Information Security Management Policy
To ensure the security of the Company’s information assets, information systems, equipment, and networks, an Information Security Committee was established in July 2021, chaired by the General Manager, who is responsible for overseeing and coordinating the Company’s information security policies and governance.To confirm the suitability, adequacy, and effectiveness of the Information Security Management System (ISMS), the General Manager conducts a management review of the ISMS at least once a year. This management review includes an evaluation of whether improvements or changes to the ISMS are necessary, as well as a review of the Company’s information security policy and security objectives.
In July 2022, the Board of Directors approved amendments to the Computer Information Processing Cycle, under which the Company established the positions of Information Security Officer and Information Security Supervisor, responsible for overseeing the implementation of information security policies and coordinating related resources.
To safeguard the information security of Lemtech’s products and services throughout the stages of development, manufacturing, and delivery, and to prevent unauthorized access, alteration, misuse, or disclosure of information, as well as to mitigate the risk of operational disruptions caused by natural disasters or information security incidents, the Company is committed to establishing and maintaining a robust information security management system. This system is designed to ensure the confidentiality, integrity, and availability of critical information assets.All related management measures comply with applicable laws and regulations as well as customer requirements, and are continuously enhanced with reference to international standards such as ISO/IEC 27001, in order to strengthen external trust and fulfill the Company’s commitments to customers and shareholders, while ensuring the stable, secure, and sustainable operation of its core business. In 2024, the Company did not experience any material information security incidents, nor did it receive any complaints regarding the infringement of customer privacy or the loss of customer data.
We place great importance on information security and the protection of customer data. In accordance with the ISO/IEC 27001 international standard, the Company has established an Information Security Management System (ISMS) and obtained certification.To ensure the effective operation of the system, the Company conducts at least one internal self-audit and one external audit performed by an independent third party each year. In addition, a certification revalidation is carried out every three years to continuously maintain the validity of the ISO/IEC 27001 certification.
(1) Ensuring the Continuous and Sustainable Operation of Information Systems
(2) Preventing hacking, malware, and other cyber threats from intrusion and damage
(3) Preventing intentional misconduct and unlawful use by personnel
(4) Preventing the leakage of sensitive information
(5) Avoiding human error and accidental incidents
(6) Maintaining physical environment security
Information Security Management Framework
Information Security Management Committee Structure
(Version: V3.0)
Information Security Incidents and Response
| Date of Occurrence | Information Security Incident Statement | Impact Level | Degree of Damage | Resolution Date |
|---|---|---|---|---|
| 2025/10/17 | Due to scheduled maintenance by Taipower, internal network and server services within the data center were temporarily and intentionally suspended. | 1 | None | 2025/10/19 |
| 2025/10/25 | Due to scheduled maintenance power outages conducted by Taipower, internal network and server services within the data center were intentionally suspended as planned. | 1 | None | 2025/10/26 |
Information Security Training Outcomes
To enhance information security awareness among all employees and foster a preventive security culture, the Company continues to implement a wide range of information security education and practical drills. Training records are incorporated into the Company’s internal audit processes and sustainability report disclosures.
Annual Company-wide Training (2025): Covering information security awareness and general software education and training.
Disaster Recovery and Incident Response Drills:
Multiple internal simulation exercises were conducted, focusing on response measures for business-critical data and systems, to strengthen employees’ incident identification and protection capabilities.
Vulnerability Scanning:
Assessments were conducted on externally exposed addresses, with a focus on protecting critical points and providing reference data for risk mitigation and reduction.
New Employees:
Required to sign employment and confidentiality agreements and to participate in internal information security education and training in line with applicable information security management guidelines.
Senior Management and Board Members:
Required to participate in information security and regulatory awareness training at least once per year.
The 2025 Information Security Implementation Results Report was presented to the Board of Directors on December 18, 2025. The relevant attachments are as follows: