Data and Cybersecurity

Management Approach

The Company has established an IT Security Policy to support and promote business operations, and security practices for IT security, including computer systems, networks, software, critical systems, and data, to protect against potential cyber threats. This ensures secure, continuous, and efficient IT operations and communications. This policy refers to recognized cybersecurity standards and regulations, covering damage prevention for IT systems, incident and emergency response, and mitigation of operational and financial impacts on the Company. Additionally, the Company emphasizes awareness and understanding by communicating this policy to the Board of Directors, executives, and employees at all levels. The policy is subject to annual review, at least once per year.

IT Security Management

The Company recognizes the importance of maintaining IT security and the use of IT and communication systems within the Company, with the objective of preserving confidentiality, integrity, and availability of information systems, as well as other attributes, including authenticity, accountability, non-repudiation, and reliability. The Company has established information security guidelines as a framework for IT and cybersecurity management, which helps protect the organization and ensure stable operations. The Company’s security practices consist of a total of nine categories, as detailed below.

1. Maintaining security of access and controlling the usage of information and IT and communication systems.
2. Managing the information center by implementing physical entry controls for the information center.
3. Maintaining security in computer usage.
4. Maintaining security in internet usage and email communication.
5. Maintaining security in asset and network management.
6. Controlling security for operational activities.
7. Maintaining security in data backup and recovery.
8. Assessing risks in IT and communication systems.
9. Raising awareness of IT security

Preventive Measures for Cyber Threat Emergencies

The Company has established measures and processes to prevent cyberattacks and IT security threats, ensuring cybersecurity is maintained. These measures are outlined in the Company’s Information Security Guidelines, with details as follows:

1. Implementing a structured data storage and backup system based on data types, including operating system software, application software, and at least one set of commands and data, stored separately in different locations to ensure security and continuous usability.
2. Assigning responsible personnel for data backup, ensuring accurate and complete verification of data at least once per year.
3. Establishing a backup frequency schedule and performing data backups according to the defined schedule (at least once per year).
4. Preparing an emergency preparedness plan to restore the system within the specified timeframe, including creating a disaster recovery plan according to information security guidelines and reviewing the recovery plan at least once per year.
5. Creating an emergency response plan for situations where electronic systems are non-operational to ensure business continuity.

Internal Communication for Awareness Raising

The Company has arranged for raising awareness regarding IT security, by specifying the dissemination of information and training for employees within the Company to understand and not violate the Computer-Related Crime Act and various relevant IT regulations. Additionally, to raise awareness about responsibility in maintaining IT security, the Company has arranged the IT-related training courses within the Intranet system, consisting of the Cybersecurity for IT and IT Policy and Cybersecurity. Employees can access these courses for self-learning, covering key topics as outlined below.

• What is Cyber Security
• Fundamentals of Cybersecurity
• Types of Cybersecurity Threats
• IT Security Policies
• Cybersecurity Awareness