We have established an Information Committee, with the Chairman of the Board as the director, the President as the executive deputy director, and the vice president in charge of information security as the deputy director. The Information Committee is the decision-making body for major information security matters, such as the Company’s management guidelines and policies. It is responsible for guiding the construction of information security systems. The general manager of the Information Department (Information Security Officer) will report on the Company’s network security every month.
We have formulated a sound information security system and technical standards and implemented corresponding management measures to protect the confidentiality, integrity, and availability of information systems, automation equipment, and data. Our group-wide information security management scope includes:
To address information security and privacy breaches, we have developed the “Information Security Incident Emergency Response Plan.” This plan categorizes various information security incidents, such as network interruptions and equipment failures, by their levels of severity and outlines procedures for emergency reporting, response, and disclosure. We conduct disaster recovery and backup exercises biannually. Additionally, we have established clear protocols and timelines for reporting information security emergencies: relevant on-site personnel must immediately report incidents to the department head, who then instructs relevant staff to manage the situation on-site according to established procedures. Direct reporting to leadership is required, and in urgent cases, reporting may escalate to the company’s principal executive. Upon receiving a report of an information security incident, the principal executive or direct managing leader must quickly mobilize a response, inform the company’s emergency response office, and, if necessary, notify local government or public security authorities.
We organize various information security awareness training sessions for all employees, such as activities related to information security and privacy protection, lectures, and disseminations on the work platform. Depending on the circumstances, employees who violate information security management regulations or fail to fulfill their information security responsibilities will receive penalties. Furthermore, information security work has become part of the appraisal of the digital transformation work of subsidiaries, accounting for 10%.