The implementation and operation of risk management are the foundation of CLC's steady operations. To optimize the risk management system, we follow the "Risk Management Policy and Procedure", under which the BoD is the highest authority for risk management and authorizes the president to make risk management decisions. Following the risk management procedure, each department identifies and manages internal and external risks, measuring and analyzing the impact of risk factors on the Company in terms of operations, finance, and climate change; the president reports to the BoD annually.
Paying attention to the climate change crisis and responding early to the Financial Supervisory Commission's Corporate Governance 3.0 Sustainability Blueprint, the Company responded to the TCFD initiative in 2021, signed up as a supporter, and conducted third-party verification of TCFD compliance to actively manage climate change issues and take action, becoming the first paper company in Taiwan to pass the TCFD audit and obtain the highest rating certification, demonstrating resilience in the face of climate risks.
| Board of Directors | Auditing Division | President | Management |
|---|---|---|---|
| Based on the overall operational strategy and macro environment, the board of directors discerns the risks in operations, focusing on the promotion and implementation of overall risk management to ensure its effectiveness and assuming full responsibility for risk management. | The Auditing Division periodically audits performance based on the Company's internal control and audit programs, produces audit reports and presents them to the board, and follows up on the performance of each unit. | Makes decisions for risk management and coordinates cross-department risk management interaction and communication. | Responsible for risk management; analyzes and monitors related risks within the unit to ensure the effective implementation of the risk control mechanism and procedures. |
Information Security Control Risk
We have established a responsible unit in accordance with the Company Information Security Policy. In 2022, we further increased information security expenditure by nearly 50% to establish a complete network and computer protection framework. Additionally, we established an Information Security Center and a "Chief Information Security Officer" position, held concurrently by the head of the Information Technology Division, to improve our information security capacity, and planned to implement the ISO 27001 Information Security Management System (ISMS).
4 Highlights of 2022:
I. Enhancing information security management:
1. The president convenes the information security review meeting each quarter to review performance in information security.
2. Based on the PDCA cycle, we inventory information assets and assess their risks, check cybersecurity KPIs and the performance of relevant measures, and make improvements.
II. Enhancing information security protection:
1. Periodically review and revise the cybersecurity policy and information security SOP.
2. Set up the information security monitoring center and situation room for real-time detection, response, and handling to effectively block viruses and malicious attacks.
3. Set access control and maintain personnel access records for important information infrastructure (e.g. server rooms) to ensure protection of physical information equipment.
III. Building joint defense for information security:
1. Join organizations such as the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT) of the Ministry of Digital Affairs, Executive Yuan, and the Taiwan Chief Information Security Officer Alliance (Taiwan CISO Alliance) to enhance alerting, detection, reporting, and intelligence sharing.
2. Review the information security performance of suppliers from time to time. The questionnaire survey at the 2022 CLC Supplier ESG Conference shows that each supplier has one to two responsible information security staff, the average score for overall information security protection was 72 marks, and 63% of suppliers conducted social engineering drills periodically.
IV. Shaping a culture of information security:
1. Arrange awareness education and post information security notices in the EIP information security section; offer e-learning information security courses; help employees prevent attacks such as email scams and malicious website links; and enhance their awareness of correct protection and alertness to confidentiality and security.
2. Conduct social engineering drills from time to time and require employees to change logon passwords periodically. In 2022 the mail opening rate was 7.2%, 11.5% lower than last year, suggesting that employees have raised their awareness of and become more alert to information security.