
Cyber Security

Cyber Security Management Committee
  • According to Article 38-1 of the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries", a person at the level of Executive Vice President or above, or with equivalent responsibilities, shall be designated as Chief Information Security Officer (CISO). In 2011, the Executive Vice President supervising the Information Security Department was appointed CISO to strengthen the Bank's ability to implement information security matters.
  • The Bank has set up the "Cyber Security Management Committee" to effectively implement cyber security management. The Committee is convened by the CISO and comprehensively manages the implementation and coordination of information security management matters. When the Committee meets, Managing Director (Independent Director) Xin-Wu Lin and Independent Director Jin-Long Liu are invited to attend and provide advice. In addition, cyber security consulting experts are invited to attend and provide professional opinions on major cyber security issues, and they also respond to consultation from the Board of Directors. The Cyber Security Management Committee met 6 times in 2022.
  • The establishment of the Cyber Security Management Committee shows the Bank's emphasis on cyber security, so that cyber security is not merely a slogan but is implemented as a system.
Cyber Security Management Committee functions
Cyber Security Management Policy
  • In order to ensure the security of the Bank's information systems and information assets, improve the Bank's overall cyber security framework and reduce operational risks, the Bank has formulated the "Cyber security policies", which cover five key items: goals, scope of application, compliance and regulations, introduction of an information security management system, and an annual report to the Board of Directors.
  • The overall goal of the Bank's cyber security is to ensure the confidentiality, integrity and availability of its information systems and information assets, and to reduce operational risks. All staff, outsourced vendors and visitors of the Bank shall abide by the Bank's "Cyber security policies".
  • The Bank entrusts a third-party organization to conduct on-site inspections of the relevant departments of the Bank at the end of each year to evaluate the effectiveness of the Bank's overall information security implementation.
  • The Bank summarizes the implementation of its information security protection mechanism in the previous year, cyber security incident reports, feedback from internal and external stakeholders, etc., and reports to the Board of Directors.
  • The Bank re-examines this policy every year, or whenever there are major changes, in order to keep up with the latest developments in laws, technologies, organizations and operations related to cyber security.
Information Security Policy
Risk management framework
  • In order to carry out all operations related to I&C security, TBB adopts the Three Lines of Defense internal control mechanism to ensure that the I&C security system functions smoothly. The first line of defense is executed and maintained by the I&C system management and user departments of TBB. The second line of defense is the Information Security Department, responsible for overall planning and monitoring. The third line of defense is the Auditing Department of the Board, responsible for compliance auditing.
  • In order to ensure that operational processes are kept in the most appropriate state, a dedicated person is assigned to provide on-site guidance from time to time, assisting the relevant units to improve their cyber security operations as soon as possible.
  • The Bank submits its cyber security handling status to the Risk Management Committee every month, submits the information security handling status to the Cyber Security Management Committee for review every quarter, and then reports it to the Board of Directors, so as to improve the Board's understanding of the Bank's cyber security status.
Three Lines of Defense
Notification process for cyber security incidents
When a cyber security incident is suspected, the system management unit shall, in accordance with the Bank's "Cyber Security Incident Notification and Emergency Response Management Procedure", complete damage control and restoration within the specified time after becoming aware of the incident, then analyze the cause and take corrective measures according to the actual handling situation, as follows:
Cyber Security Incident Notification and Emergency Response Management Procedure
Concrete management programs, and investments in resources for cyber security management
  • In order to ensure the security protection capability of our information systems, we conduct an annual computer system information security assessment, including information architecture review, network activity review, vulnerability scanning, penetration testing, APP testing, security setting review and compliance review, etc. Based on the findings of possible internal security threats and weaknesses, technical and management-related control measures are implemented.
  • The Bank has expanded its channels for receiving and transmitting information security information and has become a member of F-ISAC (Financial Information Sharing and Analysis Center), F-SOC (Financial Security Operation Center), F-CERT (Financial Computer Emergency Response Team) and TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center). Information security personnel also conduct risk assessments and track the progress of handling cyber security information based on its content.
  • Every year, all employees go through a 3-hour information security awareness program to strengthen their knowledge and ability, and information security personnel complete at least 15 hours of information security training annually to improve their professional competence.
  • The Bank continues to execute email social engineering drills every year to strengthen employees' awareness of cyber security, and executes DDoS (Distributed Denial-of-Service) drills to test the integrity of its protection capabilities.
  • The Bank maintains the continuous operation of its information systems, has established the Cyber Security Maintenance Plan and the Cyber Security Incident Response Mechanism, and conducts regular incident drills.
  • The Bank continues to execute red team drills in a cooperative mode to discover potential attack chains and remediate them, improving TBB's cyber security response capabilities against increasingly serious malicious threats.
  • In the event of cyber security incidents, the Bank reports and responds in accordance with relevant regulations. In 2022, TBB experienced no material cyber security incidents causing damage to revenue, and no penalties were imposed by the competent authority.
  • In order to manage residual risk, the Bank plans to purchase cyber security insurance to transfer this risk, and is currently evaluating cyber security insurance products suitable for the Bank.
  • In order to ensure the confidentiality, integrity and availability of customer information and the Bank's relevant operational information, the Bank has held the "ISO 27001 Information Security Management System" international standard certification since November 2010, and maintains the validity of the certificate every year. The current certificate is valid from November 7, 2022 to November 6, 2025. Through the introduction of the ISO 27001 Information Security Management System, the Bank's information security protection and operational continuity capabilities are strengthened, the security of internal assets is ensured, and customer trust and protection are enhanced.