

Specific management plans and resources devoted to information security management
The Company focuses on information security control, and the specific measures adopted for information security protection are mainly based on five aspects of information security management:
01 Staff Management
At the time of employment, the Company signs a “contract of employment” with the employee, which stipulates that the intellectual property rights of all creations and inventions made by the employee during the employment period shall be vested in the Company. At the same time, the Company signs a detailed “confidentiality agreement” with the employee, which stipulates that the employee is responsible for maintaining the confidentiality of all business information, technology, processes, programs, procedures, designs or any other confidential information that the employee may use in the design, sale or operation of the Company, whether during the employment contract or after its termination.
In case of contract violation, the Company may impose penalties in accordance with the work rules and, depending on the seriousness of the situation, may pursue criminal liability. The Company uses various meetings from time to time to educate employees on topics including the protection of business secrets, access control rules, and the principle of disclosing information to the outside world, so that employees can establish correct concepts and develop good working habits.
02 Device Control
The Company’s computer equipment must have antivirus software installed. The system verifies that a computer meets the specifications before granting it network connection authorization. Unauthorized computer equipment is strictly prohibited from accessing the Company’s network, and the system automatically blocks any unauthorized equipment to prevent non-compliant devices from affecting the Company’s internal network and equipment.
03 Authority Management
To avoid theft and fraudulent use of accounts, Company employees are required to pass two-factor authentication (system account password plus a one-time password, OTP) to access their personal computers. Each R&D project has strict permission control: project members must submit a form to apply for access privileges, and the information management staff set the access privileges after the supervisor’s approval. Access privileges are reviewed once every six months to ensure the correctness of privilege management.
04 Data Management
The Company’s R&D-related data are stored on dedicated storage devices with high-availability redundancy, and project R&D data are controlled by privileges so that only authorized members can access them. The Company’s R&D data are backed up regularly under a complete backup mechanism and stored off-site to ensure disaster recovery capability.
05 Export Management
When a product is delivered to the customer, an application must be completed. The data are then encrypted by the system and uploaded directly to the dedicated space that the Company provides for the customer to download from, without any manual intervention. This dedicated space only allows connections from the specific IP devices provided by the customer. The connection opening time is limited to one month.
Type | Item | Prevention Purpose | Information Security Management Resources Description |
Staff Management | Information security advocacy | Reduce the chance of virus infection | Information security advocacy for new hires; regular sharing of cases of major domestic and international information security abnormalities with employees |
Device Control | Antivirus software; untrusted device blocking | Prevention of software viruses | Information security system procurement and implementation. The system determines that the computer meets the criteria before granting permission to connect to the network. If an unauthorized device accesses the system, its network access is blocked. |
Authority Management | Two-factor authentication; project authority control | Avoid account impersonation | Two-factor authentication system setup; internal R&D management system development |
Data Management | Professional storage equipment; local redundancy architecture; off-site data backup | Avoid data loss | Professional storage equipment procurement; professional backup software procurement |
Export Management | Automated system rotation; dedicated encryption space | Avoid data breach | Internal shipment management system development. When the product is delivered to the customer, an application form is required. After the approval of the relevant supervisor and sales contractor, the system encrypts the data and uploads it directly to the exclusive space provided by the Company for the customer to download, without any manual intervention. The exclusive space allows only certain IP devices provided by the customer to connect, and the connection opening time is limited to one month. |
Cyber Security Management Execution Overview
On August 6, 2024, the Board of Directors reported the following execution highlights for the year:
Item | Execution Details | Execution Results |
Internet firewall updates | The original Internet firewall had poor stability, which affected the sending and receiving of emails and the exchange of customer data, and its information security protection function was relatively basic. In consideration of operational stability and an increasingly challenging information security environment, the Company planned an upgrade. The new firewall provides more granular application classification control and has more powerful hardware specifications to improve network performance. | Improved stability of the overall operating environment, more efficient network traffic processing and more rigorous classification. There are currently no major cyber security incidents. |
Endpoint information security management and control software introduction | To strengthen the control of laptops, endpoint protection software was introduced after testing. It can distinguish user departments and set different information security principles for them, ensuring information security protection capabilities and reducing the risk of data leakage after the information equipment leaves the company’s network. | Improved information security protection capability of laptops; the software deployment rate is 100%. |
Improved defense capability of the e-mail system | The ADM advanced defense module was added to the original email protection system, and cloud sandbox technology is used to simulate the production of static features, intercept attachments, zero-day malicious programs and APT attack tools, improving the overall email protection capability. | The ability to block phishing emails has been improved, and there are currently no major cyber security incidents. |
Social engineering drill | A social engineering drill was conducted in Q4 2023, with a total of 290 emails sent and a pass rate of 91% for all employees. An explanatory announcement was sent after the drill. Information security policies are promoted on the homepage of the company’s internal website to enhance the information security awareness of all colleagues. | Improved ability of colleagues to respond to phishing emails; there are currently no major cyber security incidents. |