In keeping with the GIGABYTE philosophy of “Upgrade Your Life”, corporate information security governance has been introduced to our continued pursuit of corporate sustainability. The Information Security Committee was set up to devise an information security policy and management framework that takes international standards, regulatory requirements, privacy protection, risk management, and crisis management into account. A total approach to information security management, planning, oversight, and execution has been put into place. The Committee also reports regularly to the President on information security management activities and the overall effectiveness of the management organization.

Governance Organizational Framework

Information Security Policy

  1. Information security management rules are reviewed and updated every year in accordance with international information security standards (NIST Cybersecurity Framework) and domestic/overseas information security regulations.
  2. Ensure the Confidentiality, Integrity, and Availability of information so that it can be applied to the planning, management, and execution of Group business targets in a secure, proper, appropriate, and reliable manner.
  3. To continue providing customers with a safe and quality product experience, GIGABYTE must ensure that our information security management for R&D processes, product development, cloud services, and manufacturing supply chain all comply with our information security policy. The goal is the effective reduction of management risk and continued improvement to the overall maturity of information security.
  4. Conduct regular offensive and defensive information security drills, strengthen internal information security awareness through employee training, and implement information security throughout all processes.

Management Goal and Outcome in 2022

Management Framework

  • Information security management standards based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) were introduced across the board in accordance with our security policy. An information security management framework and Information Security Incident Response Team were set up to support identification, protection, detection, response, and recovery. These five core functions cover the entire information risk management cycle.
  • Establishment of high-security protection mechanisms and introduction of multi-factor authentication (MFA) to ensure information operations are secure and accurate while employees work from home during the COVID-19 pandemic.
  • Establishment of regulations on supplier cybersecurity risk assessment to help suppliers protect their information security, thereby strengthening our collaboration with suppliers on cybersecurity to bolster the competitiveness of the entire supply chain.

Information Security Drill

  • Conduct vulnerability scanning and penetration testing to systematically and comprehensively verify security defense capability.
  • Carry out a drill on information security incident notification and response to exercise the division of responsibilities and improve handling proficiency.

Information Security Training

  • In response to the rising number of BEC (business email compromise) incidents, build anti-fraud email protection measures into systems, conduct information security education and training for 711 employees, and implement social engineering drills 2 times, with a total of 4,795 person-times involved.

Information Security Incident

  • In 2022, no incidents of information security intrusion occurred, and neither customers, consumers, nor employees were affected.
  • One of the software suppliers discovered an information security vulnerability in December 2022. Following the announcement of the Information Security Bulletin, GIGABYTE immediately assisted our customers in updating their systems to improve their information security defenses. There were no significant losses for customers afterward.

Customer Privacy Protection

GIGABYTE respects the personal information and privacy of our customers. A Personal Information Protection and Management Committee is established in accordance with the government’s “Personal Information and Protection Act” to define and enforce the “Personal Information Protection and Management Regulations”. Proposals for making future improvements to personal information risks are also developed ad hoc to protect customer information. There were no leaks of customers’ personal information in 2022.

Privacy Protection and Management Regulations

GIGABYTE formulates a privacy policy that governs all Company operations, including suppliers and third-party service providers. All risk management measures are also reviewed to ensure they comply with the Company’s security policy and procedures. Compliance reviews include the periodic review and updating of the privacy policy to ensure that it is harmonized with the applicable laws and regulations and complies with the latest compliance requirements. We also continue incorporating industry best practices such as GDPR and CCPA into our privacy policy. For more information, please refer to the Privacy Policy.