Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Our Audit and Risk Committee of the Board is responsible for the oversight of risks from cybersecurity threats, including reviewing periodic reports from the head of Global Security Management function relating to our information technology and security matters, including any cybersecurity incidents, assessment of new and emerging cybersecurity risks and threats and their proposed improvement measures. Based on such reviews and their discussions with the head of Global Security Management function, our Audit and Risk Committee assists our Board to review, assess, and enhance the adequacy and effectiveness of our cybersecurity policies and procedures on an ongoing basis.

The head of our Global Security Management function assesses and manages the cybersecurity risk and reports to the Audit and Risk Committee. Our head of Global Security Management function has over 30 years of experience in cybersecurity and other professionals in our Global Security Management function have cybersecurity experiences or certifications. Our Global Security Management function regularly assesses the threat landscape and takes a holistic view of cybersecurity risks. We have implemented and continually

updated

rigorous cybersecurity measures to assess, identify and manage cybersecurity risks and to prevent and minimize harm caused by cybersecurity attacks. Such measures mainly include:

•

building a defense shield on the cloud that includes adopting advanced cloud solution against distributed

denial-of-service

(“DDoS”) attacks, implementing domain name system (“DNS”) service on secure cloud platform, securing internet access by cloud solution, and enhancing phishing mail defense;

•

certifying office computer security compliance and installing advanced malware defense solutions for critical computers and servers;

•

enhancing data center security by sunsetting insecure protocols, conducting network port security scans and enhancing server security hardening;

•

reviewing and enhancing fab and facility zone security controls;

•

improving software security by implementing security scanning and conducting effective vulnerability management and penetration tests; and

•

enhancing internal security assessment automation and conducting external red team testing and practicing responses to ransomware attacks.

To reduce supply chain risks, we collaborate with major suppliers to improve their security measures, share industry security events and best practices on demand and by schedule and conduct supplier security onsite audit. In 2024, we organized a cybersecurity workshop for suppliers, sharing network security defense solutions and practices. Nearly 800 participants from close to 500 suppliers attended the workshop, which received high recognition from the suppliers. Moreover, we have collaborated with Semiconductor Equipment and Materials Institute (“SEMI”) to set up a Semiconductor Cybersecurity Committee to promote security standards (SEMI E187) as well as security assessment methodology for improving the resilience of semiconductor supply chain. We also joined Semiconductor Manufacturing Cybersecurity Consortium (“SMCC”), which focuses on important cybersecurity topics and seeks to find solutions that will benefit the entire industry. Also, as we employ certain third-party service providers to help us and our affiliates worldwide conduct risk assessment, security defense testing and vulnerability scanning, we require such third-party service providers to strictly fulfill the confidentiality and/or internet security requirements in our service agreements.

To our knowledge, as of the date of this annual report, there is no material risk from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operation or financial condition.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The head of our Global Security Management function assesses and manages the cybersecurity risk and reports to the Audit and Risk Committee.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our head of Global Security Management function has over 30 years of experience in cybersecurity and other professionals in our Global Security Management function have cybersecurity experiences or certifications.