Management Approach
Bora Pharmaceuticals is committed to enhancing the management of cybersecurity. The company has established an Information Security Policy and a Cybersecurity Risk Management Framework to serve as guiding principles for cybersecurity affairs. Additionally, Bora has implemented multiple cybersecurity systems and continuously optimizes its defense mechanisms. These measures include deploying next-generation firewalls, spam filtering systems, and data backup solutions to ensure the integrity and stability of its information assets.
Cybersecurity Management and Organizations
To ensure the implementation of cybersecurity, Bora Pharmaceuticals established the Information Security Policy in 2021. The relevant policies are regularly reviewed and updated in response to changes in cybersecurity risks to ensure continuous improvement and effectiveness. Additionally, the company actively participates in collaborative cybersecurity defense organizations, such as the Science Park Information Sharing and Analysis Center, the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), and the Chief Information Security Officer (CISO) Association, to strengthen its collaborative cybersecurity capabilities.
Since January 31, 2023, Mr. Chia-Chu Chen, Vice President, has served as the Chief Information Security Officer (CISO), regularly reporting to the General Manager to enhance the overall cybersecurity management level of the Bora group. Daily cybersecurity operations are managed by the Global Cybersecurity Manager Mr. Lin-Chieh Ku, who leads the group’s cybersecurity department in executing various cybersecurity tasks. On November 13, 2024, the CISO presented a regular report on the status of cybersecurity to the Board of Directors.
Cybersecurity Management Measures
Bora Pharmaceuticals actively promotes dedicated management mechanisms in the areas of cybersecurity, technology applications, and information optimization. These efforts include establishing a cybersecurity department, optimizing system infrastructure, enhancing data utilization, and conducting regular training and drills. These initiatives comprehensively strengthen cybersecurity defenses and operational stability, reflecting the company’s commitment to sustainable development.
Risk Category | Risk Impact | Response Measures |
---|---|---|
Cybersecurity | | |
Technology Application | | |
Information Optimization | | |
Cybersecurity Implementation Status
A. Cybersecurity Education and Implementation Report
To enhance the security awareness of all employees, Bora Pharmaceuticals continued to implement various cybersecurity measures and training activities throughout 2024. A total of 22,000 participants completed various security awareness training sessions, amounting to 3,854 hours. Additionally, the Group Cybersecurity Department produced bilingual (Chinese and English) information security training videos, which have been integrated into the onboarding process for new employees, ensuring that every employee possesses basic security awareness from the start of their employment.
B. Key Progress in Cybersecurity Implementation
- Endpoint Protection Upgrade: Upgraded endpoint protection systems at nine sites across Taiwan, enhancing detection and defense capabilities against malware and malicious attacks. This effectively reduced the risk of cyberattacks and data breaches.
- Email Protection: Upgraded the internal and external email protection systems across the entire group to address phishing and various email threats. This upgrade successfully blocked a large volume of malicious emails, significantly improving email security.
- Multi-Factor Authentication (MFA): Fully implemented the multi-factor authentication mechanism, strengthening the reliability of employee identity verification and effectively preventing hackers from accessing company systems through stolen credentials.
- Acceptable Use Policy: The Group Cybersecurity Department created and issued the “Acceptable Use Policy” at the beginning of 2024 and introduced the “AI Acceptable Use Policy” by year-end to address potential risks associated with emerging technologies.
C. Security Awareness Education and Training
In addition to regular internal training, several specialized training sessions were held this year:
- New Employee Training: Integrated basic information security courses in both Chinese and English into the onboarding program for new employees.
- Social Engineering Prevention Courses: Conducted educational sessions for all employees to enhance their ability to recognize phishing attacks and other social engineering tactics.
- Advanced Professional Training: Provided in-depth cybersecurity technical training for IT department personnel to ensure key technical staff are equipped to handle the latest security threats.