Information Security and Privacy Protection
Information Security Management Framework and Strategies

We established an IT Development Committee chaired by the president of FFHC. Committee members include vice presidents, the head of the Information Technology Department, the presidents of subsidiaries, and the vice presidents responsible for IT operations (or managers with expertise in IT). The IT Development Committee convenes regularly to discuss and review IT development, IT security and management issues at each subsidiary. To comply with the competent authority's rules, the bank, securities, investment trust and life insurance subsidiaries have included the overall implementation of information security in 2023 in their internal control system statements. At each of these companies, the chief information security officer (or the supervisor or top supervisor of the dedicated unit responsible for information security), together with the chairman, president, chief auditor and the head office's legal compliance officer, jointly issued the internal control system statement.
Please refer to the MOPS for each company's Declaration on Overall Information Security.


To support the Group's overall business development, ensure the effective utilization of its information and resources, and safeguard its information systems and operations, the Company requires that it and its subsidiaries formulate information operation management regulations suited to their industry characteristics and consistent with the "Information Management & Information Security Policy" reviewed and approved by the Board of Directors. Moreover, the Company has formulated the "Regulations Governing Information Operation Management" to strengthen its and its subsidiaries' information operation systems, equipment, networks and data security, reinforce its internal control functions, and comply with regulations relating to information management. Guidelines for the usage and safety control of Internet of Things (IoT) equipment have also been stipulated in the "Regulations Governing Information Security Management", in response to the Bankers Association's requirement for controlling IoT equipment. The Internal Control System contains detailed rules and manuals for information security and online security risks, including application system operations management, hardware and environment management, network management, webpage management, e-mail security management, computer user access rights management, disaster recovery procedures, subsidiary supervision, and principles for the preservation, storage and processing of computer files.
To provide safe, convenient and uninterrupted financial services, the Company and its subsidiary bank, securities company and life insurance company have implemented and executed related planning and operations in accordance with the Financial Supervisory Commission's "Financial Cyber Security Action Plan 2.0" as follows:

Information Security Measures

In order to promptly assess how efficiently information security incidents are handled, the Company has enacted the "Information Security Incidents Report Operation Rules" for Group companies to follow. The procedure for handling information security incidents is as follows:

To build the right concepts of information security among employees and encourage them to abide by related regulations, the Company organized 77 information security training sessions in 2023 which were attended by 22,541 people with 263 total training hours. Details are shown in the table below:

The Company enhanced information security education to prevent malicious programs from penetrating the Company's information systems through social engineering. First Bank, First Securities, First Securities Investment Trust and First Life Insurance each organized two to four unscheduled social engineering drills covering all employees as part of their security monitoring. Employee test coverage was 100%, and the drills tracked whether employees opened the mail, clicked the link, returned a delivery receipt, opened the attachment, or were successfully phished. For units that did not pass the drill and employees with insufficient information security awareness, in addition to strengthened education, training and information security awareness communication, information security items such as the drill completion rate and the occurrence of information security incidents that cause the Company or its subsidiaries to be severely penalized by the competent authority are listed as annual performance appraisal indicators for employees. Those who fail to meet the standard face a performance bonus reduction in the current year under the Company's Employee Bonus Rules, which reduces the risk of threats arising from potential weaknesses. No major contingencies or incident notifications endangering information security occurred at the Company or any of its subsidiaries in 2023, nor was there any IT infrastructure incident that resulted in revenue loss. No unit received any regulatory penalties.
To ensure network and information system security and to provide customers with safe automated services, the Group's subsidiary bank, securities company, securities investment trust company and life insurance company have all obtained ISO 27001 certification. To maintain the validity of the certificates, we commission verification organizations to conduct surveillance audits every year in addition to re-certification every three years, so that we can provide safer financial products and transaction flows.
To strengthen information security resilience, all subsidiaries have adopted the related measures listed below. No information security incidents occurred at any of the Group's subsidiaries in 2023.
First Bank
To enhance information security resilience, First Bank continues to purchase "information system illegal conduct insurance" to mitigate financial losses from system intrusions. It also appoints an independent third party to conduct information security evaluations, examine the completeness and appropriateness of existing control measures for the overall computer system, and uncover potential information security threats and vulnerabilities. This provides the basis for implementing control measures in technical and management aspects to build key defensive capabilities in information security, including continuing the migration of core systems, expanding the capabilities of backup centers through containerized security protections, automating firewall deployment, optimizing the integrated code, and expanding platform support for accounts with special permissions. Additionally, "Red Team Exercises" were organized that engaged third-party penetration testers or white-hat hackers in goal-oriented, themed exercises. These Red Team Exercises simulate external cyberattacks to test the security strength of network environments and application systems, the effectiveness of defensive equipment, management systems and the implementation of procedures, the reasonableness of the surveillance scope, and the appropriateness of response times.
■ First Bank's information security emergency response plan

First Securities
First Securities conducts vulnerability scanning and penetration testing through an independent third party, inspects network and system security as well as the effectiveness of its defense equipment, builds a multi-layered defense deployment and control measures, increases the intensity of information security protection, continues to enhance the backup capacity of its core transaction system, and regularly conducts response drills for interruptions to the core transaction system. The goal is to enhance the company's capability to cope with contingencies.
■ First Securities' Emergency Response Plan for Information Security

First Securities Investment Trust
FSITC has established a SOC information security monitoring system and a DLP protection system for confidential and sensitive data, in addition to reviewing its firewall rules on a regular basis. A vulnerability scan is carried out every year, along with social engineering drills and penetration tests of the official website. Business continuity planning for the information system has been formulated to respond to emergency incidents, and remote backup drills are carried out every year. "DDoS offensive and defensive drills" are carried out in the fourth quarter of each year to ensure that the defense mechanism against cyberattacks is effective.
■ FSITC's Emergency Response Plan for Information Security

First Life Insurance
Each year, First Life Insurance commissions a professional external information security company to conduct various assessments, including vulnerability scanning, penetration tests, mobile app tests, and reviews of the security settings of information systems and network equipment. These assessments are meant to detect information security threats and vulnerabilities, so that we can enhance our information security defense capability through targeted improvements. Furthermore, social engineering drills, DDoS offensive and defensive drills, drills for responding to personal information leaks, and business continuity planning (BCP) drills for the information system are conducted each year. Through scenario simulations, we aim to improve our colleagues' responsiveness and awareness while ensuring that the various response processes are appropriate and reasonable.
■ First Life Insurance's Emergency Response Plan for Information Security

First Financial AMC
First Financial AMC has conducted information security assessments and vulnerability scanning through an independent third party to identify potential information security threats and vulnerabilities, which serve as the basis for implementing related control measures from both the technical and management aspects. The company's Microsoft server operating system has also been upgraded, its external firewall has been replaced, and information security vulnerabilities have been patched continuously, as part of the effort to increase its information security defense capabilities.
■ First Financial AMC's Emergency Response Plan for Information Security

The protection of clients' privacy

*: Includes employees of the Company, temporary workers dispatched by temp agencies, institutions that have an appointment relationship with the Company, and the personnel of such institutions.
In addition to the domestic units of First Bank, which follow the EU General Data Protection Regulation (EU GDPR) and relevant regulations, overseas branches also follow the regulations and policies of the competent authorities in their respective countries (for example, the UK General Data Protection Regulation (UK GDPR)). To require employees to comply with the Personal Data Protection Act, personal data breaches have been included as deduction items in business units' evaluations, and individuals are penalized according to the severity of the violation.
■ First Bank takes the following measures in accordance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR):

First Financial Holding highly values the security of our customers' personal information. To implement personal information protection management, both First Commercial Bank and First Life Insurance have obtained "BS10012: Personal Information Management Systems" certification, in addition to undergoing continuing surveillance audits and re-certification every year. Moreover, we take 100% control of how our customers' personal information is used. Around 4.36 million customer information records (46.2%) are made available for secondary use (such as marketing or product/service quality improvement), on the condition that no related laws and regulations or agreements with our customers are violated.