Cyber Security
Cyber Security Management Committee
  • According to Article 38-1 of the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries", a person at the level of Executive Vice President or above, or with equivalent responsibilities, shall be designated as Chief Information Security Officer (CISO). In 2011, the Executive Vice President who supervised the Information Security Dept. was appointed CISO to strengthen the Bank's implementation of information security matters.
  • The Bank has established the "Cyber Security Management Committee" to effectively implement matters related to cyber security management. The committee is chaired by the Chief Information Security Officer, who oversees the execution and coordination of cyber security management matters. In addition to inviting TBB's Managing Director/Independent Director, Xin-Wu Lin, and Independent Director, Jin-Long Liu, to attend meetings and provide suggestions, the Committee also invites cyber security consulting experts to attend and offer professional opinions when significant cyber security issues are discussed. Proposals on significant cyber security issues are submitted to the Board of Directors for consultation. The Cyber Security Management Committee convened 10 times in 2023.
  • The establishment of the Cyber Security Management Committee reflects the Bank's emphasis on cyber security, so that cyber security is no longer a slogan but a system that is actually implemented.
(Figure: Cyber Security Management Committee functions)
Cyber Security Management Policy
  • The Bank has formulated the Cyber Security Management Policy, and all of our employees, outsourced vendors, and visitors shall abide by it to ensure the confidentiality, integrity, and availability of cyber security systems and information assets and to reduce operational risks. In addition, the Bank re-examines this Policy regularly every year, and at each major change, to ensure it keeps pace with the latest developments in cyber security regulations, technologies, organizations, and operations.
  • Each year, a third-party organization is engaged to assist the Bank in reviewing the effectiveness of its overall information security implementation. The execution of the annual information security protection mechanism, the reporting of cyber security incidents, and feedback from internal and external stakeholders are then summarized, and the Bank's overall information security implementation for the previous year is reported to the Board of Directors in the first quarter of each year.
(Figure: Information Security Policy)
Risk management framework
  • To carry out all operations related to information and communication (I&C) security, TBB adopts the Three Lines of Defense internal control mechanism to ensure the I&C security system functions smoothly. The first line of defense is executed and maintained by the I&C system management units and the user departments of TBB. The second line of defense is the Information Security Department, responsible for overall planning and monitoring. The third line of defense is the Auditing Department of the Board, responsible for auditing legal compliance.
  • To ensure that operational processes are adjusted to the most appropriate state, a dedicated person is assigned to provide on-site guidance from time to time, assisting the relevant units in improving their cyber security operations as soon as possible.
  • The Bank's cyber security handling status is submitted to the Risk Management Committee every month and to the Cyber Security Management Committee for review every quarter, and is then reported to the Board of Directors, so as to improve the Board's understanding of the Bank's cyber security status.
(Figure: Three Lines of Defense)
Notification process for cyber security incidents
When a cyber security incident is suspected, the system management unit shall, in accordance with the Bank's "Cyber Security Incident Notification and Emergency Response Management Procedure", complete damage control and restoration within the specified time after becoming aware of the incident, then analyze the cause and take corrective measures according to the actual handling situation, as follows:
(Figure: Cyber Security Incident Notification and Emergency Response Management Procedure)
Concrete management programs, and investments in resources for cyber security management
  • Implement the cyber security mechanism: Implement "Diversity and Defense-in-Depth", including network control, webpage control, email control, and endpoint control systems, in order to enhance cyber security defense capability. Use the "Cybersecurity Assessment Tool" (CAT) to conduct cyber security governance maturity assessments, continuously enhancing the Bank's cyber security.
  • Perform cyber security protection checks: To ensure the security of the information and communication systems, the Bank regularly performs cyber security protection check operations. In 2023, it carried out a computer system information security assessment project, a Distributed Denial of Service (DDoS) drill, and vulnerability scanning and detection of the Bank's personal computers and business workstations to confirm the completeness and effectiveness of existing control measures. In addition, red team vs. blue team attack-defense drills are conducted through professional organizations to strengthen detection and response capabilities against attacks.
  • Expand cyber security intelligence and cooperation: The Bank has designated cyber security personnel to receive cyber security intelligence from various channels, such as the Financial Information Sharing and Analysis Center (F-ISAC) or the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), to stay updated on emerging cyber security intelligence and formulate corresponding control measures. The Bank has established a Security Operations Center (SOC) and deployed professional cyber security monitoring personnel to monitor threats such as internal abnormal behaviors and external attacks through a Security Information and Event Management (SIEM) platform to ensure the effectiveness of cyber security protection monitoring.
  • Strengthen employees' awareness of information security: In 2023, the Bank completed a 3-hour information security awareness course for all staff and 15 hours of professional information security courses or on-the-job training for information security staff, to enhance information security awareness and capabilities. Information security education and training are provided for directors, supervisors, and senior management personnel to enhance Board members' understanding of the cyber security situation. To strengthen colleagues' alertness to social engineering emails, a total of 6 email social engineering drills were conducted in 2023.
  • Establish a business continuity mechanism: The Bank has established an annual cyber security maintenance program and a cyber security incident response mechanism, and holds regular drills to reduce the impact of a disaster or major event on business continuity. In 2023, it conducted 17 Information Communication System Business Continuity Planning exercises. Since 2023, the Bank has been insured under "Electronic and Computer Crime Comprehensive Insurance" to transfer financial losses caused by external malicious actors or hackers infiltrating its systems.
  • Cyber security incident management: To enhance its response capabilities for cyber security incidents, the Bank has established the Regulations on the Notification and Response of Cyber Security Incidents and set up a "Computer Security Incident Response Team" (CSIRT), with the Bank's Chief Information Security Officer serving as convener, to promptly handle cyber security incidents and mitigate damage.
  • Introduce international cyber security management standards and obtain certification: To ensure the confidentiality, integrity, and availability of customer data and related operational information, the Bank obtained "ISO 27001 Information Security Management System" international standard certification in November 2010 and has maintained the validity of the certificate every year (the certificate is valid until November 6, 2025).
  • The funding invested in cyber security in 2023 accounted for 11.60% of the total IT budget.