Corporate Governance

Risk Management

Implementing risk management systems and operations is a crucial foundation for ensuring CLC's stable operations. The Board of Directors is responsible for overseeing risk governance. At the end of 2023, the Board approved the establishment of a Risk Management Committee to assist in supervising the risk management system, including reviewing the company's risk management structure and processes to facilitate risk identification and management, and reporting major issues, findings, and recommendations related to risk management to the Board. In 2023, the company also revised the "Risk Management Policy and Procedures," emphasizing Cheng Loong's commitment to a sound and effective risk management system and culture. This includes integrating and managing all potential risks, authorizing the General Manager to make risk management decisions, and ensuring that departments follow risk management procedures to properly identify and manage internal and external risks, and assess the impact of operational, financial, and climate change risks on the company.

Regarding climate change risk management, the company adopted the "Task Force on Climate-related Financial Disclosures" (TCFD) initiative in 2021, becoming the first paper industry company in Taiwan to pass the TCFD audit and receive the highest rating certification, demonstrating its adaptability to climate risks. Recognizing the importance of nature-positive benefits and the impact of operations on biodiversity, the company signed on to support the "Taskforce on Nature-related Financial Disclosures" (TNFD) in 2023, becoming one of the 14 TNFD pioneer companies in Taiwan. The company will follow the TNFD framework to strengthen the disclosure of nature-related risks and responses across four key areas: governance, strategy, risk management, and metrics and targets.

*For complete details, please refer to the report sections: ch4.1 Climate Change Actions TCFD Report and ch4.6 TNFD Biodiversity.

Board of Directors: Based on the overall operational strategy and macro environment, the Board of Directors identifies operational risks, focuses on promoting and implementing overall risk management, and assumes full responsibility for its effectiveness.
Auditing Division: Periodically audits performance against the Company's internal control and audit programs, produces audit reports and presents them to the Board, and follows up on the performance of each unit.
President: Makes risk management decisions and coordinates cross-department risk management interaction and communication.
Management: Responsible for risk management within the unit; analyzes and monitors related risks to ensure the effective implementation of risk control mechanisms and procedures.

Information Safety Control Risk

Information and Communications Management

To emphasize information security management, the company has established a dedicated information security unit and appointed a Chief Information Security Officer (CISO). Following the "Information and Communications Security Operations Standards and Management Guidelines," the company promotes various information security management initiatives, implements cross-departmental and site-wide firewall mechanisms, and monitors vulnerabilities in real-time to prevent attacks and damages, ensuring operational safety.

To enhance information security capabilities, the company invests resources annually, procures information security hardware and software, and conducts related training to establish a robust defense framework. In 2024, the company completed the ISO 27001:2022 Information Security Management System (ISMS) transition certification. Specific management solutions were formulated for access control, data backup, system development, and outsourcing vendor management to safeguard information assets and ensure the availability, integrity, and continuity of information services, minimizing impacts on daily operations.


Key Focus Areas in Information Security for 2024

Enhancing Information Security Management

  1. Refine the information security management system. In August 2023, the company achieved ISO 27001:2013 ISMS certification through the British Standards Institution (BSI) and obtained the ISO 27001:2022 transition certification in June 2024. Using the PDCA cycle, the company conducted a digital asset inventory and risk assessment, reviewed the effectiveness of information security goals and related measures, and implemented improvements accordingly.
  2. In December 2023, the company established a Risk Management Committee and an Information Security Task Force to identify security risks and evaluate existing protection measures comprehensively. The committee convenes twice annually to develop complete risk management plans and improvement measures based on assessment results. It regularly reports its operations to the Board of Directors to ensure the effective mitigation of information security risks and the stability and safety of corporate operations in a rapidly evolving threat environment.

Enhancing Information Security Protection Capabilities

  1. Strengthen protections for network connections, server rooms, firewalls, email systems, and servers. Continuously review the company's information security policies and operational procedures, holding regular information security project meetings for necessary evaluations and updates.
  2. To improve the security of Operational Technology (OT) systems, implement USB scanning tools to detect malicious software infections. Critical infrastructure, such as server rooms, is equipped with access controls and personnel entry/exit logs to ensure the safety of physical equipment.

Building a Collaborative Security Defense

  1. Establish a Security Operations Center (SOC) war room to monitor abnormal security behaviors. Core systems are integrated with MDR endpoint protection services to enable rapid detection, defense, and recovery for critical IT and OT endpoints. External professional information security teams provide comprehensive, 24/7 monitoring and analysis to effectively address and respond to viruses and malicious attacks.
  2. Actively participate in external cybersecurity alliance activities and initiatives to stay abreast of emerging cybersecurity trends.

Fostering a Corporate Security Culture

  1. An information security section is set up on the company's EIP platform, regularly updated to share the latest cybersecurity knowledge. Through continuous promotion and announcements, employees' awareness of security issues is heightened. Additionally, information security training is conducted to strengthen employees' understanding of phishing email prevention, personal data protection, and the correct handling of sensitive information.
  2. In 2024, the company conducted two social engineering drills, utilizing AI technology to design realistic phishing email scenarios such as fake credit card fraud alerts, department store discount vouchers, and government document notifications. The drills evaluated employees' vigilance toward phishing emails. Results showed that email open rates in both tests were below the standard threshold.