
Sustainability(2020)

Information Security

Information Security Management Framework

Mega Holdings established the Group's "Information and Digital Business Committee" in accordance with the Information Security Policy. The President of Mega Holdings serves as the convener and the Executive Vice President of the Electronic Data Processing Department serves as the deputy convener. The Executive Vice President responsible for information and digital banking at each subsidiary serves as a committee member. Meetings are convened at least once each year and may be convened at any time based on business requirements. The Committee discusses and reviews the information security of all subsidiaries, new types of information technologies, digital development, and information security incidents. The Electronic Data Processing Department is responsible for executing or coordinating the related resolutions of the Committee. Material issues or resolutions are reported to the Board of Directors and the Risk Management Committee.

MICB established a dedicated information security unit in June 2018 in accordance with the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries" of the FSC. The unit is responsible for the establishment and maintenance of the Bank's Information Security Policy and the establishment of overall information security protection mechanisms and contingency plans. The head of the Information Security Department serves as the Chief Information Security Officer (CISO) to take charge of planning, monitoring, and executing information security management operations. MICB established an inter-departmental "Information Security Response Meeting" to enhance information security and network security management, establish a secure and trustworthy operation environment, ensure data, system, equipment, and network security, and protect customer interests. Meetings are convened in June and December each year to facilitate discussions on business, transactions, information exchanges, and other information security issues.

Information Security Policy

The Company has established the Information Security Policy as the basis for information security measures implemented by the Company and subsidiaries. It clarifies the roles and responsibilities of employees in the planning, implementation, and continuous improvement of information security tasks. The Policy is reviewed at least once every year or reevaluated in the event of material changes to meet requirements in related regulations and the latest developments in technologies, organization, and operations.

Information Security and Network Risk Management

The Company continues to review and confirm the adequacy of related regulations and measures to respond to the network threats and changes in the risks brought forth by technological developments. We establish comprehensive network and computer security protection systems, implement protection and monitoring mechanisms for important networks, conduct regular vulnerability scans and improvements, execute penetration tests, and organize social engineering exercises and information communication security training to ensure the adequacy and effectiveness of information security and network risk management. MICB, MS, and CKI have completed related information security regulations and enhanced system protection. They also joined the joint defense system for financial information security to improve information security responses and protection of the organization.

To achieve the standardization and internationalization of the information security system, MICB introduced the Information Security Management System and obtained ISO 27001 Information Security Management System certification in 2015. It also passed the triennial re-certifications in 2018. To review the defense capabilities and risk conditions of the Bank's information security environment, MICB appoints professional information security companies to conduct penetration tests and various information security tests each year to respond to the information risks derived from online threats and applications of emerging technologies. MICB also purchased the "e-commerce and information security liability insurance" to ensure the sustainable development and reputation of the Bank.

MS continues to strengthen information security and performs a daily comparison check on the web transaction system to detect unauthorized alteration of company websites. It also added a Web Application Firewall (WAF) in December 2019 to enhance defense against hacking.
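The daily comparison check described above is, at its core, a content-integrity comparison: a digest of every served file is recorded after an approved release and compared against a fresh snapshot each day, so any added, removed or modified file surfaces as a finding. The following Python is an added illustration of that technique, not code from MS or Mega Holdings; the file names, contents and the function names (snapshot, compare, daily_check) are constructed assumptions, and the documents are held in memory rather than fetched from a real web server.

```python
import hashlib
from typing import Dict, List

def hash_content(data: bytes) -> str:
    """SHA-256 hex digest of one served document."""
    return hashlib.sha256(data).hexdigest()

def snapshot(documents: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to its digest. Run once after an approved deployment
    to produce the baseline, and again each day to produce the comparison set."""
    return {path: hash_content(body) for path, body in documents.items()}

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline.
    A path present in both with an identical digest is unchanged and not reported."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when the daily comparison found no deviation from the baseline."""
    return not any(report.values())

# Constructed sample data (assumption): the approved release, and what a
# crawl of the live site returned the next day.
APPROVED_RELEASE = {
    "/index.html": b"<html><body>Welcome to online trading</body></html>",
    "/js/app.js": b"function submitOrder(o){return post('/api/order', o);}",
    "/css/site.css": b"body{margin:0}",
}
TODAYS_CRAWL = {
    "/index.html": b"<html><body>Welcome to online trading</body></html>",
    # same path, different bytes: an unapproved change to a script
    "/js/app.js": b"function submitOrder(o){return post('/api/order', o);}\n// unexpected edit",
    # a file nobody deployed
    "/promo.html": b"<html><body>Limited offer</body></html>",
    # /css/site.css is missing from the live site
}

def daily_check() -> Dict[str, List[str]]:
    """One run of the daily comparison against the stored baseline."""
    return compare(snapshot(APPROVED_RELEASE), snapshot(TODAYS_CRAWL))

if __name__ == "__main__":
    report = daily_check()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind.upper():9s} {path}")
    print("clean" if is_clean(report) else "deviation detected: escalate per incident procedure")
```

In practice the baseline is written at release time and stored separately from the web servers so that whoever can alter the site cannot also alter the reference digests; a non-empty report is the trigger for the reporting and emergency-response steps, not an automatic rollback, since a legitimate but unregistered deployment produces the same finding.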

CKI introduced an information security management system in response to the information security risks arising from online insurance services, to comprehensively improve information security protection. CKI obtained ISO 27001 Information Security Management System certification in May 2017 and passed the ISO 27001 annual surveillance audit conducted by the third-party certification body SGS in May 2019, continuously reinforcing the protection of its information security systems. CKI also purchased an information security insurance policy.

Email Social Engineering Exercises and Information Security Training Programs

Mega Holdings continues to train employees every month, through e-mail reminders, training, and publications, to recognize e-mails from unknown sources and so reduce the information security risks posed by malicious links or attachments; the Company also organizes training courses on information security and personal information protection on a regular basis. To verify employees' awareness of social engineering e-mail attacks, the Company conducts e-mail social engineering tests on employees every six months. In the second half of 2019, MICB conducted e-mail social engineering tests on 6,923 employee accounts (including overseas branches and the Card Department), and the pass rate was 98.51%. Compared to 2018, the rate of deception decreased by 2.49%, showing a clear increase in employees' security awareness. For employees who failed the test, MICB has strengthened training on social engineering awareness to improve their information security awareness.

MICB provided employees with at least three hours of training on information security awareness to improve their information security know-how and build an overall information security awareness and culture. In 2019, MICB experienced no information security incidents, did not violate any regulations on customer information protection, and was not fined for any information security violation.

Information Security Measures

MICB has set up firewalls, anti-virus systems, intrusion defenses, and information security incident monitoring systems to prevent attacks on its information and network systems. These systems help the Bank quickly gain control of the situation in the event of an information security incident and carry out reporting procedures and emergency responses, with the aim of restoring information and network system functions in the shortest time possible. MICB established the "Information Security Incident Management and Reporting Guidelines" to ensure the regular operation of all businesses.

MICB uses regular "computer systems information security assessments" conducted by independent third parties, "SWIFT CSCF self-assessments", and "electronic payment project reviews" to examine the integrity and appropriateness of the existing control measures for the overall computer system and to uncover potential information security threats and vulnerabilities in time. The results of these assessments are used to implement technical and management control measures and to improve the protection capabilities of network and information system security.

Protecting Customers' Personal Information

MICB values every customer's privacy. All related internal personal information protection regulations are established in accordance with the latest domestic and overseas laws and regulations to ensure compliance with global standards. The President of the Bank also oversees the completion of the annual personal information self-assessment report, which is used as the basis for improvements. MICB also appoints CPAs to conduct personal data protection project reviews and incorporates the review results into the internal control report submitted to the Board of Directors. It has established a comprehensive compliance system for protecting personal information. MICB has set up information security management systems with a continuous improvement mechanism and installed firewalls and anti-virus software on important nodes in accordance with the Information Security Policy and the Directions for the Management of Information Security. MICB also organizes drills of important emergency procedures on a regular basis. MICB also conducts vulnerability scans and penetration tests from time to time, using test methods similar to those of real attackers, to evaluate the Bank's overall information security defenses from diverse perspectives and to make up for the deficiencies of penetration tests alone. The Bank also uses these tests to improve employees' response to new forms of attack and thereby reduce the impact of information security incidents on the Bank. The test results serve as the basis for enhancing information security development plans.