EMC

Information Security Management

Information Security Risk Management Framework

Elite Material has established the Information Security Management Policy based on the three core principles of information security—Confidentiality, Integrity, and Availability (CIA). In addition to providing a secure information environment to support the continuous operation of the Group’s business, the Company has also implemented management systems and standard operating procedures. The objectives are to comply with relevant regulatory requirements and to mitigate the risks of information security incidents such as improper use, leakage, tampering, theft, or destruction, thereby reducing potential harm.

 

In 2024, Elite Material implemented the international information security management standard ISO/IEC 27001 and obtained the ISO 27001 certification (valid from December 8, 2024 to December 8, 2027). Through the adoption of the ISO 27001 information security management system, the Company meets customers’ requirements for information security management and enhances its capability to respond to information and communication security incidents, thereby protecting the assets of the Company and its customers.

 

Elite Material also formally joined the TWCERT Information Security Alliance on March 10, 2022. Through the alliance, the Company receives early warnings on potential attacks and threat detection alerts to enable proactive prevention and response. This also strengthens intelligence sharing with domestic and international information security organizations, improves response measures, and reduces information security risks.

 

Elite Material assesses its current and target cybersecurity posture based on the National Institute of Standards and Technology (NIST) framework and adopts the Cybersecurity Framework (CSF) as a basis for information security policy planning, with the objective of reducing security risks to critical operational infrastructure.

  • Identify: cybersecurity governance; information asset inventory.
  • Protect: identity authentication and access control; endpoint protection; network security protection; data security protection; application and service protection.
  • Detect: endpoint and network behavior detection; cybersecurity technical assessment and vulnerability management; utilization of cyber threat intelligence.
  • Respond: incident reporting and response mechanisms; incident analysis and corrective action planning.
  • Recover: backup mechanisms; disaster recovery plans; business continuity planning and drills.

Information Security Policy

To enhance the security and stable operation of the company’s information and communication operations, provide secure information and communication services, and ensure the confidentiality, integrity and availability of information assets, the information security policy has been formulated as the highest guideline for the company’s information and communication security management.

 

All employees of the company are obligated and responsible for complying with information security rules and regulations, maintaining company information security, ensuring the safe maintenance of company data, information systems, equipment and networks, and guarding against the threat of incidents caused by any form of improper use, leakage, tampering, theft, or destruction, in order to reduce related risks.

Information Security Mechanisms

 

To protect the commercial secrets of the Company and its customers, the Company implements data classification and grading management, reviews and strengthens controls over information exchanged with customers, and enforces access control permissions for networks, systems, devices, and personnel. Elite Material has established three key information security management objectives:

  1. Information Asset Security Management

 

In accordance with ISO/IEC 27001:2022, the Company conducts periodic information asset inventories, identifies asset risks, and establishes risk treatment plans. Key measures include building an enterprise architecture to prevent unauthorized local data storage, implementing file permission management, monitoring logs through a Security Information and Event Management (SIEM) system, strengthening authentication through Multi-Factor Authentication (MFA), and enhancing data protection controls. In addition, backup and restoration drills are conducted semi-annually to ensure rapid recovery in the event of incidents or disasters, thereby mitigating potential risks and reducing losses.

 

In 2025, the Company conducted four (4) disaster recovery / redundancy drills at the following locations: Elite Material (Taiwan), Elite Material (Kunshan), Zhongshan Elite Material, and Elite Material (Huangshi). The drills included cross-site switching of critical equipment and services, as well as verification of backup data restoration.

 

  2. Network Security and Anti-Malware Management

 

To prevent cyberattacks and respond to malicious intrusion activities, the Company deploys next-generation firewalls, intrusion prevention systems (IPS), advanced threat protection systems, and endpoint detection and response (EDR) solutions. The Company also strengthens security monitoring for industrial control environments and production-line systems, and implements deep host defense mechanisms to mitigate attacks exploiting zero-day vulnerabilities.

 

The Company continuously obtains external threat intelligence and integrates it with existing security systems to enable automated detection and blocking of external malicious activities. Vulnerability scanning is performed monthly, and identified vulnerabilities are remediated in a timely manner. The Company also uses a cybersecurity risk management system to continuously evaluate network security risks. In addition, the Company regularly engages external professional information security experts to perform penetration testing and other security enhancement activities to comprehensively identify potential gaps in defenses, establish a secure operating environment, and support sustainable operations.

 

  3. Employee Information Security Education and Training

 

All new employees are required to receive information security awareness training. The Company also conducts information security awareness campaigns and training sessions on an ad hoc basis and carries out social engineering email drills to enhance employees’ awareness of customer privacy and confidential information, thereby reinforcing the importance of information security.

 

Cybersecurity Incident Reporting Process and Incidents

 

When an information security incident occurs, employees are required to report the incident to the Chief Information Security Officer (or the highest responsible information executive) in accordance with the Information Security Incident Management Procedures. The responsible unit then assesses, categorizes, and classifies the incident, and immediately implements appropriate control and response measures to handle the incident in the shortest possible time.

 

From 2023 to 2025, Elite Material has not violated any information security–related laws or regulations and has not experienced any information security incidents.

 

Information Security Incident Management Performance Over the Past Three Years

 

| Item | 2023 | 2024 | 2025 |
|---|---|---|---|
| Total number of information security violation incidents | 0 | 0 | 0 |
| Total number of cybersecurity incidents involving hacking or intrusion | 0 | 0 | 0 |
| Total number of customers affected by information security incidents | 0 | 0 | 0 |
| Total amount of fines related to information security / cybersecurity violations | 0 | 0 | 0 |

 

 

 

Specific Management Measures
 

The Company has duly implemented its operating procedures with respect to physical and environmental security, network and computer security, system access control, system sustainability and continuity, as well as information security awareness and education and training. The Internal Audit Office serves as the supervisory unit for information security governance and is responsible for overseeing the implementation of internal information security practices. Regular audits are conducted, and where deficiencies are identified, the responsible units are required to propose corrective action plans and specific management measures, with the effectiveness of such improvements being tracked on a regular basis in order to mitigate internal information security risks.

 

In addition, to further strengthen the Company’s information security risk management, the annual information security continuous improvement initiatives were reported to the Board of Directors on December 23, 2025, to ensure the Company’s sustainable operations.

 

The Company has established a dedicated information security function, comprising one information security officer and one information security specialist, which convenes monthly meetings to review information security policies and the details of their implementation.