ESG

Sustainability Highlights


Information Security Management

Digital transformation is a key strategy for HLC, and information security plays a central role within it. Internally, the Company has comprehensively revamped its official website and related applications and strengthened data integration mechanisms to ensure that both security and operational efficiency are enhanced simultaneously. By leveraging AI technology, we have enhanced smart customer service functions and reduced potential risks associated with manual handling of sensitive data. Therefore, HLC views information security as a crucial component of corporate competitiveness and incorporates it as one of the key objectives in its digital transformation blueprint. Through continuous optimization and technological upgrades, we actively respond to ever-evolving external challenges.

 

Information Security Management Policy and Governance Structure

HLC has established a Cybersecurity Management Organization. The Chief Information Officer (CIO) serves as the Chief Information Security Officer (CISO), responsible for reviewing the Company's information security management system objectives and implementation scope, chairing management review meetings, and making decisions about significant matters. We have also appointed cybersecurity professionals as cybersecurity consultants to provide guidance and consulting advice related to cybersecurity management and technical fields. The manager of the Operations Technology Office serves as the Executive Secretary, responsible for early warning and monitoring of cybersecurity status and for handling cybersecurity incidents. Information personnel are assigned to the "Cybersecurity Response Team" and the "Cybersecurity Audit Team" based on their tasks. The former is responsible for monitoring, responding to, and handling information security incidents to guarantee quick response and recovery of information assets in the event of a threat. The latter is responsible for internal audits and compliance reviews of the Information Security Management System (ISMS). After conducting internal audits annually, a management review meeting is held to report regularly to the CISO. In 2024, the Company implemented the ISO 27001 management system and continuously improved its information security management system, while obtaining external certification in August 2024.

 

Information Security Management Measures and Achievements 

HLC has established a comprehensive information security infrastructure to ensure the stability and security of both internal and external corporate services. 

Information Security Incident Response Management 

HLC conducts at least one information security disaster recovery drill annually to enhance its team’s response capabilities, while ensuring swift action according to Standard Operating Procedures (SOPs) in the event of an information security incident. At the same time, we test backup and recovery mechanisms to verify their effectiveness in real-world scenarios, thus ensuring that critical systems can resume operation smoothly. During these drills, we also simulate attacks or system failures. This helps us identify potential vulnerabilities in our information security strategies and technologies and allows for immediate remediation to strengthen our overall information security defense capabilities. 

To further enhance information security management, the Company has established a reporting and response mechanism for information security and personal data breach incidents, with incident classification, severity levels, and response procedures clearly defined. In the event of an information security incident, we will complete damage control or recovery operations within the specified timeframe based on the impact level of the incident. Afterwards, we will conduct root cause analysis and take corrective measures to prevent similar incidents from recurring. In 2024, HLC had no significant information security incidents.

 

 

 

Personal Data Protection

In terms of personal data protection, HLC has established a "Personal Data Affairs Office". This office is a task force headed by the Head of the IT Department, with key responsibilities including coordination and communication with competent authorities on personal data protection matters, emergency response reporting, personal data security incident reporting, and handling requests from data subjects to exercise their related rights. The Company adheres to relevant regulations, including the "Personal Data Protection Act," and has formulated a "Personal Data Management Policy" that clearly defines mechanisms for personal data collection, processing, utilization, and protection.

When collecting customer data, HLC adheres to the principle of data minimization, that is, collecting only the necessary information required to provide services. Customers can easily query, correct, or delete their personal data through convenient channels, thus ensuring full data transparency and control. All information is processed using advanced encryption technology and secured with a layered access control mechanism to ensure that only authorized personnel can access sensitive data. For data storage and deletion, the Company sets clear retention periods and safely destroys data upon expiration to prevent any unauthorized use. Furthermore, we conduct annual personal data inventory and risk assessments. We also consistently offer employee personal data protection training on a yearly basis. Additionally, all outsourced service providers are required to sign personal data protection clauses and non-disclosure agreements.

 

 

Enhancing Information Security Awareness

HLC is profoundly aware that information security and personal data protection rely on the collective efforts of all employees. Therefore, the Company has made information security and personal data protection mandatory annual courses for employees, to continuously reinforce the importance employees place on information security. New hires must complete mandatory personal data and information security courses upon onboarding to establish their foundational information security knowledge and allow them to understand the Company’s policies and regulations. This is supported by a testing mechanism to confirm training effectiveness; in 2024, 100% of new hires completed the training. All existing employees also undergo regular information security and personal data education and training, covering various functional roles’ needs, from basic information security awareness to advanced technical applications. Personnel from the IT Department participate in the "ISO 27001:2022 Information Security Management System Lead Auditor" training (40 hours) to assist the Company with self-inspection and improvement, thus ensuring compliance with certification standards. Additionally, to continuously enhance information security risk awareness, HLC conducts an annual company-wide computer audit, focusing on computer and device security, network security, software and application security, and data access permissions. We also periodically send information security newsletters to share information security news and new knowledge, promoting and conveying the Group's latest information security regulations and precautions.