Information Security Measures

Information Security Organization

Amid the digital trend, the importance of the network, IT system, and data security is becoming increasingly important, while the demand and expectations of the competent authorities and stakeholders for the company’s information security are also on the rise. If the quality of the company’s system is not up to standard, information leaks or service interruptions will result in expensive costs and damage the company’s reputation. In light of this, RichWave has formed an interdepartmental information security management team with the President as the convener, while the Information Department and Administrative Management Department are in charge of offering directions and planning, with support and cooperation coming from various business units. The information security team convenes regular meetings to review the company’s information security system operations, and it must report information security-related implementation status to the Board of Directors at least once a year to obtain advice and guidance from the highest level of the company. This is to ensure the operational effectiveness of RichWave’s information security management. The internal control operations for 2022 were concluded on February 23, 2023. During this assessment, it was determined that the company's operations were effective, efficiency objectives were achieved, and compliance with laws and regulations was maintained. Subsequently, a statement regarding the internal control system was released, which was approved by the board.

Information Security Policy

Board-approved "Information Security Risk Management Policy and Procedures" have been established by RichWave in order to protect the confidentiality, integrity, and availability of information assets related to employees, suppliers, and customers and to ensure the stable use of the company's information services. This policy governs the company's actions regarding information asset inventory, information security awareness, company data confidentiality, information equipment maintenance and backup, personal computer security system maintenance, and the reporting of information security incidents. With these measures, we hope to ensure the continued viability of the company's information business.

By implementing information security management procedures, the company ensures the security and veracity of electronic data in various systems and meets the policy objectives of sustaining the company's normal business operations. The policy applies to all of RichWave’s system data and information equipment, regulating the company’s information security control operation (including authorization control, file management, and anti-virus measures), data processing operation, information equipment management and maintenance, form filling operation and form storage period, thereby guaranteeing that the company’s system can engage in effective hierarchical control, important data can be kept, reviewed adequately, and the information system can be comprehensively protected and backed up. Additionally, the company regularly establishes a data backup system to conduct disaster recovery drills and engender an effective data security protection environment in conjunction with the information security system for the sake of ensuring the company’s sustainable operation. A total of 13 information system security updates, six application system security updates, six mail server system security updates, one firewall upgrade, one internal endpoint scanning (health check), and employee computer EDR scanning (health check) were conducted in 2022. Through these multi-layered system updates and health tests, we safeguard the information systems of the company.

2022 Information Security Management Plans

1. Arrange for an external information security firm to conduct an information security inspection/drill once a year (including email social engineering drill/weak spot detection)
2. Arrange for an annual data recovery drill focusing on the recovery and verification of backed up data to ensure the correctness of the recovered data
3. Arrange for a system security update at least once a year, focusing on the patch updates of major system loopholes
4. Establish an information security reporting mechanism and an information security team to conduct comprehensive information security management

Information Security Training and Education

To instill information security awareness in our colleagues and make every employee an integral part of the company’s information security protection network, RichWave has conducted information security education and training for all new employees, and we have promoted information security to them from time to time through email. The new employees’ information security training includes an introduction to the company’s information system, document management system, electronic form operations, computer and network regulations, and USB regulations. RichWave’s information security supervisor will brief the new employees to make sure they can comply with the information security system and regulations of the company. Furthermore, the corporation maintains a constant vigilance over the prevailing state of information security in society and endeavors to create educational materials aimed at enhancing awareness regarding highly significant matters pertaining to information security. The distribution of these materials to all employees is done in an effort to prevent dangerous incidents. Multiple information security awareness campaigns were conducted in 2022 through the internal announcement system. These campaigns covered various topics, including account security management and fraudulent emails. The purpose of this initiative was to enhance employees' understanding of cybersecurity and promote vigilance in email usage. Additionally, it served as a reminder for employees to regularly update their system login passwords. In November, all employees participated in an annual online cybersecurity education training session. The training session focused on discussing domestic and international cybersecurity incidents, as well as the associated losses. The training session emphasized the importance of common cybersecurity threats, malware techniques, social engineering, and best practices for password management. A total of 299 participants attended the training, accumulating a total of 299 training hours. The recorded sessions were uploaded to the company's document management system, allowing employees to access them at their convenience.

2022 Information Security Training and Education Plans

1. Biannual information security education and training sessions are held, with each session lasting at least one hour (including information security awareness/social engineering)
2. Announce relevant information security reports from time to time (provide analysis report for special information security incidents)

Customer Privacy

RichWave values our customers’ personal data and privacy, hence we uphold the most stringent approach to collecting and managing our customer’s information. When signing a contract with our customers, we have included the confidentiality agreement as part of the official contract to ensure that our colleagues and partners comply with confidentiality through formal document regulations. After obtaining our clients’ information, it will be stored in a digital format and maintained by the information security management system of the company in conjunction with the account authorization management mechanism to ensure that RichWave can effectively control the use of our customer’s confidential information. Furthermore, RichWave has established a hotline and email to process the consumers’ rights-related complaints and problems to make sure consumers’ complaints are responded to in a fair and timely manner. In 2022, RichWave did not receive any customer privacy violation-related complaints.