Zyxel Group is committed to optimizing cyber security, driving digital transformation, and creating a trustworthy and secure online world through technological innovation and close collaboration with key partners. As a major network communication company with information security software and hardware equipment and technical capabilities, and with the industry's most extensive and diverse information security solution portfolio, we have obtained ISO 27001 information security certification in the face of increasingly severe information security threats. We continue to strengthen the integration of network and information security and ensure product information security, while enhancing employee information security awareness, evaluating supplier information security and protecting the intellectual property security of customers and partners.
From 2020 to 2023, there were no significant cyber security incidents, no instances of confidential information leakage impacting customer and employee personal data, and no fines.
Material Issues Strategies and Goals

| Material Issue | Operational Influence | Promotion Strategy | Management Approach |
|---|---|---|---|
| Information security | The confidentiality of the information assets is ensured in compliance with the laws to gain customer trust | | |
Material Issues Strategies and Goals

| 2024 Achievement | 2025 Medium-term goal | 2030 long-term goal |
|---|---|---|
Information Security Management Framework
To strengthen information security management, Zyxel Group establishes a safe and reliable digital operation platform to ensure the sustainable operation of data, systems, equipment and networks. While taking into account both information security and work efficiency, security control mechanisms for data processing, transmission and storage have been implemented, and a complete information security management framework has been established, with governance, promotion, and inspection as the three management directions. These are carried out through information security policy, awareness raising, and regularly passing the ISO 27001 information security certification audit, to ensure compliance measures and track improvements.
Information Security Organization
The "Group PSIRT Committee" was established in the "Information and Product Safety Management Office", under which the information security and product safety management departments are each under the jurisdiction of the chairman's office, to continuously monitor potential external threats and respond to security issues immediately.
Information Security Risk Management
To assure sustainable business operations and prevent major disasters or incidents affecting our important information systems from creating a risk of unsustainable services, the Company regularly conducts information security risk assessments to adjust our sustainable management policies, reviews laws and regulations, and evaluates and revises the internal information security regulations to ensure their legal compliance and effectiveness.
When information security incidents occur, swift notification and responsive actions are taken to restore normal operations of various business functions as quickly as possible. Adopting advanced persistent threat (APT) monitoring and security operations center (SOC) operational mechanisms, in collaboration with external cybersecurity experts, the Information Security Operations and Response Team rapidly assesses information security alert notifications and incident intelligence, thereby enhancing and expediting the detection and response mechanisms.
The results of drills in the past three years have all achieved the company's set objectives. Detailed statistical data is provided in the following table.
A critical annual practice involves conducting disaster recovery simulations for key application systems to ensure uninterrupted business operations.

| Goal | 2022 | 2023 | 2024 |
|---|---|---|---|
| RPO <= 10 hrs | 7 hrs | 5 hrs | 5 hrs |
| RTO <= 24 hrs | 19 hrs | 20 hrs | 20 hrs |

Note 2: RTO: Recovery Time Objective
Online information security courses in 2024: Courses titled “Introduction to Network Security; Windows Security Protection; Email Social Engineering and Protection” were provided. A total of 1,919 employees took the courses, with a training completion rate of 99.5%.
Product Information Security
In an effort to monitor potential external threats continuously and cope with security issues immediately, Zyxel Group has formed the “Product Security Incident Response Team” (PSIRT). The team maps out and executes product safety control measures, identifies procedures and guidelines required to be improved together with our product safety representatives, and makes flexible and continuous revisions. It has established safety framework design principles and carried out source code security testing and product safety verification to solve root problems and integrate product design with information security.
The Company joins the CVE Community as a CVE Numbering Authority (CNA) of MITRE's Common Vulnerabilities and Exposures (CVE) Program, not only to self-manage but also to analyze product vulnerabilities. By acquiring this international membership, we hope to use it as an external force to facilitate the internalization of product safety and accelerate the achievement of security by design. Compliance with the safety design principles is required throughout the R&D process to ensure the confidentiality, integrity and availability of the Company's information security management system. In February 2023, Zyxel was evaluated by NIST CNA and awarded the Contributor level.
Intellectual Property Protection
With the evolution of network technology and the growth of market demand, Zyxel Group actively develops various network technology and other products. In order to maintain Zyxel Group's competitive advantage in innovative technology capabilities and protect the interests of all stakeholders, we prioritize the protection and control of intellectual property and confidential information.
All our employees must also complete our CSR courses involving the protection of intellectual property rights every year. They are required to maintain the confidentiality of the confidential information of the Company and customers, are obligated to protect the information, and shall not communicate such information to, or obtain it for, internal or external individuals, companies or organizations not authorized to access it.
Completion rate for courses on business secret protection regulations in 2024: 99.7%
Data Privacy and Protection
We place the highest priority on personal data protection and are committed to safeguarding the privacy and legal rights of data subjects. In accordance with Taiwan’s Personal Data Protection Act, the EU’s General Data Protection Regulation (GDPR), and applicable privacy laws in the regions where we operate, we have established our Corporate Privacy Policy. This policy serves as the supreme guiding principle for personal data protection within our corporate governance and legal compliance framework.
Through a robust governance structure, internal management systems, and advanced information security measures, we mitigate risks such as data breaches, loss, or misuse. The following are our key performance indicators and quantitative achievements for 2025:
- ◆ Employee Data Protection Training
  Completion Rate: 99.3%
- ◆ Supply Chain and Partner Management
  We require all suppliers to sign the Supplier Code of Conduct. Suppliers must comply with all privacy and data security laws and regulatory requirements when collecting, storing, processing, transmitting, and sharing personal data.
- ◆ Internal Management and Technical Defense
  - Conducted at least two internal audits per year for customer personal data.
  - Performed two comprehensive reviews of data access permissions annually.
  - Successfully passed the 2025 BSI Third-party Audit with zero major non-conformities.
- ◆ Incident Management
  Total Privacy Complaints in 2025: 0 cases


