professional courses relating to information security, has been appointed the chair of the committee, which is dedicated to enhancing information security, preventing and mitigating information security threats and risks by developing strategic plans for information security, establishing benchmarks for information security maturity assessments, promoting information security risk management in our subsidiaries, and coordinating internal and external technologies, resources and information. Our chief administrative officer and chief corporate governance officer, who previously taught technology law at the college-level, has been appointed as the chief information security officer of the committee, and assumes responsibility for establishing the information security management framework that covers conducting regular reviews with all subsidiaries and implementing incident response plans. The information security management committee provides a status report to the board of directors in the last quarter of each fiscal year. Our cybersecurity team maintains numerous active industry-recognized cyber certifications, including Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and ISO 27001 Lead Auditor.
In addition, our Corporate CSR division, established under the CSC, is responsible for promoting and executing information security-related work across ASE, SPIL and USI Group entities, and each subsidiary appoints its information security team as members of the committee, tasked with implementing information security operations as resolved by the information security management committee. We hold quarterly information security management committee meetings to report and discuss the progress of our information security work and invite external experts to share insights on information security trends and topics of concern.
We set a threshold for material information security incidents by following relevant regulations promulgated by the FSC. On an annual basis, our cybersecurity team engages a third-party company to conduct regular cybersecurity audits and assessments, such as external audits, vulnerability scanning, and penetration testing to ensure that our network and information comply with safety standards. In addition to managing operational risks from the perspective of corporate governance, we prioritize elevating employees’ cybersecurity awareness and enhancing organizational capabilities. All employees are mandated to complete Proprietary Information Protection (“PIP”) cybersecurity educational training, including training covering topics such as policy adherence, management frameworks, and control measures. Additionally, periodic social engineering email drills have been conducted to enhance employees’ awareness of email-based social engineering attacks. We have gradually introduced management mechanisms to foster active participation in cybersecurity initiatives, such as cybersecurity meetings, educational trainings, incident management, confidential file labeling, antivirus/software security, and other cybersecurity-related projects in a systematic manner. Regular monitoring and audits serve as an extension of our management scope, with compliance integrated into our employees’ key performance indicators to mitigate risks such as penalties, legal liabilities, and disruptions to business operations.
 
In 2020, initiated by the information security management committee of the CSC, information security committees of our subsidiaries worked together to integrate and strengthen the information security protection of each subsidiary. The committees also set up an information security risk alert system, through which we could conduct on-site operational inspections to minimize information security risks by hiring third-party experts. In addition, our major subsidiaries have obtained ISO 27001 certification (for information security management system) and ISO 22301 certification to strengthen crisis management and disaster response. In addition, our Kaohsiung facility has been facing accelerating digital transition and is the first semiconductor assembly and testing facility in the world to receive the ISO 21434 international automotive network security standard certification and has passed the mobile communication security certification standard and obtained the GSMA certification. We also have established management procedures for the reporting and handling of information security incidents which allow employees to report any security incidents to ensure prompt handling that will be followed by efficient responses in order to mitigate information security risks. In addition, we conduct an annual disaster recovery drill to mitigate the risk of service disruptions caused by impacts from major crisis events to our information systems. All employees participate in our annual proprietary information protection training courses, which include training on information security policy, management framework, and control measures.
Furthermore, we employ third-party service experts to conduct an annual audit and review of our information security performance. In the event of a sudden external cyberattack, our on-site safety teams would immediately hold a meeting to share information and discuss responses and countermeasures; external experts would be invited to join the meeting to conduct reviews and analyses if necessary.
In addition to focusing on information security technologies and capabilities of the semiconductor industry and high-tech manufacturing, in 2021, we joined the SEMI to jointly develop and launch the SEMI E187 - Specification for Cybersecurity of Fab Equipment.
 
In terms of trade secrets management, we continuously train our employees to enhance the protection of trade secrets and mitigate the risk of infringement. Third-party service providers are required to strictly abide by our cybersecurity requirements, and are required to sign additional confidentiality or privacy agreements when necessary. Our management team provides regular reports to the board of directors on the progress of the management plan and its implementation, and sets forth improvement measures based on the board of directors’ recommendations at least once a year. We believe that our processes provide us with a comprehensive assessment of potential cyber threats, including those risks arising from threats associated with third-party service providers.
In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. While we actively take measures to manage information technology security risks, there can be no assurance that these measures will be sufficient to mitigate all potential risks to our system, networks, and data. For more information about these risks, see “Risk Factors – Cyber-attacks could harm our business, financial condition, and results of operations.”
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Cybersecurity risk management is an integral part of our overall risk management program.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our management team provides regular reports to the board of directors on the progress of the management plan and its implementation, and sets forth improvement measures based on the board of directors’ recommendations at least once a year.
Cybersecurity Risk Role of Management [Text Block] Cybersecurity risk management is an integral part of our overall risk management program. Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the information security management committee established by the CSC. The information security management committee is responsible for overall information security across all subsidiaries. Our vice chairman, who has participated in yearly professional courses relating to information security, has been appointed the chair of the committee, which is dedicated to enhancing information security, preventing and mitigating information security threats and risks by developing strategic plans for information security, establishing benchmarks for information security maturity assessments, promoting information security risk management in our subsidiaries, and coordinating internal and external technologies, resources and information. Our chief administrative officer and chief corporate governance officer, who previously taught technology law at the college-level, has been appointed as the chief information security officer of the committee, and assumes responsibility for establishing the information security management framework that covers conducting regular reviews with all subsidiaries and implementing incident response plans. The information security management committee provides a status report to the board of directors in the last quarter of each fiscal year. Our cybersecurity team maintains numerous active industry-recognized cyber certifications, including Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and ISO 27001 Lead Auditor.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the information security management committee established by the CSC.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our chief administrative officer and chief corporate governance officer, who previously taught technology law at the college-level, has been appointed as the chief information security officer of the committee, and assumes responsibility for establishing the information security management framework that covers conducting regular reviews with all subsidiaries and implementing incident response plans.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true