Financial Risk Management

WNC’s business focuses on R&D, manufacturing, and product sales. The company does not engage in high-risk or highly leveraged investment activities. WNC invests funds after considerable risk assessment while closely monitoring changes in bank lending rates on a regular basis. 98.44% of WNC’s revenue was from export sales in 2024, and most of the export sales amounts are quoted in U.S. dollars. Most of the material purchasing amounts are also quoted in U.S. dollars. Therefore, the majority of our foreign currency operating exposure can be offset through our frequent purchases and sales. For remaining situations involving foreign currency operating exposure, the foreign currency is converted to NT dollars depending on liquidity needs and market conditions. WNC’s action plans to cope with the impact of changes in interest rates, exchange rates, and inflation are:

Business Risk Management

WNC complies with government decrees and regulations and adjusts its internal policies in accordance with changes in laws, thus ensuring the lawfulness of WNC’s operations. Regarding the Company’s operating status, in addition to regularly holding shareholders’ meetings and institutional investor conferences, the Company produces financial reports and sustainability reports to increase the transparency of company information, and actively invests in green product design and participates in social welfare activities in order to meet its social responsibilities. To better secure customers’ and shareholders’ rights and react in a timely manner to the rapidly changing communications industry, WNC, while targeting overall sustainable development, performs risk and efficiency assessments when introducing new materials, new technologies, and new equipment so as to enhance the total value of products through the most competitive quality, development speed, and cost. With strict control of expenses, operational costs and risk can also be well managed.

Business Continuity Management

WNC aims to ensure quick recovery of operations through rapid response to incidents. This is essential to ensure employee safety, prevent disruption to business operations, and to reduce the impact and loss that these incidents may cause to the environment, to WNC, or to our customers. WNC has therefore established a Significant Environmental Aspect Identification and Management Procedure, a Hazard Identification and Risk Assessment Management Procedure, a Contingency Plan Control Procedure, and a Business Continuity Plan based on major disaster scenarios. In 2024, no casualties or property losses caused by natural disasters or man-made disasters (including terrorist attacks or labor disputes) occurred at WNC headquarters or other sites.

Information Security

WNC strictly complies with the content and confidentiality commitment set forth in customer contracts. In order to implement the management of confidential information, WNC has established an Information Security Policy and an ISO/IEC 27001 information security management system and obtained external certifications. WNC (Taiwan), WNC’s sites in China and Vietnam, and the US and the UK subsidiaries have all completed certification, covering 75% of all locations. This ensures the confidentiality, integrity and availability of all information. In response to the release of the new version of ISO/IEC 27001:2022, WNC completed the transition to the new version and successfully passed the certification audit in October 2024.

Information Security Committee

WNC established an Information Security Committee in 2014, composed of top-tier supervisors of each unit, chaired by the President and CEO, and convened by the Chief Information Security Officer (the top-tier supervisor of the Digital Information Management Division). A management review meeting is held every six months. The Committee is responsible for formulating and promoting internal information protection measures, including risk assessment, operational impact analysis, drills of disaster recovery plans, user account permission reviews, firewall rule reviews, information security promotion and training, vulnerability scanning, penetration testing, management meetings, and ad hoc social engineering drills. The functional teams under the Committee are the Information Security Implementation Team, the Emergency Response Team, and the Information Security Audit Team. The teams are led by the Chief Information Security Officer.

Information Security Management System

WNC’s information security management measures can be divided into external and internal security management. Externally, firewalls and threat defense systems have been implemented in order to prevent viruses and external hackers from accessing networks. WNC assesses suppliers’ security environments and control mechanisms through information security questionnaires and strengthens the mechanism for inspecting customer and supplier personnel or equipment entering the factory. Through outsourced red team exercises, WNC conducts technical evaluations of the effectiveness of its cybersecurity threat monitoring mechanisms. These exercises help identify potential risks and vulnerabilities, which are addressed through proactive remediation efforts, thereby continuously strengthening WNC’s cybersecurity defense. Internally, during the ISO/IEC 27001:2022 transition project, WNC reviewed its existing management, technical, and physical control mechanisms, conducted a comprehensive inventory and identification process, and refined the correlation between critical core systems, personal data, and business operations, further enhancing the overall robustness of the company’s information and cybersecurity environment. In 2024, WNC had no record of any lawsuits related to violations of confidential customer information, no complaints related to information security were received, and there were no major cybersecurity incidents.

Key Information Security Work Items in 2024 and 2025

Year Items
2024
  • Continue to strengthen the structure of WNC's information security protection networks.
  • Strengthen "blue team" information security talent.
  • Expand the scope of application of CISRT & PISRT teams and response mechanisms.
  • Expand the scope of application of the information security operations center (SOC).
  • Pass IEC 62443-4-1 Product Security Management System verification.
  • Red/blue team assessment.
  • Implement monitoring and alert mechanisms for non-IT network-connected devices throughout the entire facility.
  • Strengthen cybersecurity inspection mechanisms for customer and supplier site entry.
  • Conduct cybersecurity questionnaires and risk identification for key supply chain vendors.
2025
  • Continue expanding the scope of application of the information security operations center (SOC).
  • Strengthen "blue team" information security talent.
  • Establish product security testing service items and develop standardized procedures.
  • Continue conducting red/blue team assessment.
  • Deploy factory-wide monitoring and alert response mechanisms for non-IT production networked devices.
  • Establish and implement cybersecurity control processes and mechanisms for WNC's supply chain.
  • Enhance suspicious activity detection and monitoring network (MDR/XDR).
  • Establish an endpoint suspicious behavior monitoring network.

Risk Identification

WNC conducts risk assessment operations every six months. Each WNC site proposes risk issues and conducts risk assessments. If the result of the risk assessment exceeds the acceptable risk level, each site identifies and implements risk response measures and proposes improvement or enhancement solutions. In 2024, through red team exercises, WNC incorporated technical assessment approaches to identify risks and verify the effectiveness of controls, which also helped the company uncover potential vulnerabilities and areas for further improvement. Risk assessment results related to management and technical aspects are reported at the management review meeting of the Information Security Committee. Based on the risk assessment report, the Information Security Committee reviews, evaluates, and approves the acceptable level of risk at the company level, which serves as the basis for continuous improvement and control.

Training Courses

2024 Information Security General Knowledge Courses

Course title | Participants | No. of times course was held | Number of employees completing | Training hours
Information security policies and regulations promotion (2024Q4) | IDL | 1 | 4,326 | 1,298
Information security general knowledge courses (2024/12-2025/01) | IDL | 1 | 3,481 | 844
Defenses against social engineering (2024Q2) | Employees who fail phishing tests | 1 | 339 | 339
ISO 27001:2022 Standards Introduction (2024Q1) | ISO 27001 certification unit personnel | 1 | 187 | 187
Information asset collection and risk assessment education and training (2024Q1) | ISO 27001 certification unit personnel | 1 | 20 | 20