Information Security Management
- Information Security Committee
The Company held its first Information Security Committee meeting on 2024/6/24 to confirm the committee’s organizational structure, approve the information security policy, and review the Group’s overall cybersecurity plan. Moving forward, the Committee will convene at least once annually to ensure effective management implementation.
- Information Security Management Policy
The Company’s information security policy was approved by the Board of Directors, ensuring that the Group’s information systems remain secure and resilient, and that potential cybersecurity incidents are effectively prevented. The policy upholds the confidentiality, integrity, and availability of information assets, while promoting proper cybersecurity awareness among employees to safeguard the Group’s sustainable operations. The Company will continue to strengthen relevant policies and measures in accordance with this policy.
- Information Security Awareness Promotion
To enhance employees’ awareness and understanding of cybersecurity, the Company launched an information security awareness campaign starting from its Taiwan site. Each employee attended a 1.5-hour training session, with a total of 208 participants completing the course and test, of which 203 passed, achieving a 97.6% pass rate and a total of 312 training hours.
- Offsite Backup and Disaster Recovery
The Company performs daily tape and offsite data backups and is gradually establishing a more comprehensive offsite (e.g., cloud-based) backup system to ensure the secure preservation of critical information. To maintain the security of information systems, equipment, networks, and data, the Company conducts semiannual disaster recovery drills, with the 2024 drill carried out on September 9.
- Vulnerability Scanning
Regular vulnerability scans were conducted on servers in 2024, with results analyzed. A total of 55 servers were scanned.
- AD Account Login Failures
Regular reviews and management of AD account login failures were performed in 2024, completing 83 reviews.
- Information Security Drill
In 2024, no unauthorized software was detected on employee computers. Software inventories were automatically collected and reviewed by the IT Department, covering 253 devices.
- Phishing and Social Engineering Emails
A total of six simulation exercises were conducted in 2024, including the following scenarios:
1. 5/8: “Abnormality in your April salary, please correct your information.”
2. 6/3: “E.SUN Bank online account notification.”
3. 6/18: “MOMO Shopping website alert.”
4. 12/26: “Clock-in anomaly requires your attention.”
5. 12/27: “Parcel pickup notice requires your attention.”
6. 12/30: “LOTTO WIN.”
A total of 32 employees clicked on phishing emails. These employees were required to retake the information security awareness training and pass the related test. The exercises effectively enhanced cybersecurity awareness and strengthened vigilance against online security risks.
- Information Security Awareness Campaigns in 2024
1. 3/30: “New phishing-as-a-service platform exploiting RCS and iMessage for attacks.”
2. 6/26: “Publication of Information Security Policy in both Chinese and English.”
3. 9/25: “Necro malware hidden in popular browser and camera apps on Google Play Store.”
4. 10/28: “No surprise! These file types are most commonly used by hackers to conceal malware.”
5. 12/30: “Information Security Bulletin 20241230: U.S. plans to ban TP-Link routers.”
Customer Privacy Management
To ensure the security and proper management of customer data, ABC-ATEC has established a set of data protection principles. First, customers are clearly informed about the collection, use, and protection of their personal data to ensure transparency. Data collection follows the principle of minimization—limited only to what is necessary—and is aligned with specific purposes. De-identification measures are also implemented to reduce privacy risks.
In terms of usage, the company strictly limits the scope of application of customer data, ensuring it is used only for its original intended purposes and preventing misuse. For sensitive data, encryption measures are applied during transmission, such as through email, to ensure information security is not compromised.
Internally, access control is rigorously enforced—only authorized employees may access sensitive information. Department supervisors periodically review folder access permissions to ensure they remain appropriate. Through these measures, the company actively safeguards the security of customer data and ensures that personal information protection meets the highest standards.
Personal Data Protection
- In 2024, the company collected information to establish the Personal Data Protection Management Regulations, which are scheduled for release in 2025.
- An encryption mechanism has been implemented for email content and attachments. When special symbols such as “@@” or “##” are added to the email subject line, encryption is automatically applied.
- For emails containing sensitive information such as credit card numbers or ID numbers, the subject line includes “[!Personal information!]” to alert recipients to potential data privacy risks and ensure proper handling of such emails.

