Corporate governance

Risk management

To manage the uncertain factors that may threaten the company's operations, the Board of Directors approved the "Risk Management Practical Guidelines" on November 23, 2022. These guidelines serve as the highest guiding principles for the company's risk management. By considering various risks during the operational process, we have established a risk management mechanism that includes early identification, accurate quantification, effective supervision, and strict control to ensure the achievement of the company's strategic objectives.

Information Security Management

Information Security Risk Management Framework

● The IT department is responsible for information security-related affairs, enhancing information security management and inspections to ensure the confidentiality, integrity, and availability of information assets, thereby providing a reliable information environment for continuous business operations.
● Relevant policies and management mechanisms are established, regularly reviewed, and reported to the Board of Directors.

Information Security Policies

● Manage and maintain the confidentiality, availability, integrity, and access rights of information assets.
● Ensure the stability of information services to support continuous business operations.

Specific Management Plans

● Periodically conduct awareness programs on information security and personal data protection. All new employees must sign confidentiality agreements.
● Outsourced vendors must sign confidentiality agreements to ensure that those using the company’s information services or performing related information tasks have the responsibility and obligation to protect the company's information assets from unauthorized access, alteration, destruction, or improper disclosure.
● All user computers are equipped with antivirus software, with regular updates of virus definitions, and the use of unauthorized software is prohibited.
● Users are required to be responsible for the safekeeping and use of their accounts, passwords, and access rights, and to change their passwords regularly.
● Important information systems or equipment are equipped with appropriate backup or monitoring mechanisms, with regular drills to maintain their availability.
● Internal audits are conducted annually to ensure the effectiveness of information security and personal data protection management systems.

Management Resources and Actual Implementation

● The IT department is responsible for promoting information security policies and resource allocation. On November 23, 2022, the Board of Directors discussed the establishment of a dedicated information security unit and reviewed information security policies. One dedicated information security officer and one dedicated staff member are responsible for information security-related affairs.
● In 2023, an information security awareness campaign was conducted to enhance employees' understanding and management of information security.
● In 2022, NT$143,000 was spent on antivirus software; in 2023, NT$163,000 was spent on an ERP firewall; and NT$199,000 was spent on backup hardware equipment, all dedicated to information security management.