Information Security

SDGs: 12, 16

Information Security Policy



BenQ Materials has established a secure and trustworthy computerized operating environment to ensure the security of data, systems, equipment, and networks, as well as to maintain uninterrupted operations. (For details, please refer to the Information Security Policy.) The "Information Security Policy and Procedures" were developed in accordance with the Cybersecurity Management Act, Personal Data Protection Act, Copyright Act, and Electronic Signature Act, and are based on international information security standards such as ISO 27001.


Information Security Management Policy:

1. Strengthen the company's information security management to establish reliable information application systems.
2. Protect electronic information assets to prevent and mitigate business losses.
3. Enhance business interests and ensure sustainable corporate operations.

Information Security Management Objectives:

1. Protect the security of the company's information services and ensure that information is only accessible to authorized personnel to maintain confidentiality.
2. Protect the security of the company's information services by preventing unauthorized modifications to ensure accuracy and integrity.
3. Establish a business continuity plan for information services to ensure uninterrupted operations.
4. Ensure that all company information services comply with relevant laws and regulations.

 

Information Security Management Committee Organizational Chart



In 2021, BenQ Materials established the Information Security Management Committee and appointed a Chief Information Security Officer (CISO) along with an Information Security Representative (Dedicated Security Manager) to strengthen its information security management framework.

To respond to evolving cybersecurity trends and comply with policies set by the Financial Supervisory Commission, the company holds at least one annual review meeting on information security management. In 2023, the role of CISO was officially instituted. In April 2024, the company further enhanced its cybersecurity governance by expanding the organizational structure of the IT department into the Digital Technology Center and establishing a dedicated cybersecurity unit—Information Security Section. This section is staffed with a dedicated security manager and one additional full-time security staff member. It operates under the Digital Technology Center and also encompasses the Smart Application Division and the Machine Vision Division of the Advanced Equipment
 



Information Security Management System

 

To ensure proper protection of information assets, BenQ Materials implements risk assessment procedures and establishes and enforces relevant regulations to determine the risk level of its information assets. Based on the results of these risk assessments and internal meetings, the company determines appropriate treatment measures—such as risk mitigation, transfer, elimination, or acceptance—to effectively manage risks.

BenQ Materials obtained ISO 27001:2013 certification in 2021. To further enhance the comprehensiveness of its information security management system, the company adopted the ISO 27001:2022 standard in 2024 and successfully passed the updated certification in 2025.

The scope of ISO 27001 certification covers major production sites in Taiwan and Mainland China, as well as key systems such as ERP, FEOL MES (Front End of Line Manufacturing Execution System), and FlowER (Business Process Management System). In 2024, beyond these data centers and systems, the company extended ISO 27001 principles to the Smart Application Division and the Machine Vision Division of the Advanced Equipment Development Department.

 

Information Security Risk Assessment


BenQ Materials, in accordance with its Information Security Risk Assessment and Management Procedures, defined the risk levels for Taiwan and Mainland China in 2022 and developed improvement plans for high-risk items. In 2023, the company conducted a reassessment of the information security systems in both Taiwan and Mainland China, completing the evaluation in the third quarter. Two higher-risk issues were identified and incorporated into the company's risk management operations, with improvement plans initiated in 2024.


 

Information Security Management Measures

 
Hardware Protection
• Equipment Inspection: Maintenance contracts are signed with vendors for important systems and equipment, and regular inspections of equipment status are conducted.
• Establish Data Backup Mechanism: A backup system has been set up, performing daily backup operations for servers and databases. In addition, a high availability (HA) mechanism has been established for important equipment.
 
Network Security Protection and Monitoring
BenQ Materials has established the "Website Information Security Management Inspection Guidelines." Since 2021, the company has conducted vulnerability scans and remediation for key system hosts and websites. In 2024, the scope of scanning was further expanded by increasing both the number and frequency of scans on network devices and system hosts to enhance overall system security strength.

• Security Protection: Quarterly vulnerability scans and remediation are conducted on systems and network devices. Systems must be updated before going online to prevent outdated versions from being scanned during scheduled assessments.
• Monitoring Mechanism: In 2023, security assessments were conducted on equipment, hosts, and networks. The scope included malware scans, event analysis and response, and firewall policy reviews. Improvement plans were proposed based on the findings and tracked for implementation.
• Incident Monitoring and Response: In 2024, the company introduced Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) systems for real-time continuous monitoring, critical server data collection, and advanced correlation analysis to detect and respond to suspicious activities on hosts and endpoints. Managed Detection and Response (MDR) services were also adopted to provide external professional support and 24/7 monitoring, enabling rapid threat detection and response, including pre-incident alerts and mitigation.

Information Security Incident Response Plan
Annual Disaster Recovery Drills: In 2024, BenQ Materials conducted a disaster recovery drill for the shipping cycle system to strengthen its disaster response capability and minimize potential losses in the event of an incident.

 
Information Security Education and Training
• Internal Training: Every October is designated as Cybersecurity Month at BenQ Materials. In 2024, the company conducted online cybersecurity courses for all employees and held dedicated cybersecurity seminars for mid- and senior-level managers. Awareness was further raised through posters and email announcements. Company-wide online cybersecurity training achieved a pass rate of 83%, while mandatory seminar courses for senior management saw a 78% pass rate. Efforts to improve participation and pass rates are ongoing through active promotion of relevant training.
• External Training: To enhance mid- and senior-level managers' awareness of cybersecurity risks, external consultants delivered a course on "Case Study and Incident Response in Cybersecurity" in 2024. Dedicated information security personnel also completed certifications including IEC 62443-2-1, ISO 27017 & 27018, and ISO 27001, ensuring cybersecurity concepts are embedded in daily operations.
 
Social Engineering Drills

Since April 2021, BenQ Materials has conducted monthly email-based social engineering simulations to educate employees on information security practices related to email usage. These exercises aim to reduce the risk of employees clicking on malicious emails and to strengthen awareness of email security.

In 2024, the drills were further enhanced by improving the realism of phishing emails and expanding participation to include subsidiaries. As a result of ongoing awareness campaigns and employee retraining, the click-through rate continued to decline during Q1 2024.


 

Group-Level Information Security Management

BenQ Materials has joined the cybersecurity governance structure of its parent company, Qisda, and complies with the corresponding security requirements. A cybersecurity maturity rating system has been established, and BenQ Materials, including its affiliated subsidiaries, is required to meet the parent company's cybersecurity evaluation standards, with continuous efforts made each year to enhance cyber resilience.
 
Supplier Information Security Management

In 2024, an information security risk assessment was conducted for the top 10 suppliers of each product business unit, covering a total of 71 suppliers. The purpose was not only to provide an external risk reference for the company but also to offer cybersecurity guidelines to suppliers to improve overall maturity and reduce potential risk exposure.
 
Supplier Information Security Evaluation

Each business unit ranked suppliers based on procurement amount and conducted self-assessments for the top 10. A total of 71 suppliers were subject to self-evaluation. The cybersecurity self-assessment guideline uses a weighted scoring system based on performance in various areas, with suppliers categorized as follows:

• Grade A+ (Excellent): Supplier has a comprehensive and effectively implemented information security management system; weighted score ≥ 90%.
• Grade A (Good): Supplier has a well-established information security management system; weighted score ≥ 80%.
• Grade B (Fair): Supplier has a basic information security management system in place; weighted score ≥ 60%.
• Grade C (Needs Improvement): Supplier lacks an implemented information security management system; weighted score < 60%.

The overall average cybersecurity rating for 2024 was 75.6 points, categorized as Grade B (Fair), showing improvement from the previous year. Suppliers rated as Grade C (Needs Improvement) were provided with information security guidelines and recommended actions to strengthen their cybersecurity measures.
 
Cybersecurity Insurance Arrangement

Since December 2020, BenQ Materials has procured corporate cybersecurity risk insurance to cover expenses incurred from information security incidents, such as business interruption, incident response, and recovery costs. The coverage includes subsidiaries in which BenQ Materials holds a majority shareholding, thereby mitigating potential losses from security breaches. In 2024, the company continued its cybersecurity insurance coverage.
 
Information Security Planning

Governance and Policy Framework: The company aligns its cybersecurity policies with the ISO/IEC 27001 international standard and obtained ISO 27001 certification in April 2022. In 2024, the company adopted the updated ISO/IEC 27001:2022 version and successfully obtained the renewed certification in 2025. In parallel, the company established key cybersecurity performance indicators to continuously strengthen and improve its cybersecurity governance mechanisms and enhance its ability to respond to and recover from cybersecurity incidents.

Technology Implementation: In 2024, the company implemented Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and Managed Detection and Response (MDR) systems to strengthen access control and enhance real-time detection and response capabilities. In 2025, BenQ Materials plans to further align with the cybersecurity rating requirements of its parent company by deploying a Security Operations Center (SOC), Security Information and Event Management (SIEM), source code scanning, privileged account management, and sensitive data governance mechanisms.

Business Continuity Management: Under its Business Continuity Management (BCM) framework, BenQ Materials aims to expand cybersecurity response drills to all business units in 2025. The objective is to ensure that, in the event of a natural disaster or human-caused incident, critical operations can be sustained without disruption from information system failures. This will enable the organization to maintain a minimum acceptable level of operations under all circumstances and reduce the risk of existential operational failure.
 