Fortifying Digital Resilience
In response to the growing cyber security threats around the globe, FENC established the Information Security Management System (ISMS) to achieve the information security objectives and minimize impacts brought by information security incidents.
As the business world becomes more digitalized, business activities and supply chain operations are growing more complex and sophisticated. Cybersecurity threats have therefore become one of the critical risks that could hinder corporate stability and sustainable competitiveness. Upholding business continuity and keeping risks controllable in volatile times has become a crucial task in corporate governance for the global community.
Driven by the urgency of information security governance, FENC established the Information Security Department in 2022 based on the Regulations Governing Establishment of Internal Control Systems by Public Companies and Information Security Control Guidelines for TWSE/TPEx Listed Companies. Headed by the Chief Information Security Officer, the department oversees organizational and systematic implementation of information security and risk control tasks, internalizing information security as part of the corporate governance and internal control framework, adding reinforcement to digital resilience and highlighting FENC’s deliberate attention and lasting commitment to safeguard information security.
Building a Resilient Information Security Organization
1. Information Security Department
On November 9, 2022, the Board approved the establishment of the Information Security Department to spearhead the implementation of information security tasks, such as indicator setting, performance tracking and information security protection and training, working in tandem with the Information and Technology Center on information security management.
Information Security Management Framework
2. Information Security Joint Defense Team and Committee
To implement and bolster information security, FENC established the Information Security Joint Defense Team and Committee. While the Information Security Department is in charge of the implementation and monitoring of information security as well as applications of new technology, an information security defense team is established under each unit to reinforce the defense shield. Units with such a team in place include the Corporate Staff Office as well as the Human Resources, Accounting, Finance, Legal, Secretarial, Shipping, Labor Safety and Health Departments under Corporate Management. Information security staff from each unit provide assistance in implementing information security tasks, creating an integrated interdepartmental shield against cyber threats. The Audit Department conducts internal audits over information security undertakings to ensure compliance with the internal control system as well as governmental regulations. The Information and Technology Center is in charge of the maintenance and repair of the information security facilities.
3. Establishing Information Security Sub-Committee of Far Eastern Group
In December 2023, FENC formed the Information Security Sub-Committee (ISSC) with multiple affiliates under Far Eastern Group (FEG), including Far EasTone Telecommunications Co. Ltd., Asia Cement Corporation and Far Eastern International Bank. Initiating its operation in 2024, ISSC is tasked with coordinating the joint defense of information security and resource allocation within FEG. ISSC also improves the overall defense by leveraging synergistic effects through policy exchanges, emergency support, incorporation of technologies and equipment as well as talent development.
Strengthening Information Security Management Mechanisms
1. Information Security Management System and Business Continuity Management
FENC and its overseas subsidiaries started incorporating the ISO 27001 Information Security Management System (ISMS) in 2014, establishing concrete management schemes regarding information authorization, data backup, system development, supplier management, and intellectual property rights. Since 2016, external third-party verifications have been conducted every three years. Given the rapid changes in the information security landscape, the Company proactively aligns with the latest international standards and completed the transition to the ISO 27001:2022 certification ahead of schedule in July 2024. The certificate remains effective until September 2028, demonstrating a high level of commitment to information security protection. The Company continues to implement the PDCA (Plan-Do-Check-Act) objective-based management cycle to advance its ISMS, while also striving to learn and adopt the NIST (National Institute of Standards and Technology) Cybersecurity Framework to strengthen network security.
Additionally, FENC has been implementing the ISO 22301 business continuity management system. In December 2023, FENC’s subsidiary, Shanghai Far Eastern IT Company, obtained the ISO 22301:2019 certification, which is valid until December 2026. Obtaining the certification requires the integration of the ISMS and business continuity management to create a comprehensive security and operational shield, which is a testament to FENC’s commitment to business continuity and information security.
2. Establish Information Security SOP
FENC joined Taiwan CERT/CSIRT Alliance (see note 1), SP-ISAC and Taiwan Chief Information Security Officer Alliance, and established the SOP for dealing with information security incidents. The SOP delineates applicable procedures and measures, including reporting proceedings and staff accountability. The goal is to eliminate information security incidents in the shortest possible time and establish correction and prevention plans accordingly. In 2024, there were no major information security incidents (see note 2) at FENC and no financial losses caused by information security incidents.
Note 1: CERT/CSIRT refers to Computer Emergency Response Team (CERT) and Computer Security Incident Response Team (CSIRT). SP-ISAC refers to Science Park Information Sharing and Analysis Center.
Note 2: A material information security incident is defined based on the frequently asked questions regarding the Taiwan Stock Exchange Corporation Procedures for Verification and Disclosure of Material Information of Companies with Listed Securities.
3. Implement Information Security Incident Reporting and Handling
Information security monitoring services have been incorporated to consolidate security logs from multiple sources, including the firewall, intrusion-detection system, anti-virus software system and end-point detection and response. The incidents are detected, collected, analyzed and managed to effectively avert potential cybersecurity threats. Information concerning data security is consolidated and managed to provide alerts before an incident, real-time warnings during it and analysis afterwards. The services ensure that a proper protocol is followed in the case of such incidents and minimize the harm and damage to the key information systems, assets and operations.
4. Implementing Supply Chain Information Security Management
To strengthen cyber resilience across the supply chain and build a safe and reliable cybersecurity network, FENC created the FENC Supplier Information Security Agreement based on the Cyber Security Guidelines for TWSE/TPEx-Listed Companies. The Company also performed a stocktake for its core systems and designed a rating matrix, classifying suppliers’ information security maturity according to the management, defense, detection and response capabilities as a reference for supplier management and risk control.
A monitoring system has also been adopted to observe supply chain information security, including risk rating and external exposure among external suppliers and partners, which enables the visualization and quantification of supply chain risks. Information security incidents or anomalies occurring at the supplier’s end immediately trigger FENC’s information security defense, which activates emergency response and monitoring for the entire duration of the incident to safeguard operational stability and cybersecurity.
Information Security Management and Training
1. Information Security Training
FENC actively invests in information security training to strengthen employee awareness. At the same time, system developers and managers are required to adhere to the standards governing system establishment and security management to reduce cybersecurity risks. To enhance the awareness and risk response capabilities among all employees, in 2025, FENC's Human Resources Development Center and dedicated information security units hosted 43 professional training sessions domestically and overseas. A total of 3,288 participations were recorded through diverse channels, including in-person, online streaming, and digital sessions. The information security courses are designed based on different organizational levels and business needs, offering customized content and case studies. Topics include cloud service security management, information security risks for emerging technologies, IoT information security controls, as well as information security risks at the operational level, effectively cultivating information security awareness among all employees.
2. Social Engineering Drills
As a measure to enhance employees’ ability to safeguard information security, FENC conducted phishing drills for 2,085 employees in 2025. The drills simulate actual network attacks to enhance risk response towards social engineering threats. The majority of the participating employees stayed alert towards the phishing emails and did not respond. However, a few did click on the link and provided personal information. Enhanced training was provided to improve their information security awareness.
Honing Cybersecurity Capabilities with Responsible AI
While ramping up the application of AI in operational and innovative initiatives, FENC also underscores the importance of responsible AI and governance among employees. On June 5, 2024, FENC enacted the Rules Governing the Use of Generative AI, specifying the principles for application as well as risk control and ethical requirements in order to keep the development of AI at FENC in line with corporate governance, regulatory compliance and sustainability goals.








