Information and cyber security

Information Security

The Company has established the “information security policy” upon the approval of the CEO. It provides guidelines for the Group’s establishment of systems and procedures regarding information security and network security management, and the information and communication management of computer systems, software and hardware, so as to ensure the confidentiality, integrity and availability of the Company’s important information. Gamania’s network services are equipped with firewalls, network identity recognition, and threat monitoring and analysis mechanisms to block malicious network behavior; the Company periodically scans website systems for vulnerabilities and applies reinforcement and corrections, periodically simulates hacker attacks and conducts information security drills, and develops and implements backup operations and other information security protection measures according to the service content. In 2023, there were no incidents of violation of customer privacy at the Company, and no legal penalties related to user privacy were imposed on the Company.

Information security management

The “Information Security Committee of the Group” is the highest guiding organization for the Company’s information security. The Group CEO serves as the highest supervisor, and oversees the implementation of various information security management measures by committee members to demonstrate the full support for the information security management system. The organizational structure of the committee is as follows. The committee is composed of commissioners designated by various departments, including but not limited to the head and division-level executive members. In 2023, the headquarters of the Group further appointed an “Information Security Officer,” with the division-level management unit of the Information Service Division managing information security-related matters, and with a professional security technology team commissioned to assist in providing the necessary information security services. Two Information Security Committee meetings chaired by the Group’s CEO were held in the year to review the performance of the current security management system, assess operational risks and related response plans, and review the progress of the annual information security projects.

The “Information Security Committee of the Group” is responsible for a variety of information security management tasks, including formulating the corresponding information security policy, deploying information security protection, addressing vulnerabilities, capturing abnormal information, and responding to emergencies, based on the Group’s operational objectives and strategies as well as the regulatory and legal requirements of the government. The committee adheres to the PDCA (plan–do–check–act) management cycle and manages risks with consistency among what is said, what is written and what is done as the key to ensuring the continuity of services and operations. Under the framework of the cycle featuring risk assessment, policy amendment, protection deployment, risk monitoring, and security reinforcement, we constantly keep up with information security trends and conduct rolling reviews of the current management and protection practices in response to changes in information services, the macro environment, legal requirements, and other impacts over time, to ensure appropriate risk control for information system operations and network services.

Information security management strategy and specific management measures

Gamania’s information security strategy focuses on the aspects of personnel, systems and management. In compliance with national laws and regulations, the Company manages customers’ and members’ digital assets through risk analysis and control.

Early prevention

  • Regular review of information security-related management regulations
    Every year, the Company establishes and adjusts the information security policy and relevant management regulations or procedures in accordance with the current laws and regulations, industry trends, and the requirements of concerned parties. This includes a total of 13 regulations covering the aspects of data protection, operational security, information operation outsourcing, password management, and so on.
  • Security inspection of information operations
    Risk assessment is carried out according to the nature of a project. Before the system goes live, source code scanning/vulnerability scanning/penetration testing and other information security inspections are conducted based on the risk assessment results, and the system vulnerabilities are properly fixed.
  • Implement the mechanisms of security monitoring (SOC) and endpoint protection (EDR)
    A domestic third-party security technology consultant team is engaged to monitor and stay on top of security alerts and intelligence for better and faster detection and response.
  • Review of the effectiveness of cybersecurity measures
    The Information Security Committee of the Group convenes two regular meetings per year to review and adjust the information security strategy and mechanisms in a timely manner, as well as to review the effectiveness of regulatory implementation and follow up on internal audit findings.
  • Introduction of ISO 27001 and other international information security management standards
    The information security management system is strengthened by formulating various operational requirements and response plans, which enhances the overall information security control and response capabilities.
    – Subsidiaries of the Group have received international information security certifications (please refer to the List of Information Security Certifications).
    – GAMA PAY has obtained the “Mobile App Basic Security” certification for consecutive years since 2019, and has been certified by a third-party testing agency.
  • Social engineering drills and employee education and training on information security
    – The email social engineering drill was conducted once this year, and additional education and training were provided for the employees who were successfully deceived.
    – Annual training courses on information security are arranged as compulsory courses for all employees of the Group, in order to comprehensively increase their awareness of information security. The training completion rate was 100% in the year.

In-process implementation and review

  • Self-evaluation for business information operations
    An evaluation mechanism has been established for various information security management measures, and each operating subsidiary is required to perform self-evaluation for information operations on a quarterly basis.
  • Endpoint security management
    An endpoint protection mechanism is in place to effectively reduce the information security gaps caused by the improper use of endpoint equipment.
  • Backup mechanism available for critical systems, databases, and files
    A system recovery plan is prepared for the core service system every year, and disaster recovery drills are performed on a regular basis (at least once a year). Through written simulations and scenario simulations, we make sure that the drill results have reached the preset targets, and that timely response to emergencies can be made to ensure uninterrupted services.
  • Yearly internal audit on information security
    Each year, the headquarters of the Group draws up an information security management audit plan to be implemented. Operating subsidiaries are accordingly interviewed and sampled in terms of the implementation status of various information operations, and the audit results are reported to the Information Security Committee of the Group. The audit findings are listed for follow-up and correction, and serve as the basis for promoting the Group’s information security management.

Post-response and recovery

  • An information security response and reporting mechanism is established to ensure the rapid and thorough handling and recovery in the case of information security incidents.
  • In 2023, the Company did not encounter any major network attack or incident, and was not involved in any related case of legal dispute, supervision or investigation.

Information security risk management

Cybersecurity risk management is a continuous process of analyzing cybersecurity risks in operations, assessing risk impacts, and establishing appropriate protection mechanisms, monitoring measures, and responses to minimize losses and maximize profit for corporate operations. The framework of cybersecurity risk management aims to (1) provide appropriate management for the cybersecurity risks in operations, (2) encourage the management and operational teams to understand the impact of risk exposure, (3) realize better business resilience and legal compliance, and (4) provide strict decision-making and planning processes.
The following are explanations and countermeasures for the potential information security risks that the Company may encounter during operation, to ensure that the Company’s operational services and systems are deployed with necessary security measures.

Compliance with legislation and standards

In the face of the legal requirements arising from changes in the industry, Gamania makes timely responses and dynamically adjusts or establishes corresponding management systems to meet the legal compliance requirements. On October 12, 2023, the Ministry of Digital Affairs promulgated the “Regulations Regarding the Security Maintenance and Administration of Personal Information Files in Digital Economy Industry,” under which the security maintenance plan for personal data files shall be completed within three months from the enforcement date of the regulations, and personal data shall be processed after business termination. On January 12, 2024, the Company finalized the “personal data protection policy” and the “security maintenance plan for personal data files” to process and protect data in all aspects.
For compliance with industry information security standards, the Company has obtained the ISO 27001 and PCI DSS certifications and maintained their validity based on verification by third-party certification organizations.

Cyberattack

Hackers invading, destroying, or stealing from target systems or networks will directly impact corporate operations. Therefore, necessary protective measures are required during environment construction, including firewall segmentation, network segmentation, design and planning of secure channel access, adoption of encrypted communication protocols, intrusion detection and attack blocking mechanisms, etc. Meanwhile, we conduct relevant security inspections (e.g. information security checks, vulnerability scanning, penetration testing) on a regular or irregular basis for the websites through which our services are offered to external parties, and fix the vulnerabilities found. In addition, vulnerability warnings collected from information security intelligence are used to reinforce systems or address vulnerabilities, so that the possibility of being attacked through vulnerabilities is reduced.

Viral threats

The possible sources of computer viruses include previously visited websites, attachments or links containing malicious programs in emails, malicious links or executable files from social media websites, portable storage media, unauthenticated documents, files, software or applications. In light of such a wide range of sources and channels, we have established a multi-layered defense and detection system, and fully implemented an endpoint protection system to perform monitoring and protection with a central management approach, thereby reducing the risk of malware infection and attack.

Operational disruption

In order to ensure corporate business continuity, we have set up planning and management requirements for system operation security management plans and backup and recovery plans. There is also an information security incident handling procedure to ensure a timely response to unexpected emergencies or abnormal events. Maintenance and operation are based on the “information security policy” and the “Regulations of Information Security Management for Group Businesses.” We conduct an annual information operation continuity drill for the core services, so as to verify the continuity of services after system restoration and ensure the security of confidential information. With the drill also covering incident reporting and handling, relevant personnel become more familiar with the incident handling procedures through a complete drill, which helps strengthen the response capability for information security incidents, cushion the operational impact, and lower the risk of loss of services, assets, and finances.

Insufficient awareness of information security in employees

Employees have direct contact with the Company’s operating systems and data as required by their duties, and their accidental use of unknown software or malware infection could impact the information security of the Company’s internal systems. Hence, the Company devises compulsory online courses on information security to regularly educate all employees about relevant knowledge. Also, we collect information security-related information and reports on a daily basis, and irregularly share them with the employees through other channels for greater awareness of information security, so that the information security risks caused by careless operations can be reduced. Meanwhile, social engineering drills are carried out to verify employees’ awareness of information security, and to improve their knowledge of privacy, personal data laws, data protection practices, and cybersecurity behaviors. The employees in IT-related positions are encouraged to attend various seminars on the topics of information security, information operation management, etc. to keep track of the emerging industry trends as well as the information security trends and technologies, thereby improving their skills, and even enhancing their risk prediction capabilities for early prevention.

Information security reporting and handling procedures

Gamania has established the “Information Security Incident Handling Procedures,” which define the reporting and handling methods of information security incidents for each business unit within the Group. All employees within the Group are responsible for reporting information security incidents, if any. They should immediately notify the IT contact person of their respective units, who must clarify the details based on the level and category of the incident, complete the “Information Security Incident Reporting Record Form,” and instruct the IT unit and incident-related units to make subsequent handling of such information security incidents. The IT unit is required to eliminate and resolve the incident within the target handling time, and provide the analysis results and suggested corrective actions after the incident is handled to prevent the recurrence of the incident. Finally, the aforementioned information security incident handling reports will be compiled into the Monthly Information Security Report for review and retention by the Information Security Committee.

Supplier information security management

In 2023, Gamania established the “Regulations for Security Management of Outsourced Information Operations” to conduct information security audits for outsourced development projects. All the activities of development, installation, maintenance, processing, and management by a third party must be subject to corresponding information security inspection items, e.g. important data privacy requirements, according to the severity of the information security risks that might be involved, to make sure that each supplier is committed to adopting adequate technology and organizational measures for protecting the information processed by them. The information security inspection service provider is required to have a professional information security license to be qualified, and is able to provide inspection services such as source code inspection, vulnerability and penetration testing, etc. so that the outsourced development systems of all subsidiaries have standard security before being implemented or launched. In addition, in handling data exchange with the Company (including personal data), our legal team ensures that all supplier agreements should include appropriate statements and protection-related obligations.

Protection of network security

【 Consumer protection measures 】

The Group not only values the health and safety of consumers for the products or services provided, but also provides detailed instructions to consumers on the use of the products or services provided for online services, in order to maintain transaction fairness. Pre-drafted contractual terms are established for the network services provided for the sufficient and accurate information to customers, and other necessary consumer protection measures are implemented to maintain the quality and safety of products or services, and prevent services from damaging consumers’ physical or mental health, property or other rights and interests. We comply with laws and regulations on the labeling and fair trading of products or services, and provide complete consumption information for consumers to adopt correct and reasonable consumer behaviors to safeguard their safety and rights.

【 Crime prevention 】

Advancements in networking and information technologies have given rise to new social problems such as scams and theft of game accounts. Driven by the motivation to serve and protect customers, Gamania helps consumers who have fallen victim to scams, and would take the initiative to fight crimes and ill-intentioned players as long as there is sufficient evidence. Since 2022, in collaboration with the anti-scam website (165), we have created an online inquiry platform that enables law enforcers to submit queries online for greater efficiency. To ensure that law enforcers are kept up to date on the digital gaming terminology, Gamania assembled an independent “investigation team” and assigned employees to support law enforcers and investigators 24 hours a day by providing relevant information and answering queries.

GASH is a game point and virtual product of Gamania. Due to the booming development of video games in recent years, it has been in wide circulation in the market, but it has also been used by criminal groups as a tool for crimes.

In 2023, Gamania and Gash launched a series of risk control management measures from April, such as the “delayed serial number stored value access” and “card locking platform for point fraud prevention.” An “Anti-fraud Team” has been formed as well to work closely with the Ministry of Digital Affairs and the National Police Agency to combat fraud. Despite the impact on operational performance, Gamania has fulfilled its industrial self-discipline and social responsibilities. As of the end of the year, nearly 90% of the fraud cases had been significantly reduced and over NTD 1.5 million was saved from being lost; the fraud prevention result was remarkable.

【 Implementation of industry laws 】

Gamania assists the government in creating laws that enforce fairness and justice and improve competitiveness of the industry. With the employees responsible for legal affairs serving as members of the Cultural-Creative and Sport-Entertainment Law Committee, Taiwan Bar Association, Gamania has also long been recommending regulatory amendments through various associations, and is often invited to explain and share opinions at government agencies. Gamania also receives visits from lawyers, judges, and law school students each year, and shares with them the possible disputes in the fast-changing digital entertainment industry as well as opinions on industry regulations.

Responsibility for digital content

Most of the Gamania Group’s products and services feature digital entertainment and multimedia content. In order to provide players and consumers with a quality and innovative service experience, all digital content is launched in compliance with the regulatory requirements of the regions where we operate. In addition, while it becomes easier to speak up via the Internet in the democratic social environment, there is also a higher risk of being exposed to inappropriate content. As a platform operator, Gamania advocates that standards regarding responsible content should be formulated to convey the Company’s sustainable business philosophy in relation to the digital technology industry.

Ethics of advertising

In 2023, we officially started the formulation of the “Gamania Group’s advertising ethics policy” as the first domestic company in the industry to set advertising business regulations for advertisers. We also integrated the feedback from the Group’s pan-digital entertainment businesses to improve the applicability of such policy and set a demonstrative model for the industry. This policy not only keeps in line with the regulations, but also covers different control conditions for product categories such as adult content, controlled products, entertainment, and health. Meanwhile, violent, hateful, harassing or deceptive words to solicit or mislead consumers are prohibited; Gamania reserves the right to suspend the publication of any advertisements that are against this rule.

Responsible content

For the games and platforms released by the Company, it is emphasized on the registration page that users shall abide by the Company’s business regulations, management rules, and international Internet etiquette and regulations. User-generated content that is insulting, disinformation, defamatory, threatening or indecent (e.g. sexually explicit content) or that violates public order or good morals (e.g. discrimination, harassment, self-harm and hate speech) is strictly moderated and prohibited; the Company reserves the right to terminate any digital service to the violators in serious circumstances.

Child protection

To encourage children and youth to value the balanced development of body and mind, we suggest that all digital content generated by us be used by natural persons aged 12 years and above. Observing the “Protection of Children and Youths Welfare and Rights Act” and the “Game Software Rating Management Regulations,” we provide appropriate digital content and clear rating labels, take necessary measures to prevent children’s and youths’ exposure to inappropriate content, and clearly display corresponding warnings. Through the user terms and conditions of the released games and platforms, we remind users that we respect the privacy of children and youth, and that the legal guardian’s consent is required before we collect the private or sensitive personal information of a minor user or player. Parents and legal guardians of minor users or players are encouraged to contact our customer service upon the discovery of any abnormalities; the Company will take appropriate measures accordingly to protect the privacy of children and youth. In the future, should new regulations arise, the Company will comply accordingly, leading the Taiwanese gaming industry in emphasizing child protection.