Corporate Governance

The Company has created an IT Department under its Management Center as an enhanced measure for information security management. The IT Department is responsible for the planning, supervision and enforcement of information security within the Company, and its presence has proven useful at improving the Company's defense against security threats and promoting proper security consciousness and awareness among employees.

✥ Scope of information security policy

• Use and maintenance of PCs and network resources.
• Reasonable use of corporate IT equipment by employees.
• Prohibition against unreasonable use of corporate IT equipment by employees.

✥ Information security management solutions

The Company's information security management solutions have been implemented to address 12 main issues. They are intended to protect the Company against risks and hazards caused by manual error, misconduct or natural disaster, as well as misuse, leakage, alteration or corruption of data. Below are the major aspects of the Company's management solutions：
(1) Security policy
(2) Information security organization
(3) Personnel information security
(4) Access control
(5) Physical and environment safety
(6) Operational safety
(7) Acquisition, development and maintenance of information system
(8) Communication security
(9) Supplier relations
(10) Management of information security incidents
(11) Business continuity management concerning information security
(12) Compliance
All employees, suppliers and visitors are bound to comply.

✥ Information security management measures

　　The effectiveness of preventive measures (such as promotion of information security policy, review of access rights to key information systems, compulsory change of login password etc.) and security policies is reviewed regularly (quarterly) in department meetings and adjusted accordingly. Outcome of information security governance is reported to the board of directors on a regular basis (at least once a year).

In light of prevailing security threats such as DDoS, ransomware, social engineering and fake websites, the Company has taken pro-active steps to promote employees' information security awareness and engage world-renowned security consultants on annual rehearsals against DDoS. These measures are intended to enhance employees' response to crisis so that threats can be detected and blocked at the first instance.

The Company has not purchased information security insurance out of consideration that the insurance is still a relatively new product, and that most of them contain exclusion clauses that limit claims to incidents of certain security level or require approval from claim adjustor. In the absence of insurance coverage, the Company currently focuses on ensuring compliance with information security laws, enhancing security policy, conducting security evaluations, adopting security protections, and training information security personnel.

✥ Information security audit system

(1) The IT Department is required to maintain logs on uses of IT system including e-mail, and monitor on an ongoing basis in order to identify abnormal conducts. The IT Department shall also pay constant attention to information security incidents occurred around the world, evaluate the causes and consequences of such incidents, and take corrective/preventive measures to improve the overall security environment while at the same time minimize chances of information security incident. (2) Internal auditors are required to conduct audits on information security according to risk assessment outcomes, and prepare audit report of their findings as a means to enhance security management in employees' computer and Internet usage. (3) Under extraordinary or special circumstances, the IT Department may coordinate with internal auditors and personnel from Legal Affairs to conduct project audit on specific areas, units or personnel.

Date of report to the board	Information security governance
2019.11.12
2020.11.13
2021.11.08
2022.11.10