Information Security
Digital technology innovation continues to change the way people live, especially in the field of financial technology (FinTech): web applications, mobile applications, digital currency, blockchain, mobile payment, APIs, biometrics and more. These technologies are driving major change in the financial industry and creating many new opportunities, but they also introduce information security risks such as cyber-attacks, inadequate identity verification and inaccurate information. Criminals can exploit these weaknesses for money laundering or fraud, which may result in the leakage of personal information.
To address the risks and opportunities brought by digital technology, KTB has established a comprehensive management structure and system, strengthened its hardware and software, and promoted education and training, among other measures, and is committed to taking precautions and countermeasures. The 2024 results are as follows:

Information Security Risk Management Framework
The Information Technology Department of KTB is the information security execution unit and the first line of defense in information security internal control. In August 2015 the Board of Directors approved the establishment of a dedicated information security unit, the "Information Security Section", under the Risk Management Department, to serve as the second line of defense in information security internal control and to be responsible for planning, promoting, monitoring and managing the information security management system (ISMS), so as to strengthen information security management. The Auditing Department, which reports to the Board of Directors, is an independent information security audit unit and acts as the third line of defense; it is responsible for information security audits that verify that management operations are actually implemented.
To improve the Bank's ISMS, respond to changes in information security regulations, comply with relevant government laws and regulations, and thereby reduce the risks and impacts arising from information security, KTB established the "Information Security Management Committee" in November 2015. The committee is responsible for reviewing the ISMS policy and regulations and the overall implementation of information security. The dedicated information security unit, the "Information Security Section" under the Risk Management Department, submits an implementation overview to the Chairman every year, and the Auditing Department then reports the results to the Board of Directors. The committee's convener is the President or a person designated by the President; its members are the heads of the Risk Management Department, Information Technology Department, Digital Service and Channel Management Department and Compliance Department (or their designees), together with the heads of other units designated by the convener. The Auditing Department attends meetings as a non-voting member. The committee holds at least one management review meeting every year and additional meetings as required. The main tasks of the meeting are as follows:
(1) Formulate KTB's Information Security Policy.
(2) Promote the information security management system.
(3) Assess the infrastructure of the information security management system.
(4) Handle and review major information security incidents.
(5) Discuss major information security issues raised by each unit.
(6) Conduct the annual review of the overall implementation of information security measures.
(7) Discuss other information security issues.
In addition, to strengthen the information security management framework, KTB created the position of Chief Information Security Officer on December 21, 2021, responsible for the integrated promotion of information security policy and for the scheduling of resources. In line with the Financial Supervisory Commission's "Financial Cyber Security Action Plan 2.0", which encourages financial institutions to appoint directors or advisors with cybersecurity backgrounds or to establish cybersecurity advisory groups, a "Cybersecurity Advisory Group" was formally established on July 1, 2023. Its members include the President, Chief Auditor, Chief Regulatory Compliance Officer, Head of Risk Management, Head of Information Technology and Chief Information Security Officer, together with internal and external members appointed by the President. The core members are the managers responsible for the Bank's three lines of cybersecurity defense, whose responsibilities and qualifications are closely tied to the institution's overall cybersecurity policy. The group discusses information security policy issues that affect the Bank's operations and makes recommendations, through meetings or discussions in any form; these recommendations are then referred to the "Information Security Management Committee" for implementation and follow-up. The aim is to improve board members' understanding of the information security situation and to incorporate information security risk substantively into business decision-making.

Information Security Management Measures
Information Security Policy
KTB has formulated the "Information Security Policy" to protect the confidentiality, integrity and availability of KTB's information assets, to prevent risks such as inappropriate use, leakage, alteration and damage, and to ensure that information is collected, handled, transmitted, stored and distributed securely. KTB has also formulated procedures and manuals under the "Information Security Policy" that specify the required conduct of employees, outsourced service providers and visitors, and reports these regulations to the Information Security Management Committee.
The Bank obtained "Information Security Management System (ISMS) ISO/IEC 27001:2013" certification in December 2022 (valid until 2025-10-31), and subsequently obtained certification to the revised standard, "Information Security Management System (ISMS) ISO/IEC 27001:2022", in December 2024 (valid until 2025-12-15). We will continue to review and improve the ISMS to keep pace with the latest developments in information security laws, technologies, organizations and operations. In addition, in accordance with the requirements of the competent authorities, applicable regulations and the Bank's ISMS standards, we implement the relevant control measures to build and strengthen all-round information security defense capabilities. The specific management plan is as follows:
(1) Information Security Protection and Inspection Analysis
․ Establish an information security inspection platform for real-time monitoring and the presentation of statistical data.
․ Establish backup routes and a "Distributed Denial-of-Service (DDoS) Attack Monitoring and Traffic Scrubbing Protection" mechanism for the Internet links of major business systems.
․ Have external professional vendors conduct regular information security evaluations, including information architecture review, network activity testing, security configuration review, vulnerability scanning, penetration testing and compliance review. In accordance with King's Town Bank's internal information security management regulations, the risk items in the evaluation report are regularly reviewed and remediation is tracked by the Information Security Management Committee to ensure that information security is not compromised.
․ Update information security protection software and hardware regularly so that Internet attacks are detected and blocked effectively and promptly.
․ Join the Financial Information Sharing and Analysis Center (F-ISAC) as a member of the domestic information security joint defense system, to gain immediate access to financial security intelligence.
(2) Information Security Emergency Response Drills
To minimize the impact on business and restore operations as quickly as possible when a major disaster affects information services, KTB has formulated regulations including the "Business Continuity Management Manual", "Cyber Security Incident Management Procedure", "ATM Cyber Security Emergency Response Procedure", "Information Technology Department Denial-of-Service Attack Handling Manual" and "Open System Backup Exercise Plan". KTB also conducts annual drills so that correct operating procedures keep the impact of possible information security incidents to a minimum. In 2024, KTB organized a total of 29 drills, the content of which is as follows. The status of the drills has been submitted to the Information Security Management Committee for review:

(3) Information Security Planning
To continuously strengthen the Bank's information security management measures, KTB obtained certification to the new version, ISO/IEC 27001:2022, at the end of 2024. KTB will continue to maintain the validity of the certificate and to provide education and training so that personnel hold the relevant information security certifications.
◆ Resources Invested in Information Security
KTB continues to invest in information security. In 2024, KTB invested a total of NT$67,403 thousand in information security, 65.71% of the total information technology budget; the projects funded include improvements to information security defense equipment, data monitoring and analysis, and education and training. In terms of staffing, there are 1 Chief Information Security Officer, 4 members of the information security promotion unit (the second line of defense) and 95 members of the information security execution unit (the first line of defense), 100 people in total.
In terms of education and training, all employees of the Bank took an information security test, with a pass rate of 100%. A total of 3,693 hours of internal and external information security courses were held, of which 95.5% were internal training courses and 4.5% were external training courses. In addition, the information security promotion unit conducts information security awareness training for the whole company twice a year. The topics of the awareness training are planned according to laws and regulations and current internal and external threat events, and are as follows:

◆ Information Security Incident Reporting Process
KTB has developed the "Cyber Security Incident Management Procedures" to standardize the reporting process, assessment capability and contingency measures for information security incidents. Upon notification of an information security incident, personnel of the relevant units shall immediately classify and identify the incident and, according to the incident level, decide whether to form an "emergency response team"; identify the scope of impact within the prescribed time; determine the probable cause; contain and resolve the incident; and, after handling it, analyze it and produce a report to prevent recurrence. The losses, possible impact and countermeasures of significant information security incidents in the most recent year and up to the publication date of the annual report are to be listed; where a reasonable estimate cannot be made, that fact shall be explained. There were no significant information security incidents in 2024 or up to January 2025.
