Information Security Management
Information Security
In response to increasingly severe information security risks and challenges, the Company has established a “dual-focus” information security management strategy that emphasizes both technical safeguards and human awareness. By strengthening equipment protection, system defenses, and employee security awareness, the Company ensures the confidentiality, integrity, and availability (CIA) of its information assets.
To comply with relevant government regulations and further enhance the Company’s overall information security governance framework, the position of Chief Information Security Officer (CISO) was established in November 2023, along with the formation of an Information Security Task Force responsible for promoting, supervising, and reviewing information security management activities.
ARIZON RFID appointed the General Manager of the Taiwan subsidiary as CISO, leading information technology personnel from both the Taiwan and Yangzhou sites to form the Information Security Task Force.
Information Security Management Strategy
The CISO is responsible for the planning, implementation, coordination, supervision, and review of information security policies and systems, while task force members carry out information security management activities according to their assigned roles and responsibilities.
The Information Security Task Force convenes quarterly (four times per year). At least once annually, it reviews information security policies and objectives, conducts internal security health checks and audits, proposes concrete management plans and improvement measures, and regularly reports information security performance and progress to the Board of Directors.
In 2025, a total of four information security working group meetings were held to ensure the implementation of management objectives, and a report was presented to the Board of Directors on November 11, 2025.
Specific Management Measures
To effectively implement information security management, the Company has adopted the following measures:
- Invested in firewalls and core network switches, and implemented network segmentation and the principle of least privilege to reduce potential risks.
- Conducted regular inventories and security updates of computer system software.
- Required all network services to be used in accordance with information security policies.
- Performed regular data backups to ensure traceability and recoverability of critical data.
- Implemented Multi-Factor Authentication (MFA) at the Taiwan plant; the Yangzhou plant is scheduled to complete evaluation in 2025 and formally implement MFA in 2026.
- Introduced AI-based zero-day antivirus software starting in 2025 to enhance real-time threat detection and protection.
- Assigned dedicated custodians for computer equipment; accounts and passwords follow strong password policies and are changed regularly.
- Applied access control for remote login systems, granting appropriate access rights based on job responsibilities.
- Conducted annual disaster recovery drills to ensure business continuity.
- Performed at least one social engineering drill annually to enhance employee awareness of cyber threats.
- Organized company-wide information security training at least once per year to continuously improve overall security awareness.
- Required Information Security Task Force members to complete a minimum of 12 hours of information security training annually to maintain professional competency.
- Held periodic information security awareness campaigns to embed a strong security culture throughout the organization.
Implementation Status
In 2025, the Company continued to strengthen its information security governance and protection mechanisms, with the following key achievements:
- Conducted four information security team meetings throughout the year to regularly review security risks and control effectiveness, ensuring that information security management objectives are effectively implemented.
- Organized two company-wide information security training sessions to enhance employees’ awareness of cybersecurity risks and their ability to prevent potential incidents.
- Distributed four cybersecurity awareness emails, one per quarter, to continuously reinforce staff awareness and reduce the risk of social engineering attacks and other security incidents.
- Implemented the IEC 62443-4-1 standard to establish a Secure Development Lifecycle (SDL) for product development, integrating security design from the early stages to enhance overall cybersecurity resilience.
- Procured 300 sets of AI-powered real-time antivirus software to strengthen endpoint threat detection and protection, thereby reducing the risk of cyberattacks.
- Completed the procurement of a Multi-Factor Authentication (MFA) system for the Yangzhou site, with full implementation planned for 2026, further enhancing account and access security.
Future Initiatives
Looking ahead, the Company plans to progressively implement a Zero Trust security architecture, ensuring that all users and devices undergo strict authentication before accessing corporate resources.
To further strengthen network defense capabilities, the Company plans to establish an Intrusion Detection System (IDS) in 2026 to enable real-time monitoring of abnormal network activities and enhance threat response capabilities.
Regarding international standards and certifications, the Company plans to complete IEC 62443-4-1 certification for the product development phase in 2025, and to formally launch the ISO 27001 Information Security Management System (ISMS) certification project in 2026, establishing a more robust information security governance framework.
Material Information Security Incidents and Losses
As of the reporting year, the Company has not experienced any material information security incidents, nor any incidents resulting in damage to corporate reputation, customer relationships, or revenue. This demonstrates the initial effectiveness of the Company’s information security management strategy, which will continue to be strengthened to enhance overall governance and protection capabilities.