Cybersecurity organizational structure

To improve the security management of the group, a Group Cybersecurity Department has been established, with the Financial and Business Department General Manager as the highest responsible person. The Cybersecurity Department is responsible for driving information security policies and resource allocation. It is staffed with dedicated cybersecurity professionals to ensure that all information security management standards and control measures are effectively and continuously implemented. The organizational structure of the Group's Cybersecurity Department is shown in the figure below:

The organizational structure of the Group's Cybersecurity Department


PMX Group's Cybersecurity Management and Continuous Improvement Framework


Cybersecurity management mechanism

All customer privacy and confidential information is disclosed on a need-to-know basis, and the Group has implemented three different types of control (People, Process and Technology) to ensure the security of customer privacy and confidential information. Below is a summary of the three controls:


Cybersecurity management actions

  • To meet the requirements of internal information security regulations and external regulatory authorities, the Group has established an Information Security Management System and information security management procedures. Ten information security objectives have been formulated, and the results of their achievement are recorded on a monthly basis.
  • To reinforce our information security protection capabilities, we engage vendors to perform penetration testing every year, analyzing potential vulnerabilities and intrusion scenarios through various hacking methods, in order to keep improving the quality of cybersecurity protection.
  • To enhance application system security and mitigate risks, we regularly perform vulnerability scanning and penetration testing of systems and equipment, and fix medium-risk and high-risk vulnerabilities each year. We have also added privileged account access management, the IP-guard system, EDR and network equipment configuration management to reduce the risks of external intrusion and internal sensitive data loss, and we continuously monitor logs through the information security incident management system to detect anomalies in real time and strengthen the cybersecurity management mechanism.
  • For critical systems related to company operations, regular data backups and on-site redundancy mechanisms are implemented to strengthen the enterprise's resilience against cybersecurity risks.
  • We organize information security awareness training twice per year and 6 social engineering exercises each year, using a combination of e-mail, instant messaging, and digital TV to communicate with employees on cybersecurity protection and current affairs, which in turn promotes the cybersecurity awareness of the Group's employees. Meanwhile, we have purchased the "Corporate Information Security Risk Management Insurance/Fraud Risk Protection Insurance" to reduce or transfer cybersecurity losses, hoping to become an enterprise that excels in the maturity of information security governance.
  • The main operating locations of Primax Group have obtained the "ISO 27001:2013" international standard certificate. The core key systems added in 2023 have successfully passed SGS certification. We plan to upgrade to the new version, "ISO 27001:2022", in 2024 and to continue expanding the scope of certification to include, in turn, the R&D process, engineering, manufacturing processes and other operating procedures of the Company, and to pass the continuing certification by a third-party certification company each year.


Cybersecurity risk assessment

Primax Group takes an inventory of its information assets and updates the asset list regularly. Every year, the risks related to the information assets are assessed and the high-risk items are controlled, to lower the likelihood of risks and their impacts, for the purpose of ensuring long-term cybersecurity.

Primax has established comprehensive network and computer cybersecurity protection measures; however, malicious hackers can also try to spread computer viruses, destructive software, or ransomware across the Company's network system to interfere with our operations, extort money, gain control over our computer systems, or spy on confidential information. Such attacks may result in losses due to delay or disruption of orders, or in substantial costs for remedial and improvement measures adopted to strengthen the Company's cybersecurity systems.

To prevent and reduce the damage caused by such attacks, we continue to update and implement relevant improvement measures, such as strengthening network firewalls and network control; establishing endpoint antivirus measures depending on computer types; adopting new technologies to strengthen data protection and backup; enhancing the detection of phishing emails; and regularly performing social engineering email testing and offering employee IT security awareness training.

Internal audit of cybersecurity

The information audit taskforce of the Cybersecurity Department establishes the assessment indicators based on the risks. The self-assessment and inspection of cybersecurity were completed on March 29, 2023. The outcome of the assessment and supporting documents were also sent to the Audit Department for verification. The Audit Department implements the PDCA cycle once every six months. Cybersecurity is one of the required items for audit. All audit outcomes are submitted to the Audit Committee and Board of Directors regularly, at least once per year.


Product R&D and Manufacturing Safety

The research and manufacturing units of the company have consistently conducted research and manufacturing operations in accordance with the Group's information security policy and customer requirements and expectations. Through various physical and electronic control processes, the protection of product confidential information and process technology is ensured, while also maintaining compliance with customer requirements and relevant third-party certifications.

Primax Group's products include both computer peripheral products and non-computer peripheral products. Where products are classified according to their information security risk characteristics, such as electroacoustic products, OEM brand products, and wireless connector products, we arrange control measures, such as code review or source code scanning, per the customer's request before software/firmware updates go live to reduce information security risks.

At every stage from R&D to shipment of finished products, we always follow the customer's security principles. Any security-related concerns are immediately corrected. We ensure product information security without affecting the production process and subsequent operating procedures. Moreover, we also place significant emphasis on post-shipment product information security. Depending on the product's characteristics and customer requirements, preventive measures such as software testing or physical circuit isolation are implemented to strictly prevent potential cybersecurity risks during product use (e.g., malicious program implantation) and avoid the risk of user information leakage.


Customer Privacy and Personal Data Protection

Primax Group complies with the provisions of the personal data protection act and related laws and regulations at home and abroad to formulate the "Privacy Policy," which is applicable to: 1. customers, suppliers and contractors; 2. visitors to the official website or on-site visitors; and 3. job applicants. The Cybersecurity Department serves as the dedicated personal data protection and management unit. One dedicated staff member has been appointed by each of Primax Electronics and Tymphany to take charge of formulating personal data protection laws and regulations, accepting related complaints and managing the operating procedures, etc.

Meanwhile, Primax Group is committed to protecting customer information security to safeguard customers' interests and rights. The Company has established management policies and procedures for customers' privacy and confidential information, adhering to the principle of "least privilege." Access to sensitive data related to customer projects is granted only after internal authorization, and the Group's Cybersecurity Department conducts regular reviews on cybersecurity-related procedural documents to ensure timely updates that meet the required level of information security management in line with customer needs and demands.

Primax values the data subject's exercise of rights over his/her personal data pursuant to laws. It has set up a dedicated mailbox on the Company's website. Once complaints are received or incidents of personal data infringement are discovered, we will settle them and impose related punishment in accordance with the applicable regulations, including the "Personal Data Protection Regulations," "Supplier Code of Conduct," and "Customer Data Non-Disclosure Agreement," etc. In 2023, there was no violation of personal data or violation of customers' privacy (including complaints).