Corporate Governance Practices
Information Security Organization Management
To implement the Company’s information security management effectively, the Company has set up an information security team with the CRO acting as the convener, under which there are the information security response center and the information security implementation team, responsible for information security management, planning, supervision, and facilitating execution in order to reduce the Company’s operational and information security risks. To implement the information security maintenance plan, the Company added an information security audit team in 2023.
The Information Security Committee shall meet regularly each year to review and examine the implementation of the Company’s information security management policies and report its findings to the Board of Directors. The last report was made on November 2, 2023.
Information Security Organizational Structure and Job Responsibilities:
(1) Information Security Committee:
The CRO shall act as the convener of the committee, and the Information Security Response Center and the Information Security Implementation Team set under the committee are responsible for the implementation of resolutions related to the information security management system.
(2) Information Security Implementation Team:
The team is composed of personnel assigned by the convener of the Information Security Committee and is responsible for planning and implementing various information security work.
(3) Information Security Response Center:
The Center is responsible for responding to unexpected information security events with corresponding solutions, as well as tracking collection and event identification. The “Risk Improvement Plan” shall be prepared, controlled, and tracked continuously until the improvement is completed.
(4) Information security audit team:
It shall be assigned by the Information Security Committee or assisted by a third party to evaluate the implementation of the information security management system.
Information Security Policies and Specific Management
To improve the security and stability of the Company’s information and communication; provide reliable information services, including the security precautions that must be controlled when using the network and information systems; prevent operational risks and hazards such as improper use, disclosure, tampering, and destruction of the Company’s information and data; and raise clients’ awareness of information security, the specific management measures are as follows:
| MANAGEMENT ITEM | MEASURE |
|---|---|
| Information Security Policy and Education Training | ● Formulate information security policy and raise information security awareness among employees through information security promotion |
| Network security management | ● Effectively manage the network environment according to operational requirements and security levels, and separate access control between internal and external network environments |
| System access control | ● Formulate system access control policy according to colleagues' business needs, specify the access authorization of users and personnel, and properly document the change process and preserve the records ● Separate the R&D from the general office environment to prevent unauthorized personnel from directly accessing confidential and sensitive data, and keep critical data from being disclosed |
| Terminal equipment management | ● Information security control for servers, PCs, and other devices, including software and hardware asset inventory, anti-virus, system patch update, and sensitive data access control |
| Data protection | ● Regularly schedule data preservation backups, including electronic files, documents, mail, server operating environment, personal computers, and network devices |
| Information Security Incident Management | ● Scan outsourced information systems for vulnerabilities and remediate them ● Provide solutions for unanticipated information security incidents, collect traces, and trace events to reduce the likelihood of occurrence and minimize operational impact |
Resources Invested in Information Security Management
The Company’s Information Security Committee holds regular meetings annually to review and evaluate the implementation of cybersecurity management. The most recent report to the Board of Directors was made on October 30, 2025. In 2025, there were no information security incidents that affected the Company’s operations or reputation. The Company obtained certification for ISO/IEC 27001:2022 (International Information Security Management System) from LRQA Limited in 2024 (Certificate No. ISO/IEC 27001-00043075), with a validity period from January 11, 2024 to January 10, 2027, in order to strengthen the information security incident management process.
2025 Implementation Status:
- Information security meeting: Conducted once annually.
- International certification: Successfully obtained ISO/IEC 27001:2022 certification.
- Information security training: Conducted annual training for employees, achieving a 100% completion rate.
- Awareness campaigns: Issued monthly information security bulletins (12 in total).
- Social engineering drills: Conducted regularly twice per year.
- External website penetration testing: Conducted 1 annual test.
- Disaster recovery drill: Conducted regularly once per year.
- PC updates: Performed quarterly updates with a 99% update rate.
- Two-factor authentication: Two-factor authentication has been enabled for critical servers.
- Information security incident management: No material information security incidents occurred, and the Company continues to maintain the security of its information environment.
- Through network-based automatic discovery, all devices can be monitored and managed in real time, achieving 100% asset coverage.