Information Security Management

Information Security Risk Management Framework

● The Information Department is responsible for information security–related matters, strengthening information security management and controls to ensure the confidentiality, integrity, and availability of information assets, thereby providing a secure environment to support business continuity.
● Relevant policies and management mechanisms are established, reviewed periodically, and reported to the Board of Directors.

Information Security Policy

● Information assets are managed to ensure confidentiality, availability, integrity, and appropriate access control.
● The stability and reliability of information services are ensured to support continuous business operations.

Specific Management Measures

● Information security and personal data protection awareness activities are conducted on a non-regular basis. All new employees are required to sign confidentiality agreements.
● External vendors are required to sign confidentiality agreements to ensure that any party using the Company’s information services or performing information-related operations fulfills its responsibility to protect the Company’s information assets and prevent unauthorized access, alteration, destruction, or improper disclosure.
● All user computers are equipped with antivirus software, with virus definitions regularly updated, and the use of unauthorized software is prohibited.
● Users are required to take responsibility for the safekeeping and proper use of their accounts, passwords, and access privileges, and to change passwords periodically.
● Critical information systems and equipment are supported by appropriate backup and monitoring mechanisms, with regular drills conducted to maintain system availability.
● Internal audits are conducted annually to ensure the effectiveness of information security and personal data protection management systems.

Management Resources and Implementation Status

● The Vice President is responsible for the promotion of information security policies and the allocation of related resources. Following a resolution by the Board of Directors on November 11, 2022, a dedicated information security unit was established, along with a review of information security policies. One Chief Information Security Officer and one dedicated staff member were appointed to oversee information security affairs.
● In August and November 2025, information security awareness programs were conducted to strengthen employees’ understanding and management of information security.
● In September 2025, a four-hour personal data protection awareness program was conducted, including sessions on “Information Security Protection Practices for Small and Medium Enterprises” and “Prevention and Identification of Social Engineering Attacks.”