(1) Information security risk management framework:
- To protect the Company’s valuable trade secrets, R&D technologies, and intellectual property rights, and to enhance its business and public image while increasing operational competitiveness, OBI Pharma, Inc. follows the international standard ISO/IEC 27001 Information Security Management System. The Company adopts the Plan-Do-Check-Act (PDCA) methodology, establishes a multi-layered information and communication security defense mechanism, and continuously strengthens management systems and technical measures to proactively prevent diverse and unpredictable cybersecurity threats and reduce operational risks.
- The Company’s “Information Security Policy” is approved by the Board of Directors and serves as the foundation for establishing its information security management system, as well as for formulating related regulations and procedures. This ensures the confidentiality, integrity, and availability of the Company’s critical information.
- The Company clearly defines the responsibilities and authority of the information security management unit, which assists the Board of Directors in continuously promoting the implementation of information security management to strengthen corporate governance and enhance the security of business operations.
- Regular information security risk assessments are conducted, with the Information Security Management System (ISMS) Management Representative responsible for reviewing the appropriateness of risk treatment measures.
- Management review meetings are convened periodically to evaluate the performance of the information security management system.
- Information security inspection and control tasks are included in the Company’s annual audit plan. The audit unit conducts at least one audit per year. In accordance with the internal control system, the Company performs a self-assessment annually, summarizes the effectiveness of internal control implementation, submits the results to the Board of Directors for review and confirmation, and issues an Internal Control System Statement based on the evaluation outcome.
(2) Information security policies:
- The Company has established clear information security objectives and policies, which are reviewed and revised regularly to ensure their ongoing relevance and effectiveness.
- OBI Pharma, Inc. obtained ISO/IEC 27001 certification in 2023, and the current certificate is valid from May 13, 2025, to May 12, 2026.
- Effectiveness measurements and corrective and preventive actions are regularly implemented to ensure that the information security management mechanism evolves in line with current needs.
(3) Specific management schemes:
- The Company conducts at least one information security training and awareness session per year. All new employees are required to sign a confidentiality agreement.
- External vendors must sign confidentiality agreements to ensure that any information accessed or handled during the provision of services is protected, preventing unauthorized access, alteration, destruction, or improper disclosure.
- Employees are required to properly safeguard and use their accounts, passwords, and access rights, and must regularly update their passwords.
- Appropriate backup, redundancy, or monitoring mechanisms have been established for critical information systems and equipment, and are tested regularly to ensure availability.
- A business continuity management mechanism has been established and is periodically tested to ensure its applicability.
- Internal audits are conducted annually to verify the effectiveness of the information security management system and internal controls related to information security.
(4) Resources invested in information security management:
- The Company has assigned dedicated personnel to be responsible for information security planning and technical implementation, with the goal of maintaining and continuously strengthening its information security posture.
- Professionals with internationally recognized information security certifications and relevant experience have been recruited to enhance protection capabilities and information security.
- Professional cybersecurity vendors are engaged to perform information security assessments and related testing, evaluating the effectiveness of existing controls.
- A backup mechanism has been established for key systems, and regular disaster recovery drills are conducted.
- The Company is a member of the government-sponsored TW-ISAC (Taiwan Information Sharing and Analysis Center) platform, enabling real-time access to and sharing of critical cybersecurity intelligence.
- The Company has also joined the Taiwan Chief Information Security Officer (CISO) Alliance to promote collaboration and exchange of cybersecurity technologies among CISOs. Through this alliance, OBI Pharma, Inc. enhances cybersecurity talent development, access to security services and resources, support for major incident response, compliance-based ISMS implementation, and overall cybersecurity resilience.
- Standard procedures for responding to and reporting information security incidents have been established. A dedicated incident response team is responsible for the real-time handling of security incidents to prevent escalation and further damage.
- Through continuous investment in cybersecurity management and technological resources, the Company continues to enhance its defensive capabilities and resilience. This enables effective prevention before incidents occur, and facilitates swift response and handling when incidents arise—ultimately minimizing the impact on the Company’s financial and operational performance.