Cybersecurity

Diamond Biofund has established a Cybersecurity Management Team to formulate and implement cybersecurity policies and execution plans, promoting, reviewing, and improving them. Additionally, the Audit Office forms an Internal Audit Group responsible for conducting cybersecurity audits, performing at least one random check annually to assess the effectiveness of cybersecurity controls and track the results of improvement plans.

Cybersecurity risk management framework

Diamond Biofund has established a Cybersecurity Management Team to oversee information and communications security management. The team is led by a Management Representative who also serves as the Convener. A Cybersecurity Group and an Internal Audit Group have been set up as the dedicated cybersecurity management units. The implementation status of cybersecurity management is reported annually to the Sustainability Development and Nominating Committee and the Board of Directors. The implementation status for 2024 was reported to the Sustainability Development and Nominating Committee and the Board of Directors on February 25, 2025. The implementation status for 2025 is scheduled to be reported to the Sustainability Development and Nominating Committee and the Board of Directors in the first quarter of 2026.

The Cybersecurity Group includes one dedicated cybersecurity manager and one dedicated cybersecurity staff member, who are responsible for planning, implementing, and controlling tasks related to cybersecurity. Their responsibilities include conducting various risk assessments, system classification, implementing system security control measures, supervising cybersecurity management tasks, and formulating and promoting cybersecurity-related regulations. The Internal Audit Group is responsible for auditing and conducts annual random checks on the implementation of cybersecurity policies, as well as tracking the effectiveness of corrective action plans. A cybersecurity meeting was held in 2025, and no significant cybersecurity violations were reported during the year.

Cybersecurity Goals

To protect the confidentiality, integrity, and availability of information assets, the company aims to achieve the following goals through the implementation of its cybersecurity policy:

  1. Establish a secure and reliable information environment, ensuring the security of the company’s data, systems, equipment, and networks to support the company’s continuous operations.
  2. Protect business services by ensuring that only authorized personnel can access information, thus maintaining confidentiality.
  3. Safeguard business services by preventing unauthorized modifications, ensuring accuracy and integrity.
  4. Develop a business continuity plan to ensure the continuous operation of information services.
  5. Ensure that all business services comply with relevant government regulations (e.g., Cyber Security Management Act, Criminal Code, Classified National Security Information Protection Act, Patent Act, Trademark Act, Copyright Act, Personal Data Protection Act).
  6. Protect personal data related to the company’s business from external threats or improper management and use by internal personnel, avoiding risks such as theft, tampering, damage, loss, or leakage.
  7. Enhance the protection and management of information assets to reduce operational risks.

Specific Cybersecurity Management Measures

  1. Formulating management measures
    To establish a robust cybersecurity management system, the company obtained ISO 27001 certification in September 2024. By adhering to international cybersecurity management standards, the company aims to increase awareness of cybersecurity among employees and establish proper guidelines for computer and network usage. The company has developed various policies and procedures, including: Information Security Policy, Cybersecurity Organization and Objectives Management Procedures, Information Asset Management Procedures, Cybersecurity Risk Assessment, Physical Security, Operational Security, Access Control, Cybersecurity Incident Management, and other related procedures and guidelines.
  2. Information technology
    The company has implemented a multi-layered protection system for cybersecurity, including: complex password verification for accounts, antivirus protection for servers and clients, internet behavior management/malicious website protection, firewall blocking, server data backup, data encryption, network IP management, and Endpoint Detection and Response (EDR) measures. In 2025, EDR deployment covered approximately 100% of the company. The company will continue to allocate resources to maintain full EDR coverage going forward.
  3. Business Continuity Plan (BCP)
    The BCP is activated when disaster events disrupt business operations. The Cybersecurity Management Team is responsible for coordinating the response to ensure that critical information services are restored to minimum operational levels as quickly as possible, minimizing potential losses. To ensure the effectiveness of the plan and enhance personnel readiness, at least one drill is conducted annually. On May 15, 2025, a Business Continuity Plan drill was carried out, and both the system and database were successfully restored to normal operation.
  4. Vulnerability Analysis
    The Cybersecurity Management Team conducts annual vulnerability assessments to ensure robust cybersecurity management across the Company’s data centers, internet infrastructure, EIP system, and office environment. On June 11, 2025, a system vulnerability scan was carried out, followed by an in-depth analysis of the identified risks. Based on the results, targeted remediation measures were implemented to mitigate potential threats and strengthen overall system security.
  5. Risk Monitoring and Incident Response Mechanism
    To strengthen cybersecurity risk management and incident response capabilities, the Company has implemented the ISO 27001 Information Security Management System (ISMS) and established both the “Cybersecurity Risk Assessment and Management Procedure” and the “Cybersecurity Incident Management Procedure”. Through a systematic monitoring and operational framework, the Company continuously conducts risk assessments, control measures, and improvement actions to enhance its ability to identify and respond to potential cybersecurity threats.
    In terms of risk monitoring, the Company systematically carries out information asset identification, threat and vulnerability assessments, and calculates risk values using the formula (Information Asset Value × Threat Level × Vulnerability Level). The results are compared against defined risk tolerance levels, and if the assessed risk exceeds the acceptable range, improvement plans are proposed and tracked to completion. Risk assessments are conducted at least once a year and reviewed as needed when system or environmental changes occur, ensuring continuous and adequate protection of information assets.
    For incident management, cybersecurity incidents are categorized into four severity levels (Levels 1–4) with established reporting, command, and response procedures. Level 4 and Level 3 incidents must be contained or recovered within 36 hours, while Level 2 and Level 1 incidents must be contained or recovered within 72 hours. Follow-up remediation and preventive actions are also implemented to ensure timely response and effective risk mitigation.
    Furthermore, Article 6.1.2.4 of the Cybersecurity Incident Management Procedure stipulates that, when necessary, communication and explanation to affected users should be conducted to ensure transparency and strengthen stakeholder trust.
  6. Promotion and improvement
    To raise awareness of cybersecurity among employees and strengthen self-protection, the company holds at least one cybersecurity management review meeting each year to supervise and control cybersecurity systems and incidents. Additionally, the company conducts at least three hours of cybersecurity awareness training and one cybersecurity incident drill annually. In 2025, a total of 3 company-wide cybersecurity training sessions were held, covering the following topics: “ISO27001 Cybersecurity Protection and Personal Data Privacy Training,” “AI Applications and Cybersecurity Risk Prevention Course,” and “Social Engineering and Password Protection Strategies.” In total, at least 9 cybersecurity awareness sessions were held in 2025, aimed at strengthening employees’ cybersecurity awareness and improving information security protection concepts. Moreover, two phishing email social engineering drills were conducted in 2025, with a 100% success rate in passing the phishing test. In the future, more phishing email formats will be introduced. Employees who fall victim to phishing will be required to undergo additional cybersecurity education and training to enhance overall information security awareness within the company.
  7. Joining a cybersecurity organization
    In September 2022, the company joined the TWCERT/CC Cybersecurity Alliance and periodically exchanges cyber threat intelligence through this platform. By leveraging joint defense mechanisms and sharing cyber threat intelligence, the company aims to expand its cybersecurity defenses and strengthen its cybersecurity resilience.

2025 Cybersecurity Education and Training Statistics

Cybersecurity Training Course Title | Target Audience (Total Number of People) | Number of Participants | Course Hours | Coverage Rate* (%)
ISO27001 Cybersecurity Protection and Personal Data Privacy Training | All employees (23) | 15 | 3 | 65
AI Applications and Cybersecurity Risk Prevention Course | All employees (24) | 22 | 3 | 92
Social Engineering and Password Protection Strategies | All employees (23) | 21 | 1.5 | 91

*Coverage Rate Calculation = Number of Participants / Total Number of Course Audience, expressed as a percentage

Introduction of ISO27001 ISMS System

To demonstrate Diamond Biofund’s commitment to cybersecurity and align with international standards, the company initiated the implementation of the ISO 27001 Information Security Management System (ISMS) in the second quarter of 2024. In April 2024, the company established a Cybersecurity Management Committee, which was reorganized in December 2024 into the Cybersecurity Management Team. The Cybersecurity Representative serves as the team convener, and both a Cybersecurity Group and an Internal Audit Group were established as dedicated cybersecurity management bodies. The team reports annually on the execution status of cybersecurity management to the Sustainability and Nomination Committee and the Board of Directors.

Diamond Biofund obtained ISO 27001 certification in September 2024. The certification covers both system and management aspects. The implementation scope includes tasks such as risk assessment, vulnerability remediation, security protection, risk verification, asset inventory and risk evaluation, as well as personnel education and training. All tasks are in compliance with international information security management standards.

On September 2, 2025, the company received notification that the annual renewal evaluation was successful; the certificate remains valid.

Diamond Biofund Cybersecurity Management Effectiveness Table

Category | 2025
Number of major cybersecurity incidents | 0
Number of data leaks | 0
Number of employees or customers affected by data leaks | 0
Amount of fines due to cybersecurity incidents (NTD) | 0

Note: The definition of major cybersecurity incidents is based on the Financial Supervisory Commission’s FAQ on major announcements for publicly listed companies.