Information Security Management

1. Information Security Governance Organization

The Company has established an Information Security Governance Organization to strengthen information security management and to ensure the confidentiality, integrity, and availability (CIA) of all corporate assets and information. This organization aims to comply with relevant laws and regulations and to safeguard the Company against intentional or accidental internal and external threats.

2. Information Security Policies

To provide sound information security governance, to protect the information assets of the Company, its customers, and individuals from intentional or accidental internal and external damage, and to fulfill its duty of care for the data it processes, stores, or transmits, the Company successfully completed the ISO/IEC 27001:2022 transition audit and certification at the end of 2025. This certification confirms that the Company’s Information Security Management System (ISMS) is capable of effectively addressing risks associated with the current digital environment and emerging threats. The validity period of the latest certificate is from January 14, 2026 to January 14, 2029.

The Company has established comprehensive information security policies and standards, and regularly monitors the appropriateness and effectiveness of its information security objectives. Information security-related operational procedures include the identification of critical business operations and their importance, information asset inventory and risk assessment, application system development and maintenance security, personal data protection policies, information security protection and control measures, management of outsourced information systems or services, incident reporting and response procedures, and continuous improvement and performance management mechanisms.

Relevant information security policies, management processes, and operating procedures are reviewed and revised annually. The Company ensures proper management of personnel, processes, and information technology, and promotes awareness and compliance with information security policies across all departments. Through continuous enhancement, the confidentiality, integrity, and availability of all information service systems are maintained to support information security and the Company’s commitment to sustainable operations.

In 2025, the Company issued its “AI Policy and Guidelines,” establishing a comprehensive governance framework covering data classification, AI tool categorization, responsible AI principles, and risk management. This framework ensures that the use of AI complies with information security, privacy protection, and regulatory requirements. The Company also promoted internal “AI Usage Guidelines” through electronic newsletters to enhance employee awareness of information security and ethical considerations related to AI use, requiring all AI-generated outputs to be reviewed and approved by humans.

Through AI tool management mechanisms such as whitelists, greylists, and blacklists, together with comprehensive incident reporting and review procedures, the Company ensures that the adoption of AI technologies is secure, transparent, and trustworthy. This governance framework not only improves operational efficiency but also ensures that AI applications align with the Company’s commitments to sustainability and digital responsibility.


3. Information Security Awareness Promotion and Education

  • All new employees are required to complete mandatory information security awareness training courses, covering emerging threats and attack techniques, information security concepts and protection measures, company policies and standards, phishing email identification, incident response and reporting procedures, and reward and disciplinary mechanisms.
  • Information security seminars are conducted annually for senior management.
  • All personnel who use information systems are required to receive annual information security awareness training.
  • Supervisors and personnel responsible for information security must attend professional information security training courses annually.
  • Personnel engaged in software development are required to complete Secure Software Development Life Cycle (SSDLC) training.
  • Information security e-newsletters are distributed periodically to promote company policies, major domestic and international cybersecurity news, email security, remote work security, Internet of Things (IoT) security, cloud security, and emerging technology threats such as AI-related cybersecurity risks.
  • Multiple phishing email simulations (social engineering exercises) are conducted annually to assess employees’ vigilance against cybersecurity threats. Employees who fail the assessments are required to attend email security training and submit a Root Cause and Corrective Action (RCCA) report for approval by center-level management.
  • To continuously enhance cybersecurity literacy and risk identification capabilities, the Company organized the “Cybersecurity Challenge – Security Breakthrough” education program in 2025. The program adopted an online interactive, gamified challenge design featuring four scenario-based games to guide employees in recognizing and responding to common cybersecurity threats, including phishing, social engineering, and password security. This engaging approach effectively improved employee awareness and preventive behaviors. The overall satisfaction rate reached 90%, demonstrating strong employee recognition and serving as a key initiative to strengthen the Company’s cybersecurity culture and internal governance.


4. Information System Inventory and Risk Assessment

The Company conducts annual inventories of IT and OT information assets, updates the information asset register, and assigns a value to each asset. Annual risk assessments are performed to identify and regularly review cybersecurity risks associated with core business operations and protected information assets, evaluating the potential impact on confidentiality, integrity, and availability.

Appropriate administrative and technical control measures are implemented accordingly. The Company also identifies the likelihood and impact of potential business interruption events, clearly defines Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for core business operations, and establishes comprehensive backup mechanisms and contingency plans.


5. Information Security Protection and Control Measures

To continuously strengthen information security protection and management, the Company adheres to ISO/IEC 27001 control requirements and references relevant domestic and international regulations and standards, including the Cybersecurity Management Act, the Information Security Control Guidelines for Listed and OTC Companies, and the NIST Cybersecurity Framework (NIST CSF).

Every six months, the Company analyzes cybersecurity defense requirements using the Cyber Defense Matrix (CDM) and updates its three-year information security plan, optimizing cybersecurity budgets, governance processes, and protection measures.

For system vulnerability management, all systems and equipment undergo security hardening and security testing prior to deployment to meet baseline security requirements. Source code scanning, vulnerability assessments, and third-party penetration testing are conducted to validate system security. Emerging threat intelligence is continuously monitored, and investigations and remediation actions are promptly initiated for newly disclosed vulnerabilities.

To address advanced threats such as ransomware and cryptomining malware, the Company has implemented multiple security protection mechanisms, including next-generation firewalls, intrusion prevention systems, web application firewalls, advanced persistent threat (APT) protection, endpoint detection and response (EDR), managed detection and response (MDR), and multi-factor authentication (MFA), integrated with information security management procedures to ensure timely response. External cybersecurity risk rating services are also used to continuously collect and monitor cybersecurity risk indicators for ongoing improvement.

The Company continues to promote cybersecurity governance under a Zero Trust Architecture and has developed a three-year roadmap covering five domains: identity, devices, network, applications, and data. Core capabilities such as privileged access management, enterprise device management, network segmentation, API security, and data protection are being progressively implemented. Initiatives are executed in phases based on maturity levels, with continuous optimization through monthly working meetings and quarterly threat posture adjustments. As Zero Trust measures are progressively implemented, the Company’s maturity in threat detection, access control, and data protection continues to improve, enhancing overall operational resilience and ensuring robust protection of critical operations and customer data.


6. Information Security Incident Reporting, Response, and Threat Intelligence Management

The Company has established information security incident response and reporting procedures, including incident impact determination and damage assessment, internal and external reporting workflows, notification methods for affected parties, reporting channels, and contact mechanisms.

For key application systems directly related to operations, the Company conducts annual disaster recovery drills, including backup restoration, failover switching, and off-site recovery, to maintain response capabilities and business continuity. The drills cover critical application systems, network services, power supply, and air conditioning systems, all of which meet established RTO and RPO requirements.


7. Significant Information Security Incidents

The Company has not experienced any significant information security incidents resulting in business interruption, data damage, or data leakage during the most recent fiscal year or up to the publication date of this Annual Report.

IR Contacts

Investor Relations

Email: stock@mitacmdt.com
Tel: +886-3-396-1888

Stock Agency

Yuanta Securities Co., Ltd. – Shareholder Services Department

B1, No. 67, Section 2, Dunhua South Road, Da’an District, Taipei City, Taiwan
Website: www.yuanta.com
Tel: +886-2-2586-5859