Risk Management
Implementing risk management systems and operations is a crucial foundation for ensuring CLC's stable operations. The Board of Directors is responsible for overseeing risk governance. At the end of 2023, the Board approved the establishment of a Risk Management Committee to assist in supervising the risk management system, including reviewing the company's risk management structure and processes to facilitate risk identification and management, and reporting major issues, findings, and recommendations related to risk management to the Board. In 2023, the company also revised the "Risk Management Policy and Procedures," emphasizing Cheng Loong's commitment to a sound and effective risk management system and culture. This includes integrating and managing all potential risks, authorizing the General Manager to make risk management decisions, and ensuring that departments follow risk management procedures to properly identify and manage internal and external risks, and assess the impact of operational, financial, and climate change risks on the company.
Regarding climate change risk management, the company adopted the "Task Force on Climate-related Financial Disclosures" (TCFD) initiative in 2021, becoming the first paper industry company in Taiwan to pass the TCFD audit and receive the highest rating certification, demonstrating its adaptability to climate risks. Recognizing the importance of nature-positive benefits and the impact of operations on biodiversity, the company signed on to support the "Taskforce on Nature-related Financial Disclosures" (TNFD) in 2023, becoming one of the 14 TNFD pioneer companies in Taiwan. The company will follow the TNFD framework to strengthen the disclosure of nature-related risks and responses across four key areas: governance, strategy, risk management, and metrics and targets.
*For complete details, please refer to the report sections: ch4.1 Climate Change Actions TCFD Report and ch4.6 TNFD Biodiversity.
Information Safety Control Risk
Information and Communications Management
To emphasize information security management, the company has established a dedicated information security unit and appointed a Chief Information Security Officer (CISO). Following the "Information and Communications Security Operations Standards and Management Guidelines," the company promotes various information security management initiatives, implements cross-departmental and site-wide firewall mechanisms, and monitors vulnerabilities in real time to prevent attacks and damage, ensuring operational safety.
To enhance information security capabilities, the company invests resources annually, procures information security hardware and software, and conducts related training to establish a robust defense framework. In 2024, the company completed the ISO 27001:2022 Information Security Management System (ISMS) transition certification. Specific management solutions were formulated for access control, data backup, system development, and outsourcing vendor management to safeguard information assets and ensure the availability, integrity, and continuity of information services, minimizing impacts on daily operations.
Key Focus Areas in Information Security for 2024
Strengthening Information Security Management
- CLC established the ISO 27001 Information Security Management System (ISMS) in 2023, achieving ISO 27001:2013 certification through the British Standards Institution (BSI) in August 2023 and completing the ISO 27001:2022 transition certification in June 2024. CLC continues to allocate resources, adhere to ISO 27001 standards, and drive innovation and management upgrades to enhance information security.
- Following the PDCA cycle, the company conducted a digital asset inventory and risk assessment, reviewed the effectiveness of its information security goals and related measures, and implemented improvements accordingly. The President chairs the ISO Implementation Committee quarterly to review information security performance.

Enhancing Information Security Capabilities
- Strengthen protection for network connections, data centers, firewalls, email, and servers; regularly review information security policies and procedures; convene information security project meetings for review and revision.
- Strengthen OT security with USB malware scanning tools; apply access control for critical infrastructure, recording personnel entry and exit to ensure physical equipment security.
Establishing Cybersecurity Joint Defense
- An information security monitoring center platform integrates key IT and OT endpoint security data, centralizes system log management, and applies AI for rapid risk detection, automated protection, and recovery. MDR (Managed Detection and Response) enables comprehensive 24/7 monitoring and analysis to prevent viruses and malicious attacks.
- Actively engage in external cybersecurity alliance activities and initiatives to monitor the latest cybersecurity trends.
Fostering a Corporate Information Security Culture
- An information security section is available on the internal EIP website, with a dedicated security knowledge area on the Information Security Insights Network for regular updates. In 2024, over 60 information security notices were published to ensure employees remain informed of current threats and protection measures. Online courses strengthen information and AI security training, covering email fraud prevention, personal data protection, and sensitive data handling, thereby enhancing employee awareness and reducing cyberattack risks.
- In 2024, two social engineering drills were conducted using AI-generated phishing emails simulating credit card fraud, department store coupons, and government notifications to test employee awareness. Following information security training and drills, open rates at Headquarters were 8% and 6% for the first and second exercises respectively, both below the standard threshold, indicating enhanced information security awareness.
- CLC partnered with the Ministry of Economic Affairs to launch the iPAS Supply Chain Training Program, providing training on smart manufacturing, industrial control system cybersecurity, and the IEC 62443 standard to strengthen supply chain cybersecurity and ensure security compliance with equipment suppliers. Group discussions and cross-department, cross-plant participation deepened collaboration between internal teams and supply chain partners, establishing a foundation for future cooperation.