Sustainability Governance Structure

Board of Directors

The ASUS Board of Directors values high efficiency, transparency, and professionalism to strengthen the Company’s administration. After considering professional skills including operational judgment, accounting and financial analysis, operation and management, crisis handling, industry knowledge, international market outlook, leadership, and decision-making, the shareholders elected 13 members to the 11th Board at the shareholders' meeting held in July 2016, in accordance with the Regulations on Board Member Election; all members are male. Chairman Jonney Shih does not hold the position of President.

The name and education of each Board member, as well as the positions each holds at other companies, are shown in the Annual Report.

Responsibility of Board of Directors

The Board of ASUS convenes at least once quarterly. Under the leadership of Chairman Jonney Shih, the Board members take their duties of guidance and supervision seriously and perform them with due diligence. In addition, all of them duly observe applicable legal rules, ensure financial transparency, and make timely disclosure of material information in the best interest of the shareholders. ASUS invites external professionals every year to give lectures to the Board members so as to enrich their professional knowledge and legal awareness.

The System of the Avoidance of Conflicts of Interest

All members of the Board of ASUS are highly disciplined to avoid any conflict of interest, and the relevant statement is clearly stated in "ASUS' Rules Governing the Conduct of Board Meetings".
In case the Directors or Managers of ASUS undertake the business operation within the scope of business run by ASUS for themselves or in favor of a third party, they are required by law to obtain the approval of the General Meeting of shareholders in advance.

According to the "Corporate Governance Evaluation System" of Taiwan, the average attendance rate for board meetings needs to reach 80%.
A total of 9 board meetings were held in 2018, with an average attendance rate of 89.74%.

Audit Committee

To promote quality and integrity in the supervision of accounting, audit, the financial reporting process, and financial control by Board members, ASUS established the "Audit Committee" in July 2016 in place of supervisors. The Audit Committee is composed of 3 independent directors.

A total of 5 Audit Committee meetings were held in 2018, with an average attendance rate of 100%.

Remuneration Committee

The Remuneration Committee aims to assist the Board of Directors in the implementation and evaluation of the Company's overall remuneration, benefits policies, and remunerations of Directors and Managers, and to ensure that the Company's remuneration arrangements are in compliance with the relevant laws and are sufficient to attract talented people. The variable compensation of Directors and Managers is based on financial indicators such as profit.

Please visit Corporate Governance/Board Committees on the Investor Relations website for further information.

Sustainability Governance Structure

"To become among world-class green high-tech leaders and to provide valuable contributions to humanity" is the business philosophy of ASUS. Thus, in 2009, ASUS established a dedicated unit for sustainable development to track global trends in sustainable development, analyze sustainability issues such as governance, environment, and society, and integrate core business, product innovation, and service to formulate and promote sustainability strategy. The unit is named "Sustainability & Green Quality Management Division" and is led by a Chief Sustainability Officer who is responsible for keeping pace with global sustainability developments, managing sustainability policy, objectives and actions, and regularly submitting the annual key projects and performance to the Board of Directors for verification.

ASUS has focused on key issues such as products, supply chain and organizational operations that are highly influential to sustainable corporate operation. We have established the "GreenASUS & SERASUS Steering Committee", which is authorized by the CEO to be the management representative and meets every 2 months. The members of the Committee come from the business operation unit, procurement department, customer service, administration, legal and other departments. Horizontal communication and coordination are carried out across the units so that resources can be effectively allocated. All ASUS people can work in a consistent and sustainable direction and combine sustainability with the core of the business to create a competitive advantage.

On the other hand, the ASUS Board of Directors has an Audit Committee with 3 independent directors who oversee accounting, audit, financial/nonfinancial reporting processes, and quality and integrity in operational control. The Risk Management Platform is under the Audit Committee. In addition to the independent directors conducting risk assessments of the issues of concern raised by external stakeholders, the Risk Management Platform holds regular cross-sector meetings to research approaches to the topics identified as material risks. The Audit Committee decides whether to report to the Board of Directors according to the materiality of the risk reports.

Internal Audit System

The Audit Office assists the Board of Directors and top management in independently and objectively assessing the completeness, validity and implementation of the ASUS Group internal control system.
It submits improvement proposals to ensure that the internal control system continues to operate. In accordance with assignments from the Board of Directors and top management, the Audit Office conducts relevant investigation, assessment or consultation to assist the Board of Directors and top management in fulfilling their responsibilities.

The Audit Office is under the Board of Directors, with a Chief Audit Executive who manages company audits and supervises the Audit Office. The appointment and dismissal of the Chief Audit Executive shall be approved by the Board of Directors. Several auditors conduct periodic and irregular audits, as well as special projects, of the ASUS Group.

Internal Audit Operation provides the ASUS Group with the following services:

  • Annual audit of headquarters: Internal auditors shall frame annual audit proposals in accordance with risk assessment and relevant regulations. Audit proposals shall be approved by the Board of Directors prior to implementation. The annual audit includes but is not limited to operational audit and legal compliance audit.
  • Special project audit: In accordance with the operational and managerial need of the Board of Directors and the top management, irregular special project auditing would be executed.
  • Annual self-assessment of internal control system: The Audit Office annually coordinates the "self-assessment of internal control", which requires the executors in each department to periodically evaluate the rationality, implementation, and effectiveness of all operational control items. After the Audit Office reviews the "self-assessment of internal control" report, the evaluated result is submitted to the Board of Directors and top management.
  • Subsidiary audit: In accordance with the annual audit plan or the request from Board of Directors, Audit Office conducts periodical or irregular audit to evaluate and assure the business objective achievement, reliability of financial reporting and adequacy of internal control system. Audit office assists to assure the performance enhancement of, regulation compliance of and effectiveness and efficiency of operations of a subsidiary.
  • Consulting service: Audit Office provides operational effectiveness improvement advice and internal control system consulting service in order to enhance effectiveness and efficiency of business operations.

For above duties, Audit Office shall submit reports and working papers including evaluation of internal control systems and business operations. In order to determine the appropriateness of current regulations and control procedures, and the rationality of the implementation of internal control and of the advantage for managerial and operational units, Audit Office shall provide improvement proposals adequately.

The auditors shall uphold detached independence, objective fair stance, truth-seeking spirit and modest, honest, diligent, agile, brave attitude to perform duties. The auditors shall ensure that the internal control system is implemented continuously and effectively, and assist the managerial level to fulfill obligations.

Please visit Corporate Governance/Internal Audit on the Investor Relations website for further information.

Information Security Management

In the era of information technology and the Internet of Things, enterprises must ensure that information security and personal data protection are incorporated into the company's management and governance goals, establish relevant policies, system management, and prevention mechanisms, and ensure security of information infrastructure, information application systems, and product information, as well as safeguard client data security and implement information security management as required.

We have formulated the “Information Security Policy” in compliance with relevant laws and with reference to ISO27001/CNS27001 and relevant regulations as a basis for compliance. This policy aims to protect information assets, including data, software, and hardware equipment, from alteration, disclosure, destruction, or loss due to external threats or improper management and use by internal personnel, so as to ensure the confidentiality, integrity, and availability of all business information and reduce operational risks reasonably. The effectiveness of this policy is extraordinary.

To implement the Information Security Policy, a security management system is established:

  1. Establish an information asset evaluation mechanism; conduct information asset evaluation at least once a year, and deal with matters with risks to properly protect the information assets and prevent any damage to the assets caused by unauthorized or operational negligence at work
  2. All information security incidents or suspicious security weaknesses shall be reported via appropriate reporting procedures and investigated and handled properly to ensure that the weaknesses are repaired early and will not be taken advantage of
  3. Review, test, and examine the business continuity plan at least once a year to ensure that the core operational system will be available throughout the year
  4. Implement information security education and training regularly every year, and additional education and training as the situation requires, to ensure that all employees at the company have up-to-date information security knowledge that can be applied to daily work
  5. Review the Information Security Policy and management system annually to ensure that information security measures or regulations are in compliance with current laws and regulations

Achievement in 2018:

Risk Assessment
  The management goals of information security - confidentiality, integrity, and availability - can be adopted to identify the value of the assets and conduct risk assessment, so as to have a clear picture of the possibility of potential threats and vulnerabilities, analyze relevant impacts, and determine risk levels. Risks are divided into four levels from A, the highest risk to D, the lowest risk. There is no level-A risk portfolio in the 2018 assessment results of information assets.
Business Impact Assessment
  Business impact assessment is conducted with the asset value and availability of information assets considered. Based on the identified business processes, how critical each business process is, how great an impact is allowed, and recovery needs are analyzed to prioritize the company's emergency responses in the event of complete business disruption, while a relevant business continuity manual is being developed.
Product and Information Security Reporting Management Platform
  We make every effort to ensure the security of our products to protect the privacy of our valued customers. We are committed to improving our security and personal information protection practices in accordance with all applicable laws and regulations, and we welcome clients to provide all reports on product-related security or privacy issues. Therefore, a product and information security reporting management platform was established for clients and security experts or researchers to have exclusive channels for reporting security loopholes or problems in ASUS products or information systems.
  The automatic case management system has been incorporated into this platform to maintain the management quality of case reporting and response. Through this platform, ASUS issues an announcement on the security of our products from time to time, allowing consumers to have a channel to understand the upgrade in the security of the products, and enabling ASUS to maintain positive communication and interaction with security experts or researchers on the social media through this platform.
Information Service System Monitoring Operations
  To maintain the high availability of the information service system, the monitoring operations included servers, network nodes, and their devices associated with the information service system, so that the maintenance personnel can be notified and alerted immediately when the information system is interrupted abnormally.
Operational Continuity of Information Services
  Important information service systems are set up in both the information service room at the company’s headquarters and a rented backup information service room in a different location, and operate in active-active mode, so that when there is an operational interruption at one site, the information service at the other information service room starts running immediately without interrupting the operation of the service.
Exercise on Email Usage Security
  In recent years, rampant ransomware, commercial email fraud, and APT attacks that use social engineering and email phishing techniques have had a more extensive impact. To enhance awareness of information security with regard to malicious email, 4 exercises on email social engineering were carried out in 2018. Relevant incidents and fraud techniques were announced to teach employees how to report and handle them.

Statement on the Security Incident of the ASUS Live Update Tool in Early 2019:

Live Update is automatic update software for ASUS notebooks. One version of the software on certain notebooks was loaded with malicious code that hackers had uploaded to the download server in an attempt to launch attacks on a few specific targets. ASUS took the initiative to contact the impacted users and provided them with product testing and software version update services. Customer service personnel assisted customers in solving problems and continued to track the process to ensure that there was no problem with the product. In response to this attack, ASUS upgraded the new multi-authentication mechanism of the Live Update software to enhance end-to-end key encryption for all the possible loopholes in software version updates and transmission paths, while updating the server-end and user-end software architectures, to make sure that such an attack will not happen again. We also provided a test program for consumers to check on their own.

Personal Data Protection and Information Security Committee

To continue to promote personal data protection and management among global consumers and ASUS employees, we established the “Personal Data Protection and Information Security Committee” (PI Committee) in April 2012 in accordance with the instructions of the top management. In response to changes in the law, the new version of ASUS' guideline "General Personal Data Protection Policy" on the management of personal data was formulated and implemented in the ASUS Group in 2018 on collecting, processing, and using personal data and establishing and implementing information asset security protection.

To ensure the implementation of the company's policies, the PI Committee currently meets every 2 weeks to implement and review the annual work and adjust the methods of implementation, and handles matters related to personal data and security through ad hoc meetings. By the end of 2018, 197 regular meetings had been held.

Achievement in 2018:

Management operations in response to the European General Data Protection Regulation (GDPR):

Data inventory review
  Review the nature of the category of all data collected, processed and used by the company to confirm the scope of compliance.
Process Improvement
  The PI Committee discussed with each relevant department of the company the procedures that needed to be adjusted and improved in accordance with the provisions of GDPR. From November 2017 to the end of 2018, 90 workshops were held for 15 departments. The procedures at the departments that needed to be improved were also completed by the end of May 2018.
Update on ASUS Privacy Policy
  In response to changes in the law, the necessary information to be disclosed to data subjects was added to the ASUS Privacy Policy. The updated version was launched at the end of May 2018, and a notification letter regarding the update of the ASUS Privacy Policy was sent to ASUS members worldwide.
Education and Training
  In response to changes in the law, in 2018, the new ASUS “General Personal Data Protection Policy” was announced, and employee education and training was launched simultaneously. In addition to the employees at the headquarters, in 2018, the main targeted training audience was employees in the European region. The PI Committee and the external attorneys went to the offices in Europe and completed 9 education and training sessions.
Joint audit of cooperation partners
  To ensure that ASUS’ cooperation partners understand and implement its policy on personal data protection, the PI Committee conducts on-site audits with the customer service center at cooperation partners’ work site and proposes improvement suggestions and tracks the process of making improvements.
Annual internal audit
  In conjunction with the company's internal auditing operations, the business or functional units involved in the management of personal data have been included in the scope of audit. Through self-assessment within departments and audits by the PI Committee, each department is assisted in taking corrective action on its audit findings, ensuring the implementation of the company’s personal data-related policies and management regulations.
Annual vulnerability scan on websites collecting personal data
  To strengthen the security of websites and consumers’ data, the PI Committee provides the lists of public websites collecting personal data to the MIS department to implement vulnerability scan of the websites. Based on the vulnerability scan evaluation report produced by the MIS department, the progress of the vulnerability correction process will be tracked, and the management of the vulnerabilities is inspected. If there is a deficiency, the responsible department will be required to improve it.
Education and training
 
  • In response to the new version of ASUS “General Personal Data Protection Policy”, in 2018, the main targeted training audience was employees in the European region. The PI Committee and the external attorneys completed nine training sessions in the offices in Europe.
  • Education and training for new employees: New employees are provided with education related to the knowledge of personal data and information security. By the end of 2018, a total of 19 classes of employees completed education and training courses. The total number of trainees was 1,143.
  • Periodic physical class: At least one awareness training course on personal data and information security is offered to all employees every year.
  • Irregular class: courses focusing on personal data protection and information security are offered based on the business needs of each department.

The 2019 plan of the PI Committee:

  • Improve the personal data-related interface available for data subjects to apply and exercise their rights under applicable laws as well as the internal data processing procedures
  • Review and improve the degree of compliance in response to the new personal data-related laws and regulations in the United States and Brazil
  • Increase personal data-related auditing at ASUS overseas offices and assist relevant departments to conduct audits on cooperation partners

Intellectual Property Management

We are committed to innovative research and development, with intellectual property rights being one of the key achievements. The number of patent applications filed worldwide is increasing steadily every year. By the end of 2018, 3,787 patents had been obtained in countries around the world. In 2018, the number of patents we obtained in Europe and the United States increased by 67% compared with 2017. In addition, efforts have recently been made to develop the high-end communications market, and the number of patent applications in the communications field in 2018 was 342. Of them, a total of 21 cases are standard essential patents in line with the promulgation by the European Telecommunications Standards Institute (ETSI). It is expected that the number of patent applications for standard essential patents filed in 2019 will exceed one hundred.