James Tu, Director of TSMC’s Corporate Information Security, shares information security management experience at Semiconductor Cybersecurity Global Summit. (Source: SEMI)
James Tu, Director of TSMC’s Corporate Information Security (in the middle), shares information security management experience at Semiconductor Cybersecurity Global Summit. (Source: SEMI)
TSMC works with SEMI to develop and promote the Specification for Cybersecurity of Fab Equipment and participates in the Semiconductor Cybersecurity of Fab Equipment conference. (Source: SEMI)

TSMC Supplier Information Security Management: Four Initiatives to Enhance Resilience of Information Security

Leon Chang
Y.C. Huang
Kevin Liang
Kun-Hsueh Chung

TSMC is committed to Information Security and Proprietary Information Protection for its customers, suppliers, and employees. To improve the information security level of the supply chain, TSMC collaborated with to establish the “Specification for Cybersecurity of Fab Equipment” and actively implemented four information security measures on information security regulations, information security evaluation and cooperation, promotion channels diversification, and risk management to strengthen supplier information security management. , the information security assessments have been completed with 639 suppliers and a total of more than 7,000 cases of have been improved.

By continuously implementing information security and proprietary information protection measures, building direct communication and reporting channels, and collaborating with suppliers to enhance protection mechanisms, TSMC protects its competitive advantage in the semiconducting industry and the interests of its partners.

- J.K. Lin, Senior Vice President of Information Technology and Materials Management & Risk Management at TSMC

Four Directions to Enhance Supplier Information Security Management

Two-pronged Approach of Internal and External Evaluations to Upgrade Suppliers' Information Security

More smart manufacturing technologies have been introduced to meet the demands brought by the advancement of semiconductor process technology. To improve the resilience of suppliers' information security, TSMC's Corporate Information Security organization worked with its Material Supply Chain Management Division to establish an information security assessment team in 2021. TSMC created a supplier information security self-assessment questionnaire based on the "Supplier Information Security Assessment Standards," and suppliers can identify potential risks and security weaknesses through the examination in 12 different categories. In February 2022, TSMC further introduced a systematic third-party evaluation of supplier information security. Based on the , TSMC assists suppliers in developing improvement plans and regularly tracks the execution status to review and improve information security measures through the dual evaluation mechanism. As of November 2022, 418 out of the 639 suppliers have obtained the A-level in the evaluation, and 277 have improved their information security levels by 1-2 within 6 months.

TSMC Collaborates with SEMI to Strengthen Information Security Resilience and Amplify Its Influence in the Industry

In addition to strengthening supplier information security protection measures, TSMC collaborated with SEMI to set up the Semiconductor Cybersecurity Committee, with the goal of promoting “” information security solutions and improving supply chain resilience. The SEMI Cybersecurity Committee was established to realize the vision of building supply chain resilience through cybersecurity, and it developed four strategies: establishing and promoting semiconductor equipment information security standards (SEMI E187), increasing cybersecurity awareness, conducting supply chain cybersecurity questionnaires and assessments, and assessing supply chain information security weaknesses and risks. TSMC will continue to collaborate with SEMI to lead the industry, with the goal of sharing valuable experiences and helping the supply chain strengthen its information security measures.

Four Strategies of SEMI Cybersecurity Committee