Risk Management Overview

In response to changes in the global economic environment and sustainability-related risks, EMC has developed a complete risk management organizational structure and practical implementation framework based on three major aspects: the economy (including corporate governance), the environment, and society. This framework is used to identify and monitor the risks that may impact the Company’s sustainable development. Through the application of related management strategies and corresponding measures such as risk transfer, reduction, and avoidance, potential risks may be minimized, or even turned into operational opportunities. EMC’s Risk Management Policy and Procedures was approved by the Board of Directors at the 16th session of the 12th Board meeting on October 30, 2024, to serve as the highest guiding principles for the Company’s risk management.

The risk management policy of EMC is to define the various risks in accordance with the Company’s overall operating strategy; establish risk management mechanisms for early identification, accurate measurement, effective supervision, and strict control; and prevent possible losses so that risks stay within tolerable limits. As the internal and external environments change, EMC will continue to adjust and improve its risk management practices to protect the interests of employees, shareholders, partners, and customers, thereby increasing the Company’s value and achieving the goal of optimizing the allocation of the Company’s resources.

Every year, the President designates a unit to conduct risk factor identification aimed at identifying the risks that may affect the Company’s sustainable development and determining the scope of risk management. Potential risks are monitored and preventive measures are implemented based on operational needs to strengthen risk management. Risk management strategies that cover management objectives, organizational framework, authority and responsibility, risk management procedures, and other related mechanisms are also formulated and implemented for each risk to ensure that the risks arising from business activities remain controlled within acceptable ranges.

Risk Scope Identification

EMC has identified various risk items of different levels based on the responsibilities and functions of the various units. Based on the materiality principle, the Corporate Sustainability Development Committee has further divided the risks into three types: economic (including corporate governance), environmental, and social. For each dimension, the risk types, the description of each risk, and the corresponding risk control measures are listed below.

1. Economic (including corporate governance)

1.1 Market Risks

Description of Risk:

1.1.1 Political and economic dimension: Includes risks of financial or business impact on the company due to domestic or international political, economic, and regulatory requirements.

1.1.2 Industrial dimension: Includes risks of financial or business impact on the company due to domestic or international technological and industrial changes.

1.1.3 Financial dimension: Includes risks of losses resulting from changes in the company’s financial assets or liabilities (including on- and off-balance sheet assets and liabilities) due to fluctuations in market risk factors (interest rates, exchange rates, stock prices, commodity prices, electricity prices, etc.).

Risk Control Measures:

1. Interest Rate Risk: The Company’s interest rate impact is mainly reflected in the interest revenue from bank deposits and the interest payments on bank loans. In terms of short-term loan management, in principle, the Company keeps its short-term facility drawdown ratio no higher than 50% and appropriately increases credit limits to enhance short-term funding flexibility. As for long-term loans, to meet the funding needs for plant expansion, the Company applies for project loans to gain the benefits of stable long-term interest rates and lower overall loan costs, thereby effectively reducing the risks from interest rate fluctuations.

2. Exchange Rate Risk: In response to significant fluctuations in the international foreign exchange market and increased variables for exchange rate changes, the Company adopts strategic management by controlling the net position ratio to hedge against exchange rate risks, thereby achieving a natural hedging effect and effectively reducing the impact of exchange rate fluctuations.

3. Accounts Receivable Risk: The Company holds regular meetings to review customers’ business conditions or analyze customers’ financial reports. For customers with operational problems, it is recommended that shipments be suspended or credit be reduced. For domestic/export customers, in principle, credit is granted based on risk level, and appropriate insurance should be taken out based on risk levels.

1.2 Operational Risks

Description of Risk:

1.2.1 Operational dimension: Includes risks that impact the company due to changes in the business model, adjustment of organizational structure, over-concentrated sales/purchasing, product replacement, product/service design, quality management, and major risk management of business contracts, etc.

1.2.2 Financial dimension: Includes risks that impact the company due to asset evaluation, credit and solvency, liquidity risks, and accounting policies, etc.

1.2.3 Internal control dimension: Includes risks related to the company’s internal control.

1.2.4 Supply chain dimension: Includes risks that impact the company due to issues such as supplier quality, price, delivery, and corporate social responsibility.

1.3 Investment Risks

Description of Risk:

1.3.1 Investment dimension: Includes risks of short-term investment market price fluctuation impact on the company due to over-concentrated reinvestment targets, high-risk and high-leverage operations, financial derivatives trading, financial planning, etc., or the operational management risks involved in the long-term investment of the company to be invested.

1.4 Regulatory Compliance Risk

Description of Risk:

1.4.1 Regulatory compliance dimension: Includes risks of failure to comply with relevant laws and regulations, including but not limited to the Labor Act, the Company Act, the Securities and Exchange Act, import/export regulations, industry code of conduct, anti-corruption regulations, etc.

1.4.2 Legal dimension: Includes risks that may result from failure to comply with various legal norms, or various legal risks that may infringe on the company’s rights and interests.

1.5 Information Security Risk

Description of Risk:

1.5.1 Includes risks that threaten the confidentiality, integrity, or availability of the Company’s information assets due to natural, human, or technological factors.

Risk Control Measures:

1. Beginning this year, the Company has commissioned an internationally renowned certification body (SGS) to conduct ISO 27001 certification. Additionally, the audit department conducts at least one information security audit every year.

2. The Company has commissioned a professional information security consulting company to perform server host vulnerability scans, aiming to identify potential risks and make corrections to strengthen defenses against hacker attacks.

3. The Company conducts regular education, training, and advocacy to raise awareness of the latest information security knowledge. The Company consistently improves its information security education, and it implements social engineering drills every year to enhance employees’ information security awareness and protect data security.

2. Environmental

2.1 Environmental Risk

Description of Risk:

2.1.1 Includes risks related to greenhouse gas emission management, carbon credits management, and energy management conducted in response to climate change and natural disaster issues, as well as risks for complying with international and local environmental protection laws such as emission/discharge management for gas, water, waste, poison, and noise or Environmental Impact Assessment requirements.

Risk Control Measures:

1. Environmental impact of carbon emissions due to business activities

(1) The Company analyzes potential climate change risks, explores possible opportunities and response measures through greenhouse gas inventories and product carbon footprint investigation, and explains corresponding response methods.

(2) The Group holds regular inter-plant technical exchange meetings and continuously promotes energy saving, carbon reduction, occupational safety, environmental protection, and equipment preventive maintenance based on experience accumulated through each plant’s successful projects.

(3) The Company pays constant attention to changes in policies and regulations related to energy and carbon management and proactively participates in public consultations and hearings regarding new (revised) regulations.

2. Environmental pollution caused by business activities

(1) The Company carries out the Group’s safety and environmental audits to verify the regulatory compliance of its occupational safety, environmental protection, and fire safety activities, and it takes relevant actions for correction and improvement.

(2) Annual safety and environmental education and training plans are implemented to enhance environmental personnel’s competence and understanding of the latest safety and environmental regulations.

(3) The Company pays constant attention to changes in domestic and international environmental laws and regulations and proactively participates in public consultation or hearings regarding new (revised) regulations through associations.

3. Social

3.1 Workplace Hazard Risk

Description of Risk:

3.1.1 Operational dimension: Includes risks to the company caused by occupational safety, hygiene and health, chemical management, safety protection, emergency response, and other improper management operations or errors.

3.1.2 Workplace dimension: Includes risks caused by issues related to the safety of the workplace for employees or contractors.

Risk Control Measures:

1. Comply with relevant laws and regulations, and formulate various operation management guidelines.

2. The Workplace Safety and Health Committee regularly reviews compliance with environmental/occupational safety laws and regulations.

3.2 Human Resources Risk

Description of Risk:

3.2.1 Includes issues related to the human rights of employees or suppliers, including but not limited to risks derived from labor relations, child labor, and forced labor, as well as risks resulting from the cultivation of talent, such as the mechanisms for recruitment, retention, and development of talent.

Risk Control Measures:

1. Regularly conduct manpower checks and reviews.

2. Plan and implement employee education, training, and development plans.

3. Design competitive compensation and employee benefit measures.

4. Develop complete training and local talent development plans.

2025 Implementation Status of the Risk Management Policy and Procedures

The implementation status of the Risk Management Policy and Procedures for 2025 was reported on December 23, 2025 at the 3rd meeting of the 4th term of the Audit Committee and the 4th Board Meeting of the 13th term. For further details, please refer to the 2025 Implementation Status of the Risk Management Policy and Procedures.

Information Security Management

EMC has formulated its Directions for Information Security Management based on the three principles for information security management, which are confidentiality, integrity, and availability. The goals are to provide an information environment for EMC Group’s overall business to operate without interruption, establish management systems and standard procedures to meet relevant regulatory requirements, and protect the Company from various information security threats and accidents such as data misuse, leakage, tampering, theft, and destruction to reduce possible hazards.

EMC, Elite Electronic Material (Kunshan), Elite Electronic Material (Zhongshan) and Elite Electronic Material (Huangshi) are all equipped with a cybersecurity response group. The president acts as the leader of the group, and department heads and cybersecurity reporting network contact personnel serve as group members. Guanyin Plant 1 in Taiwan passed the ISO 27001 Information Security Management System certification in 2024 (valid from December 8, 2024 to December 8, 2027), which will not only improve the Company’s internal information security management performance, but will also earn and maintain customer confidence. For the other plants, information security management will focus on promoting consistency of internal management.

EMC has followed the standards established by the U.S. National Institute of Standards and Technology (NIST) to evaluate its information security status and set relevant security goals. The NIST Cybersecurity Framework (CSF) has been adopted for the planning of information security policies to reduce the security risks facing key operating facilities.

Cybersecurity Framework (CSF)

ISO 27001:2022 Certificate

Information Security Management Framework

In order to protect the Company’s security and customers’ business secrets, EMC carefully examines and strengthens the management measures for information transmitted between the Company and customers, and further implements an information security management system based on the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. The measures under each function are as follows.

Identify

1. Information security governance

2. Information assets inventory

Protect

1. Identity verification and access control

2. Endpoint protection on devices

3. Network security protection

4. Data security protection

5. Application service protection

Detect

1. Endpoint network behavior detection

2. Security technology detection and vulnerability management

3. Network threat intelligence utilization

Respond

1. Information security incident reporting and response mechanisms

2. Information security incident analysis and corrective planning

Recover

1. Backup mechanism

2. Backup plan

3. Business continuity planning and exercise

Information Security Management Mechanism

To protect the commercial secrets of the Company and its customers, the Company implements data classification and grading management, reviews and strengthens controls over information exchanged with customers, and enforces access control permissions for networks, systems, devices, and personnel. Elite Material has established three key information security management objectives:

1. Information equipment security management

In accordance with ISO/IEC 27001:2022, the Company conducts periodic information asset inventories, identifies asset risks, and establishes risk treatment plans. Key measures include building an enterprise architecture to prevent unauthorized local data storage, implementing file permission management, monitoring logs through a Security Information and Event Management (SIEM) system, strengthening authentication through Multi-Factor Authentication (MFA), and enhancing data protection controls. In addition, backup and restoration drills are conducted semi-annually to ensure rapid recovery in the event of incidents or disasters, thereby mitigating potential risks and reducing losses.

In 2025, the Company conducted four (4) disaster recovery / redundancy drills at the following locations: Elite Material (Taiwan), Elite Material (Kunshan), Zhongshan Elite Material, and Elite Material (Huangshi). The drills included cross-site switching of critical equipment and services, as well as verification of backup data restoration.

2. Network and antivirus management

To prevent cyberattacks and respond to malicious intrusion activities, the Company deploys next-generation firewalls, intrusion prevention systems (IPS), advanced threat protection systems, and endpoint detection and response (EDR) solutions. The Company also strengthens security monitoring for industrial control environments and production-line systems, and implements deep host defense mechanisms to mitigate attacks exploiting zero-day vulnerabilities.

The Company continuously obtains external threat intelligence and integrates it with existing security systems to enable automated detection and blocking of external malicious activities. Vulnerability scanning is performed monthly, and identified vulnerabilities are remediated in a timely manner. The Company also uses a cybersecurity risk management system to continuously evaluate network security risks. In addition, the Company regularly engages external professional information security experts to perform penetration testing and other security enhancement activities to comprehensively identify potential gaps in defenses, establish a secure operating environment, and support sustainable operations.

3. Employee information security education and training

All new employees are required to receive information security awareness training. The Company also conducts information security awareness campaigns and training sessions on an ad hoc basis and carries out social engineering email drills to enhance employees’ awareness of customer privacy and confidential information, thereby reinforcing the importance of information security.

Reporting Procedures for Information Security Incidents and Related Events

When an information security incident occurs, employees are required to report the incident to the Chief Information Security Officer (or the highest responsible information executive) in accordance with the Information Security Incident Management Procedures. The responsible unit then assesses, categorizes, and classifies the incident, and immediately implements appropriate control and response measures to handle the incident in the shortest possible time. From 2023 to 2025, Elite Material has not violated any information security–related laws or regulations and has not experienced any information security incidents.

Information security incident management status in the last 4 years

| Item | 2022 | 2023 | 2024 | 2025 |
|---|---|---|---|---|
| Total number of information security breaches | 0 | 0 | 0 | 0 |
| Total number of security hacking incidents | 0 | 0 | 0 | 0 |
| Total number of customers affected by information security incidents | 0 | 0 | 0 | 0 |
| Total amount of fines associated with information security/cyber security violations | 0 | 0 | 0 | 0 |

Specific Management Plans

The Company has duly implemented its operating procedures with respect to physical and environmental security, network and computer security, system access control, system sustainability and continuity, as well as information security awareness and education and training. The Internal Audit Office serves as the supervisory unit for information security governance and is responsible for overseeing the implementation of internal information security practices. Regular audits are conducted, and where deficiencies are identified, the responsible units are required to propose corrective action plans and specific management measures, with the effectiveness of such improvements being tracked on a regular basis in order to mitigate internal information security risks.

In addition, to further strengthen the Company’s information security risk management, the annual information security continuous improvement initiatives were reported to the Board of Directors on December 23, 2025, to ensure the Company’s sustainable operations.

The Company has established a dedicated information security function, comprising one information security officer and one information security specialist, which convenes monthly meetings to review information security policies and the details of their implementation.