To promote the Company’s sustainable development, strengthen corporate governance, and establish a sound risk management system, the Board of Directors approved the adoption of the “Risk Management Policy and Procedures” on November 6, 2024. The Company’s risk management procedures primarily include risk identification and analysis, risk assessment, risk response, and monitoring and review mechanisms. Each department identifies risk items related to its operations, conducts risk assessment and analysis based on the principle of materiality and stakeholder concerns, evaluates the potential impact of each risk on the Company, and formulates corresponding risk management measures and countermeasures.

The Company’s risk management framework covers operational risks related to environmental (climate change, biodiversity, occupational safety and health, energy, etc.), social and human rights, governance (regulatory compliance, anti-corruption and fraud prevention, information security), financial, and other relevant risk factors. The Audit Committee is responsible for supervision, while the Sustainability Development Office reports at least once a year to both the Audit Committee and the Board of Directors on the implementation status. 

For details, please refer to our company's Policies and Procedures for Risk Management.

Risk Management Levels and Responsibilities: 

• Level 1: Responsible units for respective risks manage risks in accordance with risk management procedures as part of their daily operations.
• Level 2: The Audit Unit conducts regular audits and reviews the implementation status of risk management.
• Level 3: The Sustainability Development Office, established under the Chairman, coordinates overall risk management and reports the execution status to the Board of Directors.

Catcher actively implements risk management, with the Sustainability Development Office reporting at least once a year to the Audit Committee and the Board of Directors on the annual implementation status. The most recent report was presented on November 6, 2024, with the key contents summarized as follows:

1. Identification, Analysis, and Assessment of Risks Related to Material Issues

▼ Identification Results of Material Risk Issues

2. Risk Management Implementation

The Company has established an Information Security Promotion Task Force, consisting of a Convener, Management Representative, Executive Secretary, Information Security Management Team, Data Protection Team, Emergency Response Team (task-oriented), and Audit Team. The task force formulates the Company’s information security development directions and strategies and promotes as well as implements various information security management initiatives to ensure the continuous and stable operation of the information security management system.

• Information Security Promotion Task Force: The Company’s decision-making and management body for information security, responsible for overall promotion of information security initiatives.
  
• Management Representative: Coordinates system planning, resource allocation, and project implementation related to information security.
  
• Executive Secretary: Assists the Management Representative and Convener in carrying out information security management tasks.
  
• Information Security Management Team: Responsible for planning, establishing, implementing, maintaining, reviewing, and continuously improving the Company’s information security management system for IT systems; reports information security issues to the Task Force, coordinates audit schedules, supervises audit execution, and oversees preventive and corrective measures.
  
• Data Protection Team: Promotes and manages the Company’s data and personal data protection systems.
  
• Emergency Response Team: A task-based unit responsible for monitoring and tracking major information security incidents, as well as maintaining, updating, and executing disaster recovery procedures.
  
• Audit Team: Formulates information security audit plans, conducts relevant audits, and follows up on preventive and corrective actions for items that do not meet audit standards.

Catcher is committed to information security management to safeguard the Company’s products and services from unauthorized access, alteration, use, and disclosure, as well as losses arising from natural disasters. The Company ensures the timely provision of complete and available information to protect the confidentiality, integrity, and availability of critical information assets. At the same time, Catcher complies with applicable laws and regulations, earns customer trust, fulfills commitments to shareholders, and guarantees the continuity of key business operations.

Full Participation, Enhanced Security Awareness:

Foster company-wide awareness to build a shared consensus that information security is everyone’s responsibility.

Proactive Prevention, Effective Security Management:

Establish information security technologies and implement an information security management system, continuously improving under the Plan-Do-Check-Act (PDCA) cycle.

Customer Trust, Sustainable Operations:

Provide a secure and trustworthy production environment to ensure business continuity and long-term sustainability.

To demonstrate the Company’s commitment to information security management and to ensure that all information and information systems are appropriately protected, the Company has established, documented, implemented, and maintained an Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2022 standard, and continuously improves its effectiveness.

Objectives:

Implement appropriate protection and preventive measures for information stored or transmitted by the Company.

Reduce the impact of information security incidents such as damage, theft, leakage, alteration, misuse, or infringement.

Continuously enhance the confidentiality, integrity, and availability of all operations across the Company’s information service systems.

In accordance with the ISO/IEC 27001:2022 standard, the Company adopts the Plan-Do-Check-Act (PDCA) cycle to establish and implement an Information Security Management System (ISMS), ensuring its effective operation and continuous improvement.

• Establish an information security management organization responsible for promoting, coordinating, and supervising information security management matters.
• Conduct a management review at least once a year to ensure the adequacy, sufficiency, and effectiveness of the ISMS. The review scope includes improvement plans and assessments of required changes to the system.
  
• Establish information security indicators to evaluate performance and the effectiveness of the ISMS.
  
• Perform regular or ad hoc security assessments or audits to review whether control objectives, measures, and procedures comply with laws, regulations, and relevant security requirements. Execute and maintain them effectively as planned to continuously enhance the effectiveness of the ISMS.