The 5th session of the Board of Directors was elected at the Annual General Meeting held on May 22, 2023. Directors are elected under the candidate nomination system, in which candidates are nominated by shareholders holding more than 1% of the shares and by the Board of Directors, in accordance with the Company’s “Memorandum and Articles of Association” and “Rules Governing the Election of Directors”. The 5th session of the Board of Directors is composed of 5 directors and 4 independent directors; the number of independent directors increased compared with the previous session. As the Company is an investment holding company, it does not conduct any business of its own. Although the Company’s Chairman and CEO are the same person, the Chairman and the CEO (or other equivalent highest-level manager) are not the same person in the Company’s important subsidiaries, such as Chailease Finance Co., Ltd., FINA Finance & Trading Co., Ltd. and Chailease International Finance Co., Ltd. Hence, the actual business operation is consistent with the spirit of corporate governance.
To assist the Board of Directors with legal compliance, strengthen corporate governance, and build a culture of compliance, the Company appointed a dedicated Corporate Governance Officer to ensure that company strategies conform to all legal and regulatory requirements. Regular Board meetings are called and chaired by the Chairman at least quarterly in compliance with the “Rules and Procedures of Board of Directors Meetings”. The meeting agenda and materials are circulated to directors 7 days before the meeting to ensure that directors have sufficient information to take part in discussions and decision-making, and to facilitate the Board’s oversight and direction of the Company and the management team. The Company specifically states in the “Regulations Governing Evaluation of the Performance of the Board of Directors” that the average of a director’s attendance rate at Board meetings and attendance rate at meetings of the committees on which the director serves shall be no less than 80%. 11 Board meetings were held in 2023, and the average attendance rate of all Board members reached 98% (100% if attendance by proxy is included). The actual attendance rate of each individual director also exceeded 90%.
To enable the Board of Directors to perform its functions effectively and to improve the quality of its decision-making, functional committees, namely the Audit Committee, the Compensation Committee, and the Corporate Governance and Sustainable Development Committee, have been established under the Board of Directors, each with its own authority and functions. On April 10, 2023, the Board of Directors further resolved to adjust the structure and elevate the Risk Management Committee to a functional committee under the Board of Directors. The Management Committee has been established under the Chairman of the Company and is responsible for discussing important issues related to economic, environmental, and social risks.
The functional committees are either composed of independent directors or include independent directors among their members, so that the decisions and recommendations of the committees are forward-looking, objective and thorough, and the mechanisms of independent supervision and checks and balances are effectively implemented. All resolutions and actions of the committees are reported to and discussed by the Board of Directors. If a director has a personal interest in a matter, or represents a legal entity that is an interested party in the matter, the director shall recuse themselves from the meeting. Some motions are also reported and discussed at the Shareholders’ Meeting, in the best interest of relevant stakeholders.
The Company has established “Audit Committee”, “Compensation Committee”, “Corporate Governance and Sustainable Development Committee” and “Risk Management Committee” under the Board of Directors. These committees enhance the function of the Board of Directors, improve the independence of supervision and protect the rights of shareholders. The main responsibilities and status of each functional committee are as follows:
The Company sets sustainable business operation as its core mission and is devoted to strengthening the corporate governance mechanism, improving the risk management system and fulfilling its ethical management policies. To enhance the functionality and efficiency of the Board of Directors as the highest corporate governance unit, the professionalism, diversity and independence of directors are highly valued. The 5th session of the Board of Directors (including independent directors) was elected at the Annual General Meeting held on May 22, 2023. The Company’s internal regulations contain specific rules on handling situations in which a director’s own interests conflict with those of the Company. A director who is an interested party with respect to any agenda item of the Board of Directors cannot participate in the discussion or voting on that item, cannot hold a proxy for any other director on that item, and shall recuse themselves during the discussion and voting. Directors adhere to a high level of self-discipline and strictly recuse themselves from discussions and votes on proposals where a conflict of interest exists between the Company’s interests and the interests of the director or the legal entity the director represents.
The Company fully disclosed the concurrent positions of the directors, the top ten shareholders and related party transactions in the 2023 Annual Report. For details, please refer to P.15~17, P.96 and P.260~265 of the 2023 Annual Report.
The composition of the Board of Directors should take into account the Company’s mid- and long-term development strategy, changing trends in the external environment, major issues for sustainable management, and the Board’s overall configuration and diversity. The selection guidelines include, but are not limited to, the following:
(1) Basic requirements and values: gender, age, race, nationality, and cultural background;
(2) Professional knowledge and skills: professional background, professional skills and industry experience.
The members of the 5th session of the Board of Directors have professional backgrounds covering finance, IT, health care, energy, law and financial accounting, and have rich practical experience in corporate management, legal compliance, international taxation and corporate governance. They all have the expertise and abilities required to perform their duties. All directors are further provided with annual external training sessions that help them improve their professional capabilities and their understanding of trending issues. In 2023, in support of the global net-zero emissions target and to enhance risk awareness, the session topics included “Carbon Management Trends & Responses to Net Zero” and “Global Risk and Corporate Social Responsibility”. Every director completed at least 6 hours of certified training, in line with the recommendations of external regulators. For details regarding the implementation of diversity and independence of the Board of Directors at the Company, please refer to P.18~22 of the 2023 Annual Report of the Company.
Independent directors are non-executive directors who are considered independent by meeting at least 4 of the 9 criteria listed below (including at least 2 of the first 3 criteria):
1. The director must not have been employed by the company in an executive capacity within the last year.
2. The director must not accept or have a “Family Member who accepts any payments from the company or any parent or subsidiary of the company in excess of $60,000 during the current fiscal year”, other than those permitted by SEC Rule 4200 Definitions, including i) payments arising solely from investments in the company's securities; or ii) payments under non-discretionary charitable contribution matching programs. Payments that do not meet these two criteria are disallowed.
3. The director must not be a “Family Member of an individual who is [...] employed by the company or by any parent or subsidiary of the company as an executive officer.”
4. The director must not be (and must not be affiliated with a company that is) an adviser or consultant to the company or a member of the company’s senior management.
5. The director must not be affiliated with a significant customer or supplier of the company.
6. The director must have no personal services contract(s) with the company or be a member of the company’s senior management.
7. The director must not be affiliated with a not-for-profit entity that receives significant contributions from the company.
8. The director must not have been a partner or employee of the company’s outside auditor during the past year.
9. The director must not have any other conflict of interest that, in the board’s own determination, would prevent the director from being considered independent.
To fulfill corporate governance and enhance the effectiveness of the Board of Directors, the Company has established the “Regulations Governing Evaluation of the Performance of the Board of Directors” pursuant to the “Corporate Governance Best-Practice Principles”. The Company conducts performance evaluations of the Board of Directors and functional committees every November, covering the evaluation period from November 1 of the preceding year to the end of October of the current year. The evaluation scope covers the performance of the Board as a whole, the functional committees and individual directors. The performance evaluation is assessed by questionnaire on a scale of 1 to 5 (5 being the full score), with the assessment items as below:
If 90% or more of the measurement indexes reach 4 points or more, the internal performance evaluation results in a grade of “Exceed the Standard”; if more than 80% but less than 90% of the measurement indexes reach 4 points or more, the result is a grade of “Meet the Standard”; if less than 80% of the measurement indexes reach 4 points or more, the result is a grade of “Moderately Unsatisfactory”.
Please refer to the Company’s website for the board performance evaluation report of 2023 (https://www.chaileaseholding.com/en/CorporateGovernance/Directors).
Every three years, the Company commissions a third party to perform an external performance evaluation. In 2023, the Taiwan Corporate Governance Association (hereafter “TCGA”) was engaged to conduct the board performance evaluation. The TCGA and its evaluation experts have no business relationship with the Company and are independent. The evaluation procedures included not only a review of written descriptions of the assessment indicators and supporting documents, but also face-to-face meetings between the TCGA and the directors, each functional committee convener, and top management. Drawing on its wide experience in corporate governance assessment, the TCGA examined the operation of the Board of Directors and each functional committee from 8 aspects: the composition, direction, authorization, supervision, and communication of the board; internal control and risk management; self-discipline of the board; and board meetings and the supporting system. The Company obtained objective comments and suggestions from the Board Performance Evaluation Report issued by the TCGA on December 4, 2023. The Company reported the TCGA’s suggestions on the above matters and the measures to be taken to the Board on March 23, 2023, and amended the “Regulations Governing Evaluation of the Performance of the Board of Directors” at the same meeting to enhance the operational efficiency of the Board.
In order to continuously strengthen corporate governance, the Company complies with external regulations while drawing lessons from the indicators of international assessments. In 2023, the Company revised the “Corporate Governance Best-Practice Principles”, “Corporate Sustainable Development Best Practice Principles”, “Risk Management Policy” and “Human Rights Policy”.
In response to the revision of the scope of Taiwan’s Money Laundering Control Act, which added financial leasing activities, the Company will implement all legal requirements and procedures required of financial leasing companies. Chailease will do its utmost to coordinate with the competent authorities. While fulfilling our corporate social responsibility and combating money laundering and terrorist financing, we adopt a “risk-based” approach to remain compliant with financial regulations while continuing to grow our business. To achieve this, we regularly update and refine our risk assessment methodologies, leveraging technology and data analytics tools to enhance the effectiveness of our AML/CFT management actions. A summary of the 2023 anti-money laundering and counter-terrorist financing work of the Company’s overseas subsidiaries is as follows:
In order to comply with the Anti-Money Laundering Law, the Anti-Terrorism Law and the Anti-Money Laundering Measures for Financial Institutions, the Company has formulated the “Anti-Money Laundering and Anti-Terrorism Policy” and the “Procedures for Group Anti-Money Laundering and Countering Terrorist Financing Information-Sharing”. In addition to complying with the holding company’s rules and regulations, its major subsidiaries have also formulated their own internal regulations in accordance with the norms and references of the competent authorities and the Association. Their dedicated units report the effectiveness of implementation to the Board of Directors on a half-yearly basis, and the Board of Directors puts forward suggestions or provides support in light of the concrete facts, so as to build a Board culture that focuses on the prevention of money laundering and the combating of terrorist financing.
● Establishing a Group-Level Information Sharing Platform
Important subsidiaries of the Company have also established the Group’s own list-sharing mechanism. At the beginning of each month, the Company asks each examination unit whether it has customers on the lists that meet the Group’s attention criteria; if so, the unit provides the company name, list type, name, gender, nationality/country of incorporation, date of birth/establishment, and beneficial owner information to the dedicated unit, and each subsidiary’s dedicated unit consolidates the information and replies to the Holding Company’s Legal Affairs Group. The purpose of this Group-wide information-sharing mechanism for the prevention of money laundering and combating of terrorist financing is to strengthen the monitoring and control of customer status and unusual transactions across subsidiaries, to effectively reduce working hours, and to strengthen data maintenance and management, so as to enhance the effectiveness of the Group’s integrated money laundering and terrorist financing risk management. Systemization of the Group’s information-sharing operations is expected to be completed by the end of 2024.
During the more severe period of COVID-19, the training course was changed to a recorded online course; the course topics were mostly issues and current events closely connected with the business units’ practical operations, such as the war in Ukraine and international sanctions, the customer acceptance policy, virtual assets, online gambling, and so on.
In 2023, the Company’s major subsidiaries, Chailease and Fina Finance, collectively offered 46 education and training sessions. All AML/CFT supervisory officers have obtained the internationally recognized Certified Anti-Money Laundering Specialist (CAMS) certification and regularly receive relevant training in courses (including online training) held by internationally recognized anti-money laundering specialists, in response to international trends and changes in laws and regulations, so as to understand the latest money laundering prevention and counter-terrorism operations and make adjustments accordingly.
“Trust” and “discipline” are major cornerstones of our corporate culture, and employees are held to high moral standards in undertaking work for the Company. They are charged with embodying the corporate philosophy in their daily work, and every employee has the responsibility to maintain the Company’s good reputation, honor laws and regulations, avoid conflicts between personal interests and Company interests, guard the confidentiality of Company and client information, and act according to the letter and spirit of all relevant laws and regulations. Major operational and managerial actions of the Company are grounded in information disclosure, adherence to law, risk management and honest operations.
Since Chailease Holding was publicly listed on the Taiwan Stock Exchange in 2011, it has participated in the Company Information Disclosure Evaluation. After three years of continuous effort, the Company’s rank improved to the best rating of A++. In the process, the Company implemented relevant laws and regulations, improved the establishment of policies and guidelines, and voluntarily disclosed information in order to enhance transparency. The Company also participated in the Corporate Governance Evaluation conducted by the Taiwan Stock Exchange and the Taipei Exchange. Of the 1,617 listed companies that participated, Chailease Holding ranked in the top 5% as many as 7 times.
In addition to publicly disclosing revenue on a monthly basis as stipulated by law, Chailease Holding voluntarily announces its profit situation before the 25th day of every month in order to give the investing public a more immediate grasp of its revenue and profits. The Company website fully discloses all significant information, including complete financial operations, important resolutions of the Board of Directors and important regulations, providing complete information disclosure services. To ensure a complete public disclosure mechanism, a clear internal implementation process has been established and responsibilities have been assigned. Information is classified by type and attribute, and the relevant business units are responsible for it. An internal division of labor, reviews, and a confirmation mechanism all ensure the accuracy of the information. In 2018, the Company also amended the Chailease Holdings Information Announcement and Application Procedures. The Regulatory Compliance Unit also publicly provides information on relevant external laws and regulations and updates it accordingly for the other business units’ reference.
When Chailease Holding went public in 2011, it voluntarily raised its regulatory compliance standards. Just like financial institutions, it established special business units to develop regulatory compliance management practices. Other major subsidiaries, including Chailease Finance Co., Ltd. and Chailease International Finance Corporation, also developed regulatory compliance management practices. They regularly hold regulatory compliance training and awareness programs to ensure their operations and products comply with internal and external regulations. In addition, they conduct annual internal regulatory compliance inspections and report the results to the board of directors.
Chailease has a Corporate Governance Officer. Besides statutory compliance matters, the Corporate Governance Officer is in charge of corporate governance affairs, including but not limited to ensuring that the Company’s operations and internal policies comply with the most recent requirements of relevant regulations and laws, conducting regular legal compliance internal training for targeted departments, and conducting the legal compliance self-examination for the year. The results of the legal compliance self-examination in 2022 were in compliance with laws and regulations, and there were no significant instances of non-compliance with laws and regulations in 2023 (no violation of law that would impact the daily operation of the Company).
In 2023, the self-inspection results of Chailease Holding and its significant subsidiaries in Taiwan were all in compliance with laws and regulations, and there were no major violations of laws and regulations (a major violation of laws and regulations refers to a violation of laws and regulations that has resulted in a fine of up to NT$3,000,000 or a fine from the competent authority that affects the day-to-day operations of the business, e.g., termination of the listing of the company or revocation of the business license).
The internal control systems of the Company are management processes designed by its managers, approved by its Board of Directors, and implemented by the Board of Directors, managers, and other employees for the purpose of promoting the sound operation of the Company, so as to reasonably ensure that the following objectives are achieved:
1. Effectiveness and efficiency of operations.
2. Reliability, timeliness, transparency, and regulatory compliance of reporting.
3. Compliance with applicable laws, regulations, and bylaws.
Central bank interest rate hikes, the collapse of foreign banks, and geopolitical risks in 2023 caused a steady decline in world growth, and the risk of wider restrictions on the movement of people, goods and services reduced business and consumer confidence and slowed down production. In facing the overall economic environment, we always uphold the concept of risk management in order to take advantage of industry developments and future prospects. By adopting a diversified customer base and diversified industry exposures, and through geographic dispersion, we effectively lower the risk from any market changes that may occur.
Key subsidiaries have established Risk Management Committees that meet quarterly to maintain a robust and effective risk management mechanism and formulate risk management policy. The Committees also manage and supervise financial assets, manage potential risks arising from all Company business, and adjust the normal ratio of allowance for bad debts based on asset quality. In addition, there is a model to assess client credit risk, along with two methods for evaluating credit risk for corporate financing and micro-enterprises; both were awarded a patent by the Taiwan Intellectual Property Office.
Based on the emerging risks identified in the World Economic Forum Global Risk Report, the categories of emerging risks are increasing year by year, and so is their probability of occurrence. In order to strengthen the management of emerging risks, the Company has established an emerging risk identification and management procedure: it assesses the impact and likelihood of risks, formulates mitigation measures for important emerging risks, and regularly follows up on and reviews the implementation results.
We have analyzed the emerging risks identified in the World Economic Forum’s (WEF) Global Risk Report. The internal risk management unit reviewed each risk in terms of its degree of impact, its probability, and the Company’s preparedness and adaptability (vulnerability) to it, and drew up a matrix of emerging risks. Compared with the emerging risks of recent years, we identified the emerging risks with high impact and likelihood of occurrence for the Company, including geo-economic conflict risk, generative AI risk, and decarbonization risk, and proposed mitigation measures for the emerging risks with significant impact.
The “Corporate Governance and Sustainable Development Committee” is responsible for promoting business ethics. The Company has business ethics related regulations such as the “Ethical Corporate Management Best Practice Principles”, “Procedures for Ethical Management and Guidelines for Conduct”, “Corporate Governance Best-Practice Principles”, “Corporate Sustainable Development Best Practice Principles”, and “Ethical Conduct Best Practice Principles”.
The Company serves its customers in accordance with the Ethical Conduct Best Practice Principles, strives to compete in the marketplace in an honest manner, and does not use illegal or unethical means to gain results. Chailease Holding and its significant subsidiaries in Taiwan were not involved in any corruption or bribery, fraud, insider trading, or anticompetitive, antitrust or monopolistic practices, and there were no lawsuits or penalties related to market manipulation in 2023.
All directors and senior executives of the Company have signed the "Integrity Statement" which has been disclosed on the Company's website. The Integrity Statement declared that the Company and all of its employees shall not directly or indirectly offer, promise to offer, request or accept any improper benefits, nor commit unethical acts for purposes of acquiring or maintaining benefits while engaging in commercial activities, in order to implement the integrity management policy, actively prevent dishonesty, and declare the determination and commitment of the board of directors and senior management to operate in good faith. All new recruits must attend the course on the Ethical Corporate Management Best-Practice Procedure and Code of Conduct, and regular training was also provided for existing employees.
In order to further enhance ethical management, the Company has implemented the ISO 37001 Anti-Bribery Management System and formulated the “Anti-Corruption and Anti-Bribery Policy”. The Policy sets forth the prevention of corruption and bribery, guidance for stakeholders on preventing corruption and bribery, the establishment of the ethical management policy, and the implementation of corporate social responsibility and sustainability.
Chailease’s ISO 37001 Anti-Bribery Management System received certification from BSI in May 2023 and passed the validity audit in January 2024. Currently, the scope of the ISO 37001 Anti-Bribery Management System is Chailease Holding Company Limited; the Company will evaluate the possibility of extending the scope of the system to subsidiaries.
The Company’s policy regarding director insurance goes beyond current legal requirements. Since going public in 2012, the Company has purchased liability insurance for its directors. In August 2017, at a special shareholder meeting, the Articles of Association were revised to add retired directors to the scope of compensation, and indemnity agreements are also signed with each director. At the same time, the Company purchases Directors and Officers Liability Insurance to cover damages to third parties caused by wrongful acts of directors, supervisors and company officers in the course of their executive duties, and to provide those third parties with a means to pursue a claim. The insurance also helps to mitigate financial risks to the Company caused by litigation and ensures healthy company operations.
Insurance for “Employee Integrity Risk”, with the Company as the insured, protects against dishonest actions by employees (such as legal or financial accounting personnel) that might cause grave damage to the Company or the loss of Company assets or assets the Company is charged to steward. This transfers operational risk to the insurer, reducing losses to the Company and thereby protecting shareholder interests.
The Company and its subsidiaries have established the Whistle-Blower Policy, the Procedures for Protecting Whistle-Blower, the Regulations of Prevention, Correction, Complaint and Punishment of Sexual Harassment, and the Regulations of Prevention, Correction, Complaint and Punishment of Unlawful Violations in Workplace. Personnel within the Company and people outside it can report improper actions, corruption, or actions in violation of the Code of Conduct through the established public hotlines, the e-mail mailboxes on the official website, and the postal mailbox. The Whistle-Blower Policy specifies the dedicated receiving units, the independent investigation units, and the acceptance and investigation schedule for misconduct and malpractice. If an unlawful infringement (including discrimination and sexual or non-sexual harassment) has been verified, Chailease may transfer, demote, cut the pay of, or otherwise punish the employees involved based on relevant regulations such as the working rules, depending on the severity of the infringement. If the investigation shows a criminal offense, Chailease will help complainants take legal action and transfer the case to the judicial authorities.
Once a report or complaint has been verified as not being a false allegation or based on incomplete information, it is investigated by the independent investigation unit appropriate to the nature of the report or complaint. When the allegations are substantiated, appropriate disciplinary action is taken in accordance with the Company’s Personnel Reward and Punishment Regulations, and internal communication on compliance with the Company’s discipline and regulations is enhanced.
The “Procedures for Protecting Whistle-Blower” require that the identity of the whistleblower be kept strictly confidential. All information disclosed during the course of the investigation must also remain confidential.
In order to implement the ISO 37001 Anti-Bribery Management System, the Company has amended the “Whistle-Blower Policy” and “Procedures for Protecting Whistle-Blower”. The amendments mainly include adding reporting channels for different types of events, specifying different investigation arrangements for different levels of management, and strengthening whistle-blower protection.
Among the concerns and complaints raised to the Company and its subsidiaries in 2023, 34 reported cases were investigated and substantiated. The employees who violated the Company’s discipline or regulations were punished in accordance with the Company’s Personnel Reward and Punishment Regulations, and internal communication has been carried out. (Note: the 59 employees involved in the above 34 cases represent approximately 0.6% of the Company’s total of 9,887 employees at the end of 2023.)
In order to effectively promote information security work, the Company established the “Information Security Committee” in accordance with the “Regulations for Information Security Policy” to take charge of promoting and governing information security, monitoring and managing information security risks, and reporting major information security incidents. The Committee holds a meeting at least once a year and may convene a meeting to report major decisions to the Board of Directors when necessary.
In 2022, in accordance with the “Regulations Governing Establishment of Internal Control Systems by Public Companies”, the Company set up a Chief Information Security Officer, an information security supervisor, and a dedicated information security department. Professional information security personnel coordinate the information security management system and compliance, information security analysis and monitoring, threat and vulnerability management, incident response, and so on.
Considering relevant business development and demands, the Company established the “Information Security Policy” to strengthen the management of information security, build a safe and reliable information operating environment, and ensure information, system, equipment and network security. Moreover, the Company also stipulated “Guidelines for the Management of Information Security” and other management regulations and established control systems, in accordance with relevant matters stated in the policy. For the content of relevant policies, please refer to the Important Articles of Incorporation for Company Governance on the company website.
In accordance with the provisions of Articles 8 and 9 of the "Regulations Governing Establishment of Internal Control Systems by Public Companies", Chailease has established internal control systems and related operational specifications for the information cycle and other aspects of the management environment, including personal information and computerized information systems. At the same time, to comply with the provisions of Article 13 of the Regulations, the Company's information and communication security inspection is included in the annual audit plan.
To implement the self-supervision mechanism for information and communication security, and to ensure that the internal control systems for the information cycle and personal information processing can be adjusted in time in response to changes in the environment, thereby reducing the risk of negligence in information and communication security operations, each unit decides on its own assessment procedures and methods in accordance with relevant internal and external laws, regulations, and risk assessment results. The frequency of execution depends on the nature of each unit's work, but the assessment must be performed at least once a year, and improvements are proposed for the defects and abnormalities found. The results of the self-assessment are sent to the internal audit unit, which reviews them together with the implementation of the self-assessment.
The independent internal audit department shall draft an annual information security audit and inspection plan according to the results of self-risk evaluation and risks of each operation unit. This audit and inspection plan shall be submitted to the management and the internal audit department shall conduct due diligence based on the plan. Reports of due diligence will be submitted to the management. Defects and recommendations thereof will be tracked and improved within a due date.
Each unit's new recruits are required to attend education and training classes covering specific information security topics, the company's internal rules, related laws, cybercrime, and general knowledge of information security. Each year, information technology-related departments shall establish an annual education and training program and arrange for personnel to participate in external workshops accordingly. Those participating in training courses will also need to pass the relevant professional examinations. We also arrange for companies with expertise to introduce (or educate about) important information security projects and to conduct related case studies.
Regarding the management of the information service processing procedure, Chailease takes information management as its basis and builds demand management, incident management, problem management, change management, requisition form management, online management, knowledge management, and usability management, supplemented by a risk management orientation. From the demands for information services at the user end to the final completion online or the solution of problems or demands, it keeps close tabs on information security.
With the rapid advancement of technology and the increasingly complex challenges in information security, the protection of sensitive data within enterprises cannot be overlooked and a robust information security culture is crucial for the stability of business operations. The promotion and training of information security awareness among employees are key success factors in implementing information security policies. Information security training not only enhances employees' awareness but also effectively reduces the information security risks associated with internal errors or malicious actions. Recognizing this, the company actively invests in information security education resources and consistently takes note of effectiveness.
The Information Technology Department provides gateway and endpoint protection functions, as well as quarantine alerts for virus programs. Moreover, the department can further detect suspicious external intrusion behavior through network flow control and analysis. In addition, to improve threat detection speed and response time, XDR (Extended Detection and Response) was introduced comprehensively to collect and automatically cross-correlate data from multiple protection layers, providing faster threat detection through more rapid information security analysis and improving investigation and response time.
Enterprise Mobility Management (EMM) was gradually introduced. When employees use mobile devices to send and receive emails or perform remote connection operations, their access rights are minimized and controlled according to the “need to know” principle, and it is ensured that no data is stored on the endpoint. In other words, to truly protect the company's operational information and customers' personal information, company data cannot be stored externally on mobile devices.
A dedicated information security department has been set up and daily information security inspection operations have been formulated to ensure that all information security equipment performs its detection and defense functions as expected. Potential external and internal information security threats are discovered and eradicated by analyzing the warning signs and records generated by the equipment, and information security equipment is integrated with operating processes to prevent threats before they happen.
In response to the company's heightened concern for sensitive data security in 2023, the implementation of Data Loss Prevention (DLP) technology has been successfully completed in Taiwan. The DLP system enables real-time monitoring, detection, and prevention of potential information leaks, ensuring the continuous surveillance of sensitive data usage. Monitoring reports are also regularly provided to mitigate the risk of data breaches proactively.
To establish a zero-trust foundation, the company implemented a multi-factor authentication system in 2023. By combining different authentication factors, this move strengthens the identity verification mechanism, providing higher security than single-factor account and password authentication. This ensures that only authorized personnel can access company resources, thereby reducing the risks of improper system usage and identity theft.
The vulnerability scanning of servers and the penetration test of the main website were completed in 2023. This involves scrutinizing potential vulnerabilities in servers and websites to ensure their resilience against various potential threats. Following the completion of the assessment, we integrated the assessment report with current security control measures to evaluate the vulnerability risk levels under the controls of the information environment. Subsequently, we formulated and implemented a vulnerability remediation plan. The security assessments are conducted twice a year to ensure real-time control of new vulnerabilities and threats.
The vulnerability scanning platform was established in 2023. In addition to conducting vulnerability scans through external vendors regularly, this platform also enables real-time responses to emerging information security threats. It integrates with internal operational processes to proactively detect potential security vulnerabilities and validate the effectiveness of remediation for vulnerabilities. This aims to establish a more comprehensive vulnerability management system.
The phishing e-mail drill was completed in 2023. Phishing emails designed to closely resemble hacker attack methods were sent to all employees in Taiwan to test their information security vigilance and awareness. After statistical analysis of the drill results, information security training materials were designed, and an information security awareness announcement was established and published regularly to help employees understand the latest social engineering techniques and continuously improve the overall level of information security awareness.
Information security insurance was implemented in 2023, transferring the financial risk of information security impacts and mitigating the damage and impact of information security incidents, so as to enhance the company's risk tolerance and resilience.
In response to potential risks such as information security, human rights, privacy, ethics, and legal implications arising from the global wave of generative AI, referencing "Reference Guide for the Use of Generative AI by the Executive Yuan and Affiliated Agencies," the company has formulated internal "Guidelines for the Use of Generative AI" in 2023. This aims to provide employees with consistent usage principles and awareness, ensuring safe, reasonable, and effective utilization to mitigate potential information security risks.
In 2023, two disaster recovery environment drills were conducted in accordance with the regulations: one recovery drill for the information department, and one remote recovery drill covering the information department together with the front-end and back-end systems. These exercises provide the best protection measures for the enterprise's internal systems and data, minimizing the recovery time from system interruptions and reducing the data loss caused by operational interruptions through reasonable means and methods. In 2023, there were no fines or operational losses due to information equipment problems.
To standardize procedures for reporting and handling information security incidents, "Regulations on Incident Response and Notification Management for Information Security Events" was optimized in 2023. Processes for incident classification, severity levels, and response handling were established. In the event of an information security incident, actions will be taken within specified timeframes based on the severity level to complete damage control or recovery operations. After the incident is resolved, root cause analysis will be conducted, and corrective measures will be implemented to prevent recurrence.
When the enterprise pursues continuous operation, and complies with the international standard management system to achieve the goal of organizational operation safety, thereby enhancing customer trust and becoming the most reliable partner: