Information Security Management Policy
The Information Security Management Policy of HD Renewable Energy Technology Co., Ltd. serves as the guiding principle for information and communications security management. In accordance with ISO 27001, the Company has established an Information Security Management System based on the Plan-Do-Check-Act (PDCA) cycle to ensure effective operation and continuous improvement.
HD Renewable Energy Technology Co., Ltd. commits to the following information security management policies:
Planning and Establishment
Through the establishment of an information security organization, potential threats and vulnerabilities are identified and controlled. Risk assessments are conducted, and control mechanisms are designed and implemented to establish an information security management system.
Implementation and Operation
Management controls of the information security management system are implemented and operated.
Monitoring and Review
The implementation of information security management activities is monitored, and their effectiveness is reviewed.
Maintenance and Improvement
Based on monitoring and review results, corrective actions are established and implemented to ensure the continued operation of the information security management system.
- To ensure effective communication of the Company’s information security management system to all relevant stakeholders, information security policies and related procedures are disclosed through easily accessible channels such as the corporate website, internal portals, and contractual documents.
- To ensure effective communication of information security management requirements to external parties, all employees, contracted or appointed personnel, and outsourced service providers are required to understand and comply with the Company’s information security management requirements when performing their duties.
- The Information Security Committee conducts a review of information security policies and management requirements at least once a year. Additional reviews are performed in response to significant environmental factors including climate change, organizational changes, major service adjustments, or significant information security incidents. These reviews ensure alignment with the latest developments in laws and regulations, information technology, and business operations, and maintain the effectiveness of information security practices.
Information Security Framework
HD Renewable Energy Technology Co., Ltd. has established an Information Technology Department and an Information Security Promotion Team responsible for the planning, implementation, supervision, and continuous improvement of information security management. Layered control and protection mechanisms have been implemented across system servers, operating systems, and network infrastructure to prevent incidents such as disasters, data damage, and unauthorized access to confidential information. In the event of an information security incident, the Company has an emergency response plan in place to ensure business continuity. The Company also places strong emphasis on physical security and the prevention of risks related to malicious data leakage, theft, or unauthorized recording.
HD Renewable Energy has allocated dedicated budgets to information security management to further strengthen information protection and reduce the risks of cyber intrusions and system attacks. To mitigate cybersecurity risks and safeguard Company and customer data, a range of information security management mechanisms has been progressively implemented in recent years. Through designated information security authorities, the Company establishes information and communications security policies and promotes cross-functional collaboration to enforce information security requirements and manage ISO-related documentation. Execution status is reported regularly to the Board of Directors to ensure the secure use of information and maintain a trusted information environment. No major information security incidents occurred in 2025.
Since 2023, the Company has established dedicated information security leadership and a six-member security team. Information security performance is reported monthly to senior management, included in quarterly management reviews, and presented to the Board of Directors each year. In 2025, more than twelve information security-related meetings and reviews were conducted.
Information Security Committee Structure
Roles and Responsibilities of the Information Security Committee
| Group or Role | Department | Title | Headcount | Notes |
|---|---|---|---|---|
| Information Security Committee | ||||
| Management Representative | Information Technology Office | Assistant Manager | 1 | Oversees the effectiveness of the Company’s information security policy implementation |
| Information Security Execution Team | ||||
| Team Leader/Member | Information Technology Department | Manager | 1 | — |
| Team Member | Information Technology Department | Engineer | 3 | Coordinates representatives from relevant departments to support and implement information security-related initiatives |
| Information Security Audit Team | ||||
| Team Leader | Audit Office | Manager | 1 | — |
| Team Member | Audit Office | Specialist | 1 | — |
| Team Member | External Consultant | — | — | Provides audit reports based on the audit scope and operational needs as assigned by the team leader and implemented after approval by management |
| Emergency Response Team | ||||
| Team Leader | Information Technology Department | Deputy Manager | 1 | — |
| Team Member/Incident Reporting Contact | Information Technology Department | Engineer | 2 | Responds according to incident severity and operational requirements and coordinates emergency response actions across teams |
Information Security Incident Response Measures
Information Security Initiatives
- In 2024, the Company implemented the ISO 27001 Information Security Management System (2022 revision), integrated with the PDCA cycle, and obtained third-party certification valid from December 10, 2024 to December 9, 2027.
- The Company participates in cybersecurity alliances such as TWCERT/CC to collect threat intelligence and assess potential risks across internal systems.
- System vulnerability scans are conducted quarterly or upon deployment, with high-risk issues addressed through timely software and firmware updates.
- Information security policies and management measures are reviewed and updated in response to regulatory changes and internal or external risks to meet stakeholder expectations.
- Key systems regularly conduct Business Continuity Plan exercises to ensure operational resilience during major information security incidents.
- Information Security Awareness Enhancement:
  - New employees receive foundational information security training during onboarding.
  - The Group conducts annual information security training for all employees, followed by assessments. In 2025, both participation and pass rates reached 100 percent, with total training hours exceeding 500.
  - Social engineering drills are conducted twice annually using realistic scenarios. In 2025, the click-through rate was 1.7 percent, and targeted follow-up training was provided to employees who interacted with simulated attacks.
  - The Company conducts ad hoc information security awareness initiatives in response to emerging cybersecurity and fraud incidents. In 2025, a total of eight initiatives were carried out, along with remediation of identified system vulnerabilities.