Information and Cyber Security Risk Management Framework

The Company established an Information and Cyber Security Office on September 1, 2022, with one information security officer and one dedicated information security staff member. To effectively promote the implementation and operation of the Company's Information Security Management System (ISMS), the Information and Cyber Security Management Committee was established on December 18, 2024, with the General Manager serving as the convener. A deputy convener and an executive secretary were appointed to coordinate the various tasks of the Information and Cyber Security Management Committee. Information security management representatives from the management levels of the various business divisions and functional units are responsible for assisting in promoting and supervising the information security work of each unit. An Information Security Working Group was set up, divided into the following subgroups based on responsibilities: (1) Incident Response Team, (2) Information Asset Risk Management Team, (3) Document Management Team, and (4) Audit Team.

Regarding the implementation and operation of the Company's ISMS, the system was officially announced in February 2025. The verification team from BSI Taiwan completed the two-phase verification in April 2025. After final confirmation by BSI Taiwan and headquarters, the ISO 27001:2022 certificate was issued in May 2025; the certification is valid from May 14, 2025 to May 13, 2028. Furthermore, in order to verify the continued effectiveness of ISMS operations and compliance with the standard's requirements, the BSI Taiwan verification team conducted a surveillance audit on February 10, 2026. The audit concluded with a pass for the ISO/IEC 27001:2022 Surveillance Audit. The ISMS was assessed as having a high level of maturity, stable management mechanisms, and zero nonconformities, demonstrating the organization's capability to continuously maintain ISO/IEC 27001 certification.
The Company has not only obtained the ISO 27001:2022 certification but has also partnered with AIG Taiwan and Fubon Insurance to implement a cybersecurity insurance program; the insurance period runs from 12:00 on December 1, 2025, to 12:00 on December 1, 2026, with a coverage amount of USD 5 million. This measure aims to strengthen our financial resilience and response capabilities, effectively reduce supply chain risks, and enhance trust and collaboration among upstream and downstream partners. In addition, the Company has joined the Taiwan Cybersecurity Management Alliance (CISO Alliance) and the Taiwan CERT/CSIRT Alliance to enhance cybersecurity governance through cross-industry exchanges, participation in regulatory and policy discussions, promotion of supply chain security, threat intelligence sharing, incident reporting and coordination, and technical collaboration. These efforts strengthen our cybersecurity management, technical defense capabilities, and operational resilience, while aligning with the national cybersecurity joint defense framework to elevate our overall cybersecurity maturity.

Information and Cyber Security Management Committee Organizational Chart



Responsibilities of the Information and Cyber Security Management Committee:

  1. Review the objectives and scope of the Information Security Management System.
  2. Review the implementation and effectiveness of information security management-related operations and improvements.
  3. Review information security-related policies and regulations, and coordinate the allocation and use of resources.
  4. Supervise the conduct of business continuity drills.
  5. Review the resources required for the implementation of corrective measures, including manpower, time, and budget.
  6. Review the effectiveness of corrective measures.
  7. Hold at least one management review meeting annually, with the option to convene additional meetings as necessary.

Information and Cyber Security Policy

In alignment with the core business characteristics of the Company, the Policy establishes a framework to protect the rights and interests of the Company and its stakeholders (including but not limited to employees, customers, vendors/upstream suppliers, shareholders, investors and financial/securities institutions, non-vendor suppliers/contractors, government/competent authorities, and society). All employees and the Company are collectively responsible for fostering a safe information and communication environment, enabling information security to be embedded into the corporate culture. The Company will implement a tailored information security policy to clearly define security objectives and establish compliance requirements, which shall be consistently upheld. For detailed information, please refer to the "Information and Cyber Security Policy" published on the Company's official website (approved by the Board of Directors on January 13, 2025).

Objectives and Guidelines

  1. Each business unit of the Company shall comply with the provisions of relevant government laws and regulations (such as the Patent Act, the Copyright Act, the Personal Data Protection Act, and the Enforcement Rules of the Personal Data Protection Act) when conducting business and operations.
  2. The Information and Cyber Security Management Committee has been established and shall be responsible for the establishment and implementation of the Company's information security management system.
  3. The Company shall establish an organizational context evaluation mechanism to define the information security policy and the scope of implementation of the information security management system. The Committee/Company shall understand the needs and expectations of stakeholders at the organizational level.
  4. Formulate guidelines on document control and management, and set the management principles for the formulation, revision, document coding, and issuance of documents related to the information security management system.
  5. Establish a management mechanism for information assets to coordinate the allocation and effective use of limited resources to solve key security issues.
  6. Establish risk assessment management methods and identify the risks of various types of assets, so as to take appropriate risk treatment measures to control and mitigate risks to an acceptable level.
  7. Regularly implement business-related information security training, and promote the information security policy and the implementation of related regulations.
  8. Establish physical and environmental safety protection measures for the data center room, and regularly conduct the relevant maintenance.
  9. Clearly specify guidelines of the use rights of information systems, network services, and sensitive information, to prevent unauthorized access.
  10. Establish operational procedures for the acquisition, development, and maintenance of information systems, with specific guidelines on the compliance of systems under development and outsourced systems. An evaluation of information security-related issues shall be conducted prior to the establishment or launch of information systems or services to prevent situations that may endanger system security.
  11. Establish and implement internal audit activities for information security to ensure the implementation of the information security management system. Corrective measures shall take place for any outstanding matters.
  12. Establish an information security operation continuity plan and conduct actual drills to ensure the Company's operational continuity in the event of an emergency.
  13. All personnel of the Company are responsible for maintaining information security and shall understand and comply with the relevant information security guidelines and policies, and implement such guidelines in their job duties.

Overview of Information and Cyber Security Education, Training, and Awareness in 2025

| Organizer | Course / Awareness Topic | Hours / Frequency | Participants |
|---|---|---|---|
| Taiwan Corporate Governance Association | Information security governance and management under geopolitics | 3 hours | Head of Information and Cyber Security obtained a certificate from Taiwan Corporate Governance Association |
| Yuan Ze University (remote course) | Fundamental Concepts of Digital Forensics | 3 hours | Information and Cyber Security Staff obtained a certificate from Yuan Ze University |
| Taipei e-Campus | ChatGPT Applications, AI Development, and Future Cybersecurity Threats | 3 hours | A total of 10 personnel, including the Head of Information and Cyber Security, Information and Cyber Security Staff, and IT personnel, obtained certificates from Taipei e-Campus |
| Taipei e-Campus | Awareness Training on Information Security and Personal Data Protection | 3 hours | A total of 3 IT personnel obtained certificates from Taipei e-Campus |
| Taipei e-Campus | Latest Cyberattack Trends and Case Studies | 3 hours | A total of 3 IT personnel obtained certificates from Taipei e-Campus |
| UCOM Education & Training Center | Identity and Access Management in Windows Server 2016 | 3 hours | A total of 2 IT personnel |
| MIS / Information and Cyber Security Office (ICSO) - Internal Training | Information and cyber security education for new employees | 3 sessions | 32 new employees |
| Legal Office - Internal Training | Personal Data Protection, Confidentiality, and Software Usage Awareness | 3 sessions | 32 new employees |
| Chunghwa Telecom | 2025 Cybersecurity Threat Trends and Responses | 1 hour | 396 on-the-job employees |
| Chunghwa Telecom | Information Security Management System (ISMS) Introductory Meetings | 24 times | 23 information / cyber security and project team personnel |
| MIS / Information and Cyber Security Office (ICSO) - Internal Training | MIS Cybersecurity Awareness: "Information and Cyber Security and Software Use" and "Cybersecurity Intelligence" | 41 times | All employees |

Procedures for Information and Cyber Security Incident Notification



In the year 2025, the Company did not incur any losses or experience any incidents affecting operations or reputation due to major information or cybersecurity events. Furthermore, there were no verified complaints regarding customer privacy violations or the loss of customer data.