Cyber Security Policy and Management
1. Cyber Security Risk Management Structure
The Company has established the Information Security Management Committee as the highest authority for overseeing information security.
Chaired by the President, the committee is responsible for strategic decision-making, reviewing, and resolving critical in-formation security matters. To ensure effective execution, an Information Security Officer, reporting to the President’s Office, provides dedicated support to the committee’s activities and initiatives.The IT Division acts as the operational unit for implementing information security measures. In alignment with the Company’s information security policies and guidelines, it establishes and maintains robust measures to effectively prevent and mitigate information security risks.
The Audit Office serves as the supervisory unit for information security. It conducts regular audits, and if any deficiencies are identified, the audited unit is required to promptly submit improvement plans to the Board of Directors. The Audit Office also monitors the progress of these improvements to reduce internal information security risks.Additionally, certified public accountants (CPAs) perform annual audits of the Company’s information operations. Any deficiencies identified are addressed through corrective measures, with follow-ups to ensure proper implementation.
Recognizing the critical importance of information security, responsible units provide regular updates to the Board of Directors on the Company’s information security governance and implementation status. The most recent report was presented on November 17, 2025.
2. Cyber security Policy and Management Program
To strengthen the cyber security management and ensure the availability, integrity, and confidentiality of information, as well as to protect it from intentional or accidental threats from internal and external sources, the Company’s cyber security facilities and management practices are categorized into six major items:
3. Commitment of resources to cyber security management
To fulfill the six major cyber security policies, the resources invested are as follows:
(1) Network hardware equipment such as firewalls, email anti-virus, spam filtering, Internet behavior analysis, and network management hubs.
(2) Software systems such as endpoint protection systems, backup management software, VPN authentication and encryption software.
(3) Telecommunication services such as multiple lines, cloud backup service, intrusion protection service, etc.
(4) Investment in manpower such as: daily system status check, weekly regular backup and backup media off-site storage implementation, at least two times a year cyber security publicity and education courses, annual system disaster recovery exercise, annual internal audit of the information cycle, accountant audit, etc.,
(5) Cyber security manpower: A dedicated cyber security head and a dedicated cyber security officer are responsible for cyber security structure design, cyber security maintenance and monitoring, cyber security incident response and investigation, and review and revision of cyber security policies; the dedicated cyber security officer reports to the board of directors at least once a year.
(6) System upgrade and data center migration: The company’s ERP system was upgraded to SAP, which features built-in multi-layered security mechanisms to meet modern requirements for high speed and enhanced security. Simultaneously, the company’s server room was migrated to an IDC (Internet Data Center) to comply with professional data center standards.
4. Losses and Measures for Significant Security Incidents in Recent Years
From January 2025 to December 2025, there were no significant security incidents.
5. Cyber Security escalation Procedure
In the event of a computer system abnormality, personnel should immediately notify the IT division for handling. When troubleshooting or addressing system abnormalities, IT personnel shall maintain cyber security awareness; any situation involving damage to the confidentiality, integrity, or availability of information systems must be reported to the head of the IT division. If a situation is categorized as a cyber security incident, the Executive Secretary of the Crisis Management Team (EST) shall be notified in accordance with crisis management procedures to assess whether it is a major cyber security incident.
6. Cyber Security Awareness
The company conducts company-wide cybersecurity training annually, incorporating cybersecurity education into new employee training courses to enhance employees’ cybersecurity awareness.
The Company conducts social engineering drills every year to raise employees’ awareness of cyber security. The latest social engineering drill was held on November 18, 2025, and employees who have not passed the social engineering drill have to go through compulsory training session.
