To promote sustainable operations, strengthen corporate governance, and enhance the risk management framework, the Board of Directors of Catcher Technology approved the adoption of the “Risk Management Policy and Procedures” on November 6, 2024, with the Audit Committee overseeing risk management matters. To further strengthen risk management and sustainability governance, the Company established the Sustainability Development and Risk Management Committee under the Board of Directors on November 6, 2025. The Committee is responsible for overseeing risk management–related matters, while the Sustainability Development Office coordinates and consolidates risk issues and implements risk management activities. The Sustainability Development Office reports at least annually to the Sustainability Development and Risk Management Committee and the Board on the operation and outcomes of the Company’s risk management framework.

The Company’s risk management framework covers environmental risks (including climate change, biodiversity, occupational health and safety, and energy management), social and human rights risks, corporate governance risks (including legal and regulatory compliance, anti-corruption and fraud prevention, and information security), financial risks, and other operational risks. The risk management process encompasses key stages such as risk identification and analysis, risk assessment, risk response, and monitoring and review mechanisms. Relevant departments regularly identify risk items based on their operational responsibilities and, in accordance with materiality principles and stakeholder concerns, conduct risk identification and analysis to assess the potential impact of each risk on the Company’s operations. Based on these assessments, appropriate risk management measures and mitigation strategies are formulated to enhance operational resilience.

For details, please refer to our company's Policies and Procedures for Risk Management.

Risk Management Levels and Responsibilities: 

• First line of defense: Each business or management unit is responsible for implementing risk identification, assessment, monitoring, and response measures in accordance with the Risk Management Policies and Procedures as part of daily operations and management activities.
• Second line of defense: The Internal Audit Department conducts regular audits and reviews to evaluate the adequacy and effectiveness of each unit’s risk management systems and implementation. Improvement recommendations are provided to ensure the continuous effectiveness of risk control.
• Third line of defense: The Sustainability Development Office, under the supervision of the Chairman, is responsible for coordinating overall risk management, consolidating implementation results from various units, and regularly reporting to the Sustainability Development and Risk Management Committee and the Board of Directors to ensure the ongoing enhancement of the Company’s risk management framework.

Catcher actively implements its risk management system and continuously strengthens the identification, assessment, and control of various risks. On November 6, 2025, the Sustainability Development Office presented the annual report on the Company’s risk management operations to the Audit Committee and the Board of Directors. The key highlights are summarized as follows:

1. Identification, Analysis and Assessment of Key Risk Issues

2. Results of the Identification of Significant Impact Issues

(A total of 15 significant issues were identified during the current reporting period)

Weighted Quantitative Scoring of Significant Impact Issues for the Current Period

*Biodiversity and Local Care and Social Inclusion were assessed as low-significance issues in 2023 and, therefore, were not included within the scope of material sustainability and risk issues in 2024 and 2025. Nonetheless, Catcher continues to disclose relevant information on these topics to ensure transparency and demonstrate its ongoing commitment to environmental protection and community engagement.

3. Risk Management Operations

For each major risk issue, Catcher has established corresponding risk management mechanisms, procedures, and regulations. To date, no significant irregularities or major incidents have occurred, and all risk mitigation measures have been effectively implemented and monitored, demonstrating Catcher’s commitment to proactive risk control and operational resilience.

Note: Under the Taiwan Stock Exchange Corporation’s Procedures for Verification and Public Disclosure of Material Information by Listed Companies, any single event with cumulative fines of NT$1,000,000 or more is classified as a material event.

Catcher Technology has established an Information Security Promotion Task Force, comprising a Convener, Management Representative, Executive Secretary, Information Security Management Team, Data Protection Team, Emergency Response Team (task-oriented), and Audit Team. The Task Force is responsible for formulating the directions and strategies for the Company’s information security development, and for promoting and implementing the initiatives related to information security management to ensure the continuous and stable operation of the information security management system.

• Information Security Promotion Task Force: The Company’s decision-making and management body for information security, responsible for overseeing and coordinating information security initiatives.
  
• Management Representative: Responsible for the overall planning of information security–related systems, coordination of resources, and implementation of related projects.
  
• Executive Secretary: Assists the Management Representative and the Convener in carrying out information security management duties.
  
• Information Security Management Team: Responsible for the planning, establishment, implementation, maintenance, review, and continual improvement of the Company’s information security management system; reports information security–related matters to the Information Security Promotion Task Force; coordinates and confirms audit schedules; oversees audit execution; and supervises preventive and corrective actions.
  
• Data Protection Team: Responsible for promoting and implementing management systems for data and personal data protection.
  
• Emergency Response Team: A task-oriented team responsible for monitoring and tracking the development of major information security incidents, and for maintaining, updating, and executing disaster recovery procedures.
  
• Audit Team: Responsible for formulating information security–related audit plans, conducting audits, and tracking preventive and corrective actions for any nonconformities identified during audits.

Catcher Technology is committed to information security management. Through comprehensive management systems and technical controls, the Company safeguards its products, services and information assets, prevents unauthorized access, alteration, use and disclosure, and mitigates potential losses arising from natural disasters and other unforeseen incidents. The Company ensures the timeliness, integrity and availability of information to protect the confidentiality, integrity and availability of critical information assets, while complying with applicable laws and regulations. These efforts are aimed at strengthening customer trust, fulfilling commitments to shareholders, and ensuring the continuity of critical operations and the Company’s sustainable development.

• Organization-wide participation to enhance information security awareness: Foster a culture in which information security is everyone’s responsibility through full participation and continuous education and training.
  
• Proactive prevention and effective information security management: Establish robust information security protection technologies, implement an information security management system, and continuously review and enhance management effectiveness through the Plan–Do–Check–Act (PDCA) cycle.
  
• Customer trust and sustainable operations: Provide a secure, stable, and trusted operating and manufacturing environment to ensure the Company’s long-term, steady business development.

To demonstrate the Company’s commitment to information security management and to ensure that all information assets and systems are appropriately protected, the Company has established, documented, implemented and maintained an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022. Through continual improvement mechanisms, the Company continuously enhances the effectiveness of the system’s operation.

Objectives

• Implement appropriate protection and security measures for all information stored, processed, or transmitted by the Company.
  
• Reduce the likelihood and impact of information security incidents involving damage, theft, leakage, tampering, misuse, or infringement of information assets.
  
• Continuously strengthen the confidentiality, integrity, and availability of information services and systems across all operational processes.

In accordance with ISO/IEC 27001:2022, Catcher Technology adopts the Plan–Do–Check–Act (PDCA) cycle to establish and implement its Information Security Management System, ensuring effective operation and continual improvement.

• Establish a comprehensive information security governance structure responsible for promoting information security policies, facilitating cross-departmental coordination, and overseeing implementation.
  
• Conduct management reviews at least annually to ensure the appropriateness, adequacy, and effectiveness of the ISMS; review items including improvement initiatives, significant requirements, and assessments of the impact of material changes in the operating environment.
  
• Define and continuously monitor key performance indicators (KPIs) for information security to evaluate performance and the overall effectiveness of the ISMS.
  
• Perform information security assessments and audits on a regular basis or as needed to verify compliance with legal requirements and information security standards for control objectives, measures, and operating procedures; implement corrective actions and ongoing maintenance in accordance with plans to continuously enhance the maturity and effectiveness of the ISMS.