Information Security Risk Management

Information Security Risk Management Framework

In response to climate change, Edison Opto follows the Task Force on Climate-Related Financial Disclosures (TCFD) framework, progressively promoting low-carbon transformation and climate adaptation in four major directions (as shown in the table). Upholding the belief in the co-prosperity of corporate growth and the natural environment, the company strives to implement green manufacturing, produce green products, introduce green innovation, and strengthen green management. These efforts are integrated into daily operations to continuously address climate change, energy management, and water management, while actively contributing to global sustainable development.

 

Information Security Policy

To strengthen information security management, Edison Opto has established a computerized information system processing cycle and security management standards. The Information Department is responsible for implementing various information security tasks. The policy is as follows:

  1. Maintain data integrity and availability.
  2. Ensure data access is regulated according to departmental functions.
  3. Prevent unauthorized use of data and systems.
  4. Reduce the risk of intrusion into the Company’s network systems.
  5. Prevent misuse of network resources.
  6. Strictly control access permissions for systems storing personal data in accordance with the Personal Data Protection Act.
  7. Conduct information security awareness campaigns for new and existing employees to enhance information security knowledge.
  8. Collect information security patterns, perform risk assessments, and promote preventive measures.

 

Specific Management Measures

To reduce information security risks and ensure that anomalies can be resolved in the shortest possible time to maintain normal operations, Edison Opto's information security management is implemented across the following dimensions.

Equipment Management and Protection

  • Update antivirus software.
  • Perform operating system vulnerability scans and apply patches.
  • Continuously monitor information security trends, implement timely countermeasures, and provide training.

External Risk Prevention

  • Implement firewalls to regulate external access and block intrusion attempts.
  • Establish spam filtering mechanisms to prevent phishing and social engineering emails.
  • Introduce two-factor authentication for remote work approval mechanisms.

Incident Response and Recovery

  • Establish system backup mechanisms and conduct restoration drills.
  • Develop contingency plans (e.g., in case of hacking or power outages).

Implementation Status

  1. In 2023, Edison Opto established a dedicated Information Security Unit, consisting of one Chief Information Security Officer (CISO) and one dedicated information security staff member.
  2. In 2024, the Company upgraded its firewall equipment and integrated external cybersecurity resources to mitigate hacking and phishing risks.
  3. To strengthen information security mechanisms and promote industry-wide intelligence sharing, Edison Opto joined the Information Security Officers Association of the Information Service Industry Association of R.O.C. (CISA) and the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) in 2023. Through participation in association exchanges, cybersecurity events, and receipt of threat intelligence, the Company has enhanced awareness and strengthened its defense capabilities.
  4. Data restoration drills were conducted during the year to ensure data availability and business continuity.
  5. A total of 50 employees participated in information security awareness training, supplemented by irregular updates on emerging cybersecurity threats.
  6. Information security personnel attended three external seminars on ransomware organized by third-party partners to enhance their professional expertise.
  7. To date, there have been no cybersecurity incidents impacting Edison Opto’s operations.
  8. Edison Opto regularly reviews its information security policy and reports to the Board of Directors. On November 1, 2024, the Information Security Unit presented to the Board an update on the Company’s information security risk management framework, policies, risk assessment results, and implementation measures.