Ethical Governance

  • Revised policies, namely the Sustainable Development Best Practice Principles and Treating Customers Fairly Principles, to reflect low-carbon transformation and sustainability trends and support efforts by the competent authorities.
  • Completed the climate risk quota adjustment mechanism, which will be used for the approval of transaction quotas in the future.

Sound corporate governance is the foundation of corporate sustainability and is also the cornerstone of Taiwan Life's business operations. We emphasize establishing a culture of integrity. We have a comprehensive system and procedures for the recruitment, continuing education, and performance evaluation of Board members, and we have recently incorporated new ESG-related indicators into Board performance evaluations. In order to deepen our culture of sustainable operations, we are continuing to enhance our efforts in risk management, information security, legal compliance, and other areas as well as establishing delegated units, improving our regulatory systems, and providing education and training as we strive to cement our status as Taiwan's most trusted insurer.

Ethical governance

Sound Board structure

In accordance with the Company’s Articles of Incorporation, the Board of Directors of the Company shall consist of 7 to 12 directors, at least three of whom must be independent directors. As of Dec. 31, 2022, the current 27th Board of Directors of the Company comprises nine directors, including four independent directors, in line with the Articles of Incorporation requirements. All independent directors serve as members of the Audit Committee and Risk Management Committee under the Board, and all members possess the professional competencies required for their committee roles. The duties of each functional committee are set out in the organizational rules of each committee, and the resolutions they propose are submitted to the Board of Directors for consideration. The committees are accountable to the Board of Directors. Board members have a wide range of backgrounds in academia and industry, with substantial insurance, investment, legal, finance, and risk management expertise as well as practical experience.
In order to fulfill the functions of the Board of Directors, the Company holds a Board meeting every month. All directors actively participate in discussions, while business units are required to execute important Board resolutions and report the progress to the Board on a regular basis. In addition, an annual Board meeting schedule is established for routine proposals focusing on key motions in order to facilitate the follow-up and improve decision-making efficiency.

● Board and functional committee meeting attendance in 2022
Appointment of directors

The Company is a public company owned by a single corporate shareholder, CTBC Holding, which appoints all of its directors in accordance with the applicable laws and regulations. CTBC Holding has enacted the Principles for Selecting Directors and Supervisors of Subsidiaries, and its Nomination Committee strictly reviews the professional competence of Taiwan Life Board members. Members of the Board of Directors of the Company are not managers, and their composition is diverse in terms of academic background, professional skills, and industrial experience. In order to ensure the function and independence of independent directors, all independent directors are required to have rich academic and practical experience and may not serve more than three terms. To maintain the diversity, professionalism, and experience sharing of Board members, CTBC Holding has established a director database in order to facilitate its succession planning as follows:

  1. Seek suitable directors from various parties.
  2. Build the CTBC Holding group director database and refer to the talent database of independent directors.
  3. Invite the current directors, appropriate external organizations, and consultants to propose suitable directors.
  4. Reference the results of Board performance evaluations in determining whether to nominate the Company’s directors for re-election.

Board and corporate governance guidelines

To support the competent authority’s promotion of the Corporate Governance 3.0 Sustainable Development Roadmap and in preparation for the review of self-regulatory standards (e.g., amendments to the Corporate Governance Best Practice Principles), Taiwan Life’s relevant guidelines and procedures are reviewed constantly and revised as required to ensure sound corporate governance. In 2022, we revised the following corporate governance-related rules and regulations: the Articles of Incorporation; Corporate Governance Best Practice Principles; Standards for the Division of Authority of the Board of Directors, Chairman and President; Regulations Governing Board Performance Evaluations; Management Guidelines for Part-time Directors and Presidents; Operational Manual for the Claim and Reimbursement of Directors' Travel Expenses; Risk Assessment of Dishonest Behavior Regulations; Independent Directors Remuneration Policy; Non-Independent Directors Remuneration Policy; Operating Guidelines for Appointment of Directors and Supervisors for Subsidiaries; and Rules and Procedures for Board of Directors Meetings.

Ethical management

We are deeply committed to ethical management, which we strive to foster in our corporate culture by placing integrity, transparency, and responsibility at the core of our self-evaluations and ethics requirements and enabling directors, managers, and employees to have an accurate understanding of relevant laws, regulations, and ethical behavior. The Company incorporates the Ethical Corporate Management Best Practice Principles into the training materials for new employees, and holds annual training sessions for directors, managers, and employees (excluding dispatched staff and those with special circumstances) in order to promote the Company’s corporate culture of ethical management. In 2022, Company and subsidiary employees participated in 10,188 training sessions, with a completion rate of 100%.

Whistleblowing channel and system

We have established Procedures for Handling Reporting of Illegal and Unethical or Dishonest Conduct. The Procedures assign the Compliance Department as the contact window for whistleblowing reports, and a dedicated committee has been set up to investigate and review these reports. To protect whistleblowers’ right to work, the aforementioned procedures clearly stipulate the confidentiality obligations of those who handle and investigate whistleblowing cases and prohibit any adverse treatment of whistleblowers.
We provide various whistleblowing channels, including email, phone and post, through which illegal and unethical or dishonest conduct may be reported, and reports can be made anonymously. Our website provides a reporting form for whistleblowers to submit reports as well as discloses the protections and rewards available for whistleblowers. Through the whistleblowing mechanism, we aim to foster an ethical and transparent corporate culture.

Tax governance

Taxation plays an important role in achieving the SDGs and is a key mechanism for organizations to contribute to the economies in which they operate. Taiwan Life follows the guidelines of sustainability reporting standards to establish tax governance policies to implement in its daily operations.
In terms of tax strategy, Taiwan Life acts in accordance with the requirements of all relevant tax laws and regulations. In addition to complying with these laws and regulations, effectively managing our tax risks, fulfilling our tax responsibilities, and supporting global economic development, we are fully committed to constantly enhancing the transparency of our tax-related disclosures. We do so both in response to the growing global focus on anti-tax avoidance as well as to foster effective corporate governance and achieve sustainable development.

Internal controls and audits

1. Internal control system
In order to strengthen its internal control system, Taiwan Life evaluated its management supervision and control culture, risk identification and evaluation, control operation and management, information and communication, and supervision activities and corrective measures. Based on the results, it established three lines of defense for its internal controls, namely a self-assessment system, a compliance system and risk management mechanism, and an internal audit system. In addition, to encourage staff to proactively promote the three lines of defense, we take the internal control system, information security, and compliance system into account when conducting annual employee performance evaluations.

2. Internal audit system
We have established an internal audit system in accordance with the Regulations Governing Implementation of Internal Control and Auditing System of Insurance Enterprises. We have also set up an independent internal audit unit directly under the Board of Directors to assist the Board and management in evaluating the effectiveness of the internal control system and to provide timely improvement recommendations. The internal audit unit conducts a routine audit on the business operation and compliance system implementation for each unit at least once a year, and conducts ad hoc audits as needed. Audit deficiencies are constantly tracked and reviewed, with follow-up reports submitted to the Board of Directors for oversight. Furthermore, the Board regularly reviews internal control deficiencies and discusses related action plans with the internal audit unit.

Legal compliance

Taiwan Life continues to enhance its compliance system and relevant measures, and conducts compliance self-evaluations every six months to ensure that all businesses and operations comply with the regulatory requirements. We have formulated Compliance Risk Assessment and Reporting Guidelines and completed a Compliance Risk Assessment Report in March 2022. The assessment results and optimization measures were reported to the Board of Directors. Each unit is required to comply with external laws and regulations when conducting business. If there is any violation, the Compliance Department is responsible for supervising the unit concerned as it analyzes the reasons for the deficiency, evaluates the potential impact, and puts forward improvement plans. The Chief Compliance Officer also reports to the Board of Directors and the Audit Committee every six months, so that the Board of Directors and relevant senior management are informed of the implementation status of legal compliance matters. In addition to meeting the regulatory requirements at the time of appointment, the Chief Compliance Officer, Compliance Department personnel, and the compliance officers of each Taiwan Life department also receive over 20 or over 15 hours of on-the-job training every year. In 2022, the Company was not subjected to any significant penalties as set forth in Article 2 of the Regulations of the Financial Supervisory Commission for Handling Significant Penalties for the Violation of Financial Laws and Regulations.

AML/CFT compliance

In accordance with the Money Laundering Control Act, Counter-Terrorism Financing Act, and Regulations Governing Anti-Money Laundering of Financial Institutions, Taiwan Life has formulated relevant internal policies and guidelines to improve its AML/CFT systems. The Company also actively promotes education and training. Senior supervisors are required to attend the training every year, and Taiwan Life requires all employees to regularly participate in common AML courses. Moreover, we have established an AML/CFT Committee, which is chaired by the President, with the division-level supervisors of relevant units serving as members. The committee meets once every quarter. Four regular meetings and one ad hoc meeting were held in 2022 to ensure that the risks associated with AML/CFT were well controlled and that the AML/CFT mechanisms were properly implemented.

Personal information protection

The Information Security Department is designated as the unit responsible for information security and personal data protection. It promotes the integration of information security and personal data management from the perspectives of risk assessment, system regulation, operating processes, and personal data usage trajectories, and maintains the effectiveness of our BS 10012 personal data management certification. We obtained ISO 27701 privacy information management certification in 2022 to establish a comprehensive personal information management system and ensure the security of customer privacy.

Protection of intellectual property rights

To facilitate the development of Taiwan Life’s fintech and innovation services, we engage external consultants to help us handle patent applications, stay on top of industry developments, and provide us with IP-related insights. As of the end of 2022, Taiwan Life had obtained eight domestic invention patents, 22 utility model patents, and two design patents, for a total of 32 patents supporting the Company’s online insurance, underwriting, claims, and other insurance operations. In addition to these, nine trademarks have been obtained. In terms of IP management, the Company has an Intellectual Property Management Policy and reports regularly to the Board of Directors on the implementation of IP management. We have also installed smart IT computer asset management software on each computer; this software collects data on the installation and use of software and hardware across the Company and manages computer resources in order to ensure that only legally licensed software is used. The software also regularly scans and checks the software programs on each unit’s computers to avoid IP rights violations.

Risk management

For the purpose of regulatory compliance and promoting the sound operation and development of the Company, in accordance with Risk Management Best Practice Principles for the Insurance Industry and CTBC Holding’s Risk Governance Core Policy, we have formulated the Risk Governance Policy as the framework for the overall business risk management of the Company and its subsidiaries. The Company and its subsidiaries have established the policies for market risk, credit risk, insurance risk, asset–liability matching risk, and operational risk as the basis for daily risk management.
In line with the Risk Governance Policy, Taiwan Life’s Risk Management Department regularly prepares a Risk Integration Report and submits it to internal management as well as to CTBC Holding’s Chief Risk Officer (with a copy to the Risk Management Department of CTBC Holding), thus ensuring that those at the decision-making levels can grasp relevant information in a timely manner and facilitating CTBC Holding to consolidate and monitor material risk-related information of the subsidiaries.

Group risk appetite statement

Taiwan Life and its subsidiaries are expected to uphold the spirit of this risk appetite statement and to establish quantitative or qualitative objectives for monitoring and reporting according to their business nature and management requirements, so as to ensure that the statement is carried out in daily operations.

  1. Taiwan Life and its subsidiaries shall undertake risks that are identifiable and manageable in line with the corporate sustainability strategy.
     In terms of risk decision-making and risk taking, changes in the political and economic environment must be clearly understood, and all risks must be carefully considered from the Company’s overall perspective. In balancing risk and reward, various potential risks and their influence on capital requirements and capital allocation shall be objectively evaluated.
  2. Taiwan Life and its subsidiaries shall undertake various types of risk in a prudent and reasonable manner, and shall not conduct business activities that undermine the value or image of the Company.
     (1) The Company shall maintain a balanced asset–liability structure and shall not be overly exposed to high risk or to a single target.
     (2) The Company shall avoid price-cutting competition or predatory loans and shall carry out prudent product pricing strategies and target customer selection to avoid systemic risk or procyclical phenomena.
     (3) The Company shall prudently evaluate the business undertaken, and the enterprises or industries it deals with, in order to avoid potential negative impacts on the environment and society, and shall adhere to the following principles:
         i. For enterprises or industries that are highly sensitive to environmental or climate change risks (including but not limited to carbon-intensive industries, industries with high natural resource or energy consumption or high pollution, and industries that do not comply with environmental regulations), it is advisable to reduce the exposure or decline to undertake the business if the related risk cannot be controlled or managed after careful assessment.
         ii. Business involving pornography, violence, illegal organizations, or terrorist activity that affects social and public safety is prohibited. No assistance will be provided to customers engaging in illegal, extra-legal, fraudulent, whitewashing, tax-evasion, or money-laundering transactions. Controversial business that may violate human rights (including labor rights) shall be avoided, and careful consideration shall be given to business related to politics and military affairs. For customers planning to engage in related party transactions or unconventional arrangements, whether they are reasonable and legal shall be examined.
     Note: Taiwan Life is subject to the Human Rights Policy of CTBC Holding; please refer to CTBC Holding’s official website for details.

Risk management organization structure

The Company’s risk management organizational structure is jointly participated in, promoted, and implemented by the Board of Directors, all levels of management, and employees.

  1. The Board of Directors is the highest risk management decision-making unit of the Company. It recognizes the various risks associated with the Company’s operations, ensures the effectiveness of risk management, and takes ultimate responsibility for overall risk management. To facilitate the Board of Directors’ approval or oversight of various risk management issues, the Risk Management Committee has been established to assist the Board of Directors in making final decisions.
  2. Our Risk Management Department follows CTBC Holding’s guiding principles of risk management as well as the approved risk management policy to maintain the independent management mechanism of the second line of defense. It is also in charge of planning the Company’s risk management system and of monitoring the implementation of the first line of defense and the effectiveness of the operation of the mechanism. In addition to reporting directly to its own Board of Directors, the risk management unit of each subsidiary is also required to report to the Risk Management Department of Taiwan Life on a regular basis in order to facilitate the control of overall risk in a timely and effective manner.

Three lines of defense in risk management

Risk management is a shared responsibility among all relevant units within the Company. Through full coordination across units, the three lines of defense mechanism for risk management is formed.

Risk management operational framework

Based on the Company’s business strategies and objectives, and taking into account business growth, risks, and rewards, the Risk Management Department assists in formulating the Company’s overall risk appetite for the year and submits it to the Risk Management Committee for review and the Board of Directors for approval. In addition, based on the major risk characteristics and the Company’s risk appetite, risk limits are set. The Risk Management Department is also responsible for the risk management system, covering market risk, credit risk, insurance risk, liquidity risk, asset-liability matching risk, and operational risk. Risk management policies, guidelines, and procedures are formulated to control various types of risks. The Risk Management Department monitors the risk limits and operating status of each business unit in accordance with the policies, establishes guidelines and procedures, and regularly reports the monitoring results to the Risk Management Committee.

Emerging risk management

In the face of global changes in the business environment and development trends, the establishment of emerging risk identification and management procedures will help the Company identify potential risks as soon as possible and ensure that relevant units have developed control mechanisms to achieve the goal of sustainable corporate governance.

Emerging risk identification process
Climate change risk
Governance

The Company has formulated a governance mechanism for risks and opportunities related to climate change in accordance with the Guidelines for Climate-related Financial Disclosures for the Insurance Industry promulgated by the competent authority. The Board of Directors bears the ultimate responsibility for managing climate-related risks. The Company has included the management status of climate-related risks in its Risk Integration Report, which is submitted to the Board of Directors. Furthermore, the Company has established a Risk Management Committee under the Board of Directors. The committee is in charge of reviewing, establishing, and approving matters related to risk management. Matters related to the management framework and policy of climate-related risks and opportunities as well as climate-related risk appetite and other relevant matters all need to be submitted to the Risk Management Committee and then the Board of Directors for review. Moreover, in line with the aforementioned policy, the Company has established a Climate Change Risk Management Committee under the supervision of the President as well as formulated the committee’s charter. The committee convenes quarterly meetings. Its purpose is to compile and integrate the reports, suggestions, and decisions on issues related to climate risks from the Company and subsidiaries in order to assist management to fully realize its supervisory functions and ensure compliance. The committee is also in charge of reviewing management's progress in regularly reporting climate risk management to both the Risk Management Committee and the Board of Directors. By establishing a three-tiered management framework comprising the Board of Directors, the Risk Management Committee, and the Climate Change Risk Management Committee, we are ensuring effective climate governance.
Three lines of defense in risk management: The first line of defense is the business units and supporting units to ensure that their business activities are in compliance with the risk management regulations and risk controls are put into practice in daily operations. The second line of defense is the Compliance Department, Risk Management Department, and other dedicated units, which are responsible for planning risk management systems and monitoring the implementation of the first line of defense and the effectiveness of risk management mechanisms. The third line of defense is the audit unit, which is responsible for reviewing the compliance with various risk management regulations and mechanisms. With these well-established risk defense lines, the Company and its subsidiaries are able to manage various operational risks effectively.


Strategy

CTBC Holding’s Board of Directors has incorporated the goal of net-zero emissions by 2050 into the group’s long-term sustainable development roadmap. As one of its major subsidiaries, Taiwan Life supports this goal. We proactively identify and evaluate short-, medium-, and long-term climate risk factors and opportunities, integrating them into our relevant businesses, products, and investments. By conducting scenario analyses, we can seize strategic business development opportunities. For instance, the Company uses the group’s "list of high carbon-emitting industries" to determine whether an obligor operates in a high carbon-emitting industry. In such cases, the Company will adjust the credit limit accordingly, utilizing the latest carbon footprint data (carbon emissions generated per unit of revenue) as announced by Reuters for reference. If an obligor demonstrates a consistent improvement in its carbon footprint over three consecutive years, the Company may consider increasing its credit limit. Conversely, if actual conditions warrant, the Company reserves the right to decrease the credit limit. Through these measures, we aim to ensure that our operations are aligned with our net-zero emissions goal while actively managing climate risks and seeking out sustainable growth opportunities.
In 2018, we invested in Copenhagen Infrastructure Partners (CIP) Funds in order to understand the industrial development, risks, and practices of offshore wind power generation. In 2019, in partnership with CIP Funds, we jointly established Taiwan Wind Investment Co., Ltd. to develop an offshore wind farm project in which Taiwan Life invested NT$2.5 billion, representing approximately 43% of the equity. We were also the first life insurance company in Asia to invest in an offshore wind farm project. Later in 2019, we participated in the Formosa 2 syndicated loan for a 376-MW offshore wind farm project, becoming the first life insurance company in Asia to play a role in offshore wind farm syndication.


Risk management

In 2020, Taiwan Life’s Board of Directors approved the Sustainable Insurance Policy, which stipulates that insurance operations should take into account ESG-related issues, including climate risks and opportunities. In 2021, in accordance with the Risk Management Best Practice Principles for the Insurance Industry and CTBC Holding's Risk Governance Core Policy, we integrated climate change risk management principles into Taiwan Life’s Risk Management Core Strategy, Financial Transaction Credit Risk Management Policy, Operational Risk Management Policy, and Loan Credit Risk Management Policy, and amended the Responsible Investment Policy and Responsible Investment Regulations.
In the case of the Responsible Investment Regulations, the Company is required to take ESG risks into consideration when determining investment and financing asset allocations in order to reduce profit fluctuations in the overall investment/loan portfolio, in turn also reducing related risks. Therefore, prior to engaging in investment and financing activities, all units are required to assess whether a business or counterparty is associated with significant environmental issues (such as climate change and biodiversity), substantial social concerns, or major governance concerns that could significantly impact corporate value. This evaluation process specifically identifies oil sands and coal mining as high carbon-emitting industries, as well as coal-fueled thermal power generation, which are regarded as industries with significant environmental concerns. Accordingly, the investment unit must review and limit our involvement in these industries in accordance with relevant regulations. Alternatively, any involvement in relevant businesses should only commence after a thorough evaluation has confirmed that the project aligns with sustainability criteria.
In addition, the Company has formulated Business Continuity Management Standards in accordance with the group’s Risk Management Policy as a guiding principle for crisis management. The Company has formulated proper business continuity management mechanisms based on the characteristics, scale, and complexity of our business, and uses proper systems, resources, and processes to maintain the Company’s business continuity. The business continuity management mechanism is summarized as follows:

  1. Risk identification and measurement
     • We have developed an operating impact analysis to identify the functions and importance of all businesses. This analysis includes assessing the interdependencies between different business processes and systems, evaluating the potential impact of climate change-related physical risks on business interruptions, and determining the order of business recovery and the resources on which critical business operations rely.
     • A risk evaluation framework has been established to identify and assess the physical risks associated with climate change. We evaluate the likelihood and potential impact of these risk incidents on business interruptions.
  2. Risk response
     • Taking into account the Company's business strategy and operating objectives, we have established appropriate business interruption recovery targets that reflect the acceptable level of risk throughout the organization.
     • We have developed a comprehensive business continuity strategy and formulated a business continuity plan. This plan includes a response mechanism and a clear order of business recovery.
     • We organize education and training programs to ensure employees are well prepared for business continuity procedures.
     • Regular drills and test runs are executed to validate the effectiveness of the business continuity plan and ensure that all necessary steps can achieve the intended business continuity objectives.
  3. Risk monitoring
     • The Business Continuity Plan is regularly reviewed and updated.
     • Supervision of, and reporting on, the business continuity management mechanism is conducted.

For other relevant risk identification, measurement, and actual result management and scenario analysis, refer to CTBC Holding’s 2022 TCFD Report.


Indicators and goals

Taiwan Life currently tracks and monitors key climate indicators, including energy use, carbon emissions, water resources, land use, waste, and other air and water emissions. We have used 2020 as the base year, and set targets for reducing carbon emissions, water use, and waste each by 5% by 2025. In terms of carbon inventory, we have received ISO 14064-1 greenhouse gas inventory certification and disclose our related performance on our website every year.

Epidemic prevention emergency measures

Contingency plan for major infectious disease incidents

Amid the COVID-19 pandemic, Taiwan Life formulated a Contingency Plan for Major Infectious Disease Incidents for the Company and its branches, subsidiaries, and overseas branches in accordance with the policy and practical operating needs of the competent authority, in order to prevent serious infectious diseases from endangering employees’ health or affecting the Company’s business activities.

Helping staff stay healthy

During the COVID-19 pandemic, employees have been the primary concern of the Company. We have proactively raised awareness of COVID-19 health-related matters, including that employees with a high temperature should stay home and seek medical treatment as soon as possible. We have also issued guidance for employees regarding overseas travel and self-health management, established a pandemic-related notification mechanism for employees, and implemented on-site management measures to limit physical interaction. When COVID-19 cases in Taiwan increased and the government raised the epidemic alert level, we significantly increased the proportion of employees working from home in order to minimize the flow of personnel and to effectively reduce the spread of the disease without interrupting our operations.

Providing customers with attentive service

As COVID-19 emerged, Taiwan Life quickly set up an emergency response care team. It devised and launched a number of customer care measures, including consolation payments for medical personnel, relaxed claim procedures, deferred premium payments, and deferred repayment of loan principal and interest or interest reductions, in line with the relief measures announced by the government. For hospitalization medical products currently on the market, we introduced the Taiwan Life Notifiable Diseases Waiting Period Exemption Endorsement, which removes the 30-day waiting period normally applied to notifiable diseases so that policyholders receive immediate health protection.
Furthermore, through our online insurance, video-based survivorship verification, and online claim settlement tools, customers have been able to access insurance, underwriting, and claim settlement services safely and remotely. These tools reduce the need for both customers and staff to travel to high-risk locations such as medical institutions and household registration offices.

Constant care for underprivileged people

Information security governance

The Board has approved an Information Security Policy and established an Information Security Committee convened by the President; the division-level supervisors reporting to the President, the Chief Risk Management Officer, and the Chief Compliance Officer serve as committee members, and the Chief Auditor is also invited to attend. The Chief Information Security Officer, who reports directly to the President, manages the Information Security Department, an independent department responsible for information security governance, maintenance of information security systems, and information security incident response. Key risk indicators for high-risk information security incidents are reported to the Board of Directors monthly in the Risk Management Department's Risk Integration Report, and overall information security performance is reported to the Board annually. To maximize the effectiveness of information security governance and management across the CTBC Holding group, Taiwan Life's Chief Information Security Officer meets weekly with the parent company, CTBC Holding, to review the group's overall vertical defense framework and build a safe financial environment.

● Information Security Committee
● International information security standards

Information security defense

According to the World Economic Forum's Global Risks Report, technology risks such as cyberattacks, data fraud or theft, and the disruption of critical information infrastructure remain high-risk threats. To control these risks effectively, we have included them among our key risk indicators and have built multi-layered defenses to block various types of attack in accordance with international standards such as ISO 27001 and ISO 22301. We have also strengthened our key risk prevention projects by applying appropriate protection mechanisms to detect and block information security threats at the network, application system, hardware, operating system, and data levels.
We continue to expand our investment in overall information security. Information security expenditure in 2022 increased by approximately 27% over the previous year, with 4% of the total Information Department budget allocated to information security. The number of staff dedicated to information security in 2022 also increased by 50% over the previous year.
We have developed a learning map that helps financial information security staff strengthen their core competencies step by step according to their roles and duties, while cultivating the information security talent the Company needs. In 2022, 11 information security specialists obtained a total of 20 international information security certifications. We also regularly conduct social engineering drills and awareness activities for employees on personal data protection and information security.

Monitoring and response

Taiwan Life, in cooperation with CTBC Holding, has set up an information security monitoring center that monitors the internal information security environment around the clock. An automated alert mechanism covers information systems and services, endpoint devices, data storage devices, and more. If an information security incident occurs, it is investigated and handled in real time in accordance with the Company's incident-handling and notification procedures. Incident data is also incorporated into the monitoring and control baseline of the Financial Information Security Monitoring Center, which improves the timeliness and effectiveness of correlating information security incidents with monitoring data and makes collaborative operations more efficient.

Information gathering and joint defense

We have joined the Financial Information Sharing and Analysis Center, and all threat intelligence received by our information security personnel is investigated and handled in accordance with the operational security management regulations of our information security management system. A rapid risk identification and evaluation mechanism is in place for abnormal traffic, malicious emails, and internal and external threat intelligence. The Company also regularly conducts emergency response drills covering personal data breaches, information security incident notification and response, and distributed denial of service (DDoS) attacks, in order to strengthen its defense and response capabilities and improve its information security resilience.

Personal information protection

The Company has an Emergency Response Plan for Personal Data Breaches. In the event of an information security incident or personal data breach, the Company notifies the relevant units at the earliest opportunity in accordance with internal regulations. If necessary, the incident commander sets up an emergency response center staffed by the incident management, communication and coordination, investigation and evaluation, and public relations and media task forces to handle the situation. After the incident is resolved, the responsible unit submits a detailed incident report and conducts a root-cause analysis to reduce the likelihood of recurrence.

The Company strictly protects customers' personal information. Information system screens display only the minimum data required for the business purpose at hand, reducing exposure and strengthening the defense-in-depth structure of information security. We also reinforce the defense-in-depth security of our infrastructure through data classification, internet access control, data leakage prevention software on personal computers, a browser isolation framework, network activity monitoring, and privileged account management, in order to defend against threats including DDoS and advanced persistent threat (APT) attacks. In addition, through information security performance evaluation indicators, the effectiveness of protection against malware, intrusions, and data leaks is monitored regularly, and departments whose results fall below standard are warned.
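The minimum-data display principle above is easiest to see in code. The following is an added example written for this page, not Taiwan Life's own system: a purpose-based release filter that returns only the fields a given business purpose is entitled to and partially masks identifiers that must be shown at all. The purposes, field names, masking rules, and the sample record are assumptions constructed for illustration.

```python
"""Purpose-based data minimization for a customer record view (added example).

Principle shown: a screen or API receives only the fields its business purpose
needs, identifiers are masked unless the purpose genuinely needs them in full,
and an unknown purpose gets nothing rather than everything.
"""
import json
import re

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "policy_no": "TL-2022-000123",
    "name": "Wang Xiaoming",
    "national_id": "A123456789",
    "phone": "0912345678",
    "email": "xiaoming@example.com",
    "diagnosis": "pneumonia",
    "premium_due": 12000,
}

# Assumed purpose -> field -> "full" | "masked". Fields absent from a purpose's
# policy are never released for that purpose (default deny).
PURPOSE_FIELDS = {
    "premium_reminder": {"policy_no": "full", "name": "full",
                         "phone": "masked", "premium_due": "full"},
    "claims_review":    {"policy_no": "full", "name": "full",
                         "national_id": "masked", "diagnosis": "full"},
}

# Taiwan national ID format: one uppercase letter followed by nine digits.
RAW_ID_RE = re.compile(r"\b[A-Z][0-9]{9}\b")


def mask(field, value):
    """Keep just enough of an identifier to confirm identity with the customer."""
    if field == "national_id":
        return value[0] + "*" * (len(value) - 4) + value[-3:]
    if field == "phone":
        return value[:4] + "***" + value[-3:]
    if field == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "***"  # unknown identifier type: never echo it


def minimize(record, purpose):
    """Return only the fields the purpose is entitled to, masking where required."""
    policy = PURPOSE_FIELDS.get(purpose)
    if policy is None:
        # Default deny: an unregistered purpose gets no data at all.
        raise PermissionError(f"no data release policy for purpose {purpose!r}")
    released = {}
    for field, mode in policy.items():
        if field not in record:
            continue
        value = record[field]
        released[field] = value if mode == "full" else mask(field, str(value))
    return released


def leaks_raw_id(view):
    """Audit check: True if a full national ID appears anywhere in the view."""
    return RAW_ID_RE.search(json.dumps(view)) is not None


if __name__ == "__main__":
    for purpose in PURPOSE_FIELDS:
        view = minimize(SAMPLE_RECORD, purpose)
        print(purpose, view, "raw ID leaked:", leaks_raw_id(view))
```

The `leaks_raw_id` check is the kind of guard a practitioner would wire into tests for every customer-facing view: it catches a policy entry that was accidentally set to "full" for an identifier, independently of which purpose requested the record.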