Information and cyber security

The Company has established the “Information Security Policy” approved by the CEO, which provides guidelines for system and network security management across the Group. The policy ensures the protection of critical assets and continual improvement of the cybersecurity framework.

Key elements include: conducting regular evaluations of the information security management system; establishing mechanisms to ensure confidentiality, integrity, and availability of information and prevent unauthorized access; receiving internal and external threat intelligence and performing risk assessments and penetration testing; requiring all employees to comply with the policy and promptly report incidents; and requiring third-party partners to undergo security assessments and include information protection obligations in contracts. The Company also implemented firewalls, threat monitoring and analysis, vulnerability scanning, hacker simulations, drills, and backup operations. In 2024, no violations of customer privacy or legal penalties occurred.

Information security management

The “Information Security Committee of the Group” is the highest governing body for the Company’s information security. The Group CEO serves as its chief supervisor and oversees the committee members’ implementation of the various information security management measures, demonstrating full support for the information security management system. The organizational structure of the committee is as follows. The committee is composed of representatives designated by the various departments, including but not limited to the head and division-level executives. In 2023, the headquarters of the Group further appointed an “Information Security Officer,” with the division-level management unit of the Information Service Division managing information security-related matters and a professional security technology team commissioned to assist in providing the necessary information security services.

Two Information Security Committee meetings chaired by the Group’s CEO were held in the year to review the performance of the current security management system, assess operational risks and related response plans, and review the progress of the annual information security projects.

The “Information Security Committee of the Group” is responsible for a variety of information security management tasks, including formulating the corresponding information security policy, deploying information security protection, addressing vulnerabilities, detecting anomalies, and responding to emergencies, based on the Group’s operational objectives and strategies as well as government regulatory and legal requirements. The committee adheres to the PDCA (plan–do–check–act) management cycle and manages risk on the principle that what is said, what is written, and what is done must be consistent, which is key to ensuring the continuity of services and operations. Under this cycle of risk assessment, policy amendment, protection deployment, risk monitoring, and security reinforcement, we keep up with information security trends and conduct rolling reviews of current management and protection practices in response to changes in information services, the macro environment, the regulatory environment, and other impacts arising over time, to ensure appropriate risk control for information system operations and network services.

Information security management strategy and specific management measures

Gamania’s information security strategy focuses on the aspects of personnel, systems and management. In compliance with national laws and regulations, the Company manages customers’ and members’ digital assets through risk analysis and control.

Early prevention

  • Regular review of information security-related management regulations
    Every year, the Company establishes and adjusts the information security policy and relevant management regulations or procedures in accordance with the current laws and regulations, industry trends, and the requirements of concerned parties. This includes a total of 13 regulations covering the aspects of data protection, operational security, information operation outsourcing, password management, and so on.
  • Security inspection of information operations
    Risk assessment is carried out according to the nature of a project. Before the system goes live, source code scanning/vulnerability scanning/penetration testing and other information security inspections are conducted based on the risk assessment results, and the system vulnerabilities are properly fixed.
  • Implement the mechanisms of security monitoring (SOC) and endpoint protection (EDR)
    A domestic third-party security technology consultant team is engaged to monitor and stay on top of security alerts and threat intelligence, enabling better and faster detection and response.
  • Review of the effectiveness of cybersecurity measures
    The Information Security Committee of the Group convenes two regular meetings per year to review and adjust the information security strategy and mechanisms in a timely manner, as well as to review the effectiveness of regulatory implementation and follow up on internal audit findings.
  • Introduction of ISO 27001 and other international information security management standards
    – The information security management system is strengthened by formulating various operational requirements and response plans, which enhances the overall information security control and response capabilities. Subsidiaries of the Group have received international information security certifications (Please refer to List of Information Security Certifications).
    – GAMA PAY has obtained the “Mobile App Basic Security” certification for consecutive years since 2019, and has been certified by a third-party testing agency.
  • Cultivating employees’ information security awareness
    – Annual email social engineering drill: hacker attacks are simulated by creating highly realistic attack emails and sending decoy messages to employees, to gauge the true state of employees’ information security awareness and basic defensive capability against social engineering, phishing, and similar tactics. Employees who are successfully deceived receive targeted education to sharpen their instinctive response to threats, adjust their information security behavior, and build the habit of stopping, looking, and listening before acting.

    – Information security risk-driven education and training allows proactive defenses to precede attacks. Internal information security training is also organized to raise awareness among information and communication management personnel and general staff, to help them understand the importance of information security and the various possible security risks, and to improve information security awareness among employees and thereby change their behavior. In 2024, this training was designated a compulsory course for all employees of the Group in order to comprehensively raise their awareness of information security, achieving a 100% completion rate.

    – Information security e-newsletters are distributed from time to time to supplement the information security awareness campaign, in order to strengthen employees’ awareness of information security and cultivate the habit of security self-inspection.

In-process implementation and review

  • Self-evaluation for business information operations
    An evaluation mechanism has been established for various information security management measures, and each operating subsidiary is required to perform self-evaluation for information operations on a quarterly basis.
  • Endpoint security management
    An endpoint protection mechanism is in place to effectively reduce the information security gaps caused by the improper use of endpoint equipment.
  • Backup mechanism for important systems, databases, and files
    The Group has established a comprehensive business continuity and disaster recovery plan covering backup mechanisms for critical systems, databases, and files. Disaster recovery drills are conducted regularly (at least once a year) and include both written simulations and actual scenario testing. These drills verify that IT infrastructure access rights and functionalities can be restored effectively, and that access and system functions are restored immediately during anomalies, so that operations quickly return to normal or acceptable levels and core service systems continue to operate without business interruption.
  • Annual Internal Information Security Audit
    Each year, the headquarters of the Group draws up an information security management audit plan to be implemented. Operating subsidiaries are accordingly interviewed and sampled in terms of the implementation status of various information operations, and the audit results are reported to the Information Security Committee of the Group.

Post-response and recovery

  • An information security response and reporting mechanism is established to ensure the rapid and thorough handling and recovery in the case of information security incidents.
  • In 2024, the Company did not encounter any major network attack or incident, and was not involved in any related case of legal dispute, supervision or investigation.

Information security risk management

In 2024, Gamania reviewed and adjusted its “Group Operational Business Information Security Management Guidelines” to continuously enhance the completeness of its information security management. We strengthen the overall security of information systems across networks, operating systems, databases, and applications, to ensure stable operation of information systems and protect the security of information equipment and data documents, while preventing intrusion and damage from various threats, thereby reducing operational risks. For any factors that may pose a threat to operational information, the Company collects security indicator data and requires relevant information systems and services to undergo regular or irregular necessary security checks to enhance defense effectiveness.

Information security risk management is a continuous cyclical mechanism. Through our management processes, we analyze cybersecurity risks in operations and assess risk impacts and establish appropriate protection mechanisms, monitor measures, and responses to minimize losses and maximize profit for corporate operations.

Compliance with legislation and standards

On October 12, 2023, the Ministry of Digital Affairs promulgated the “Regulations Regarding the Security Maintenance and Administration of Personal Information Files in Digital Economy Industry,” under which the security maintenance plan for personal data files must be completed within three months of the regulations’ enforcement date, and personal data must be processed after business termination.

Cyberattack

When an enterprise’s IT personnel create insecure rule settings or fail to follow established information operation procedures, it creates vulnerabilities, which can then be exploited by malicious individuals using technical means to intrude, damage, or steal from target systems or networks, thus directly impacting the enterprise’s operations.

Viral threats

Viruses can be carried through various vectors, including previously visited websites, attachments or links containing malicious programs in emails, malicious links or executable files from social media websites, portable storage media, unauthenticated documents, files, software or applications.

Operational disruption

The inability of cybersecurity systems to operate continuously would halt external business services, thus impacting brand image, revenue, and the trust and rights of customers and shareholders.

Insufficient awareness of information security in employees

Employees, due to their job responsibilities, directly interact with the Company’s operational systems and data. Operations not in line with security control requirements, unsafe usage habits or handling methods, or even the accidental loss of Company-assigned IT equipment without the proper necessary measures, could lead to the use of unknown software on the device or malware infection. This could result in the leakage of sensitive operational data, compromising internal system security and trade secrets and leading to data breaches and information security incidents.

Emerging Information Security Threats

The widespread adoption of cloud services and GAI tools has improved operational efficiency and accelerated technical learning but has also led to an increase in cybersecurity risks.

Information security reporting and handling procedures

In 2024, the Company amended its “Information Security Incident Handling Procedures” and redefined the information security incident classification and grading standards (including escalation and de-escalation) as well as the reporting and handling levels in the “Information Security Incident Notification and Response Operations”. To explain the changes from the previous procedures, a briefing session was held for the task force members of the cybersecurity organization, who were required to disseminate the relevant information on the changes horizontally across units. Concurrently, the “24-hour information security incident reporting hotline and email” information will be posted on the Company’s internal digital display.

All the Group’s employees are responsible for reporting incidents and must immediately notify the IT contact point of their respective unit. The contact point conducts a preliminary assessment based on the type and severity of the incident and completes the “Information Security Incident Reporting Record Form”. Subsequently, the IT Department, in collaboration with the relevant units, follows up on the information security incident. The IT unit must resolve and remediate incidents within the predefined timeframe. After resolution, it must provide an incident analysis report and improvement suggestions to prevent similar events from recurring. All information security incident handling results and reports are periodically compiled into the Monthly Information Security Report for review and retention by the Information Security Committee.

Supplier information security management

Gamania has established the “Information Operations Outsourcing Security Management Regulations,” which outline the information security review requirements for outsourced development projects. All development, installation, maintenance, processing, and management activities performed by a third party are subject to corresponding information security inspection items (e.g. requirements for the privacy of important data), scaled to the severity of the information security risks involved, to make sure that each supplier is committed to adopting adequate technical and organizational measures to protect the information it processes. The information security inspection service provider must hold a professional information security license to be qualified, and must be able to provide inspection services such as source code inspection, vulnerability scanning, and penetration testing, so that the outsourced development systems of all subsidiaries meet a standard level of security before being implemented or launched. The “Group Operational Business Information Security Management Guidelines” also specify security testing requirements for systems or services before they go live.

Protection of network security

【 Consumer protection measures 】

The Group not only values the health and safety of consumers using the products or services it provides, but also gives consumers detailed instructions on the use of its online services in order to maintain transaction fairness. Pre-drafted contractual terms are established for the network services provided so that customers receive sufficient and accurate information, and other necessary consumer protection measures are implemented to maintain the quality and safety of products or services and to prevent services from harming consumers’ physical or mental health, property, or other rights and interests. We comply with laws and regulations on the labeling and fair trading of products or services, and provide complete consumer information so that consumers can make correct and reasonable decisions that safeguard their safety and rights.

【 Crime prevention 】

With the rapid growth of online information, fraud and game account theft have become prevalent as new societal challenges. Gamania is committed to prioritizing customer service and players’ rights, and actively engages in digital crime prevention to stand with consumers. For all relevant complaints received, provided that there is sufficient supporting evidence, Gamania’s team proactively cooperates to help consumers cope with criminal behavior and to prevent unlawful opportunists from endangering the platform’s security.

Since 2022, Gamania has partnered with the Anti-fraud Hotline 165 by establishing an online inquiry mechanism that allows police to submit case inquiry requests in real-time, significantly boosting investigation efficiency. Additionally, recognizing the high technicality and difficulty in identifying digital game terminology, the Group has formed an independently operating “Joint Defense Team.” This team dispatches dedicated personnel for 24-hour shift support, to provide real-time information and answer questions for police and investigative agencies, thus ensuring uninterrupted anti-fraud operations.

【 Implementation of industry laws 】

To enhance our industry competitiveness, Gamania actively assists the government in formulating regulations that are fair, just, and in line with industry development needs. With the employees responsible for legal affairs serving as members of the Cultural-Creative and Sport-Entertainment Law Committee of the Taiwan Bar Association, Gamania consistently provides legislative amendment suggestions to the government through various associations and attends relevant institutions in person to present opinions and share insights. Additionally, Gamania receives visits from lawyers, judicial officer groups, and law school students, and shares with them the common dispute scenarios in the fast-changing digital entertainment industry, fostering a deeper understanding of and exchange regarding the industry’s legal frameworks.

Responsibility for digital content

Most of the Gamania Group’s products and services feature digital entertainment and multimedia content. In order to provide players and consumers with a quality and innovative service experience, all digital content is launched in compliance with the regulatory requirements of the regions where we operate. In addition, while it becomes easier to speak up via the Internet in the democratic social environment, there is also a higher risk of being exposed to inappropriate content. As a platform operator, Gamania advocates that standards regarding responsible content should be formulated to convey the Company’s sustainable business philosophy in relation to the digital technology industry.

Ethics of advertising

In 2023, we officially started the formulation of the “Gamania Group’s advertising ethics policy” as the first domestic company in the industry to set advertising business regulations for advertisers. We also integrated the feedback from the Group’s pan-digital entertainment businesses to improve the applicability of such policy and set a demonstrative model for the industry. This policy not only keeps in line with the regulations, but also covers different control conditions for product categories such as adult content, controlled products, entertainment, and health. Meanwhile, violent, hateful, harassing or deceptive words to solicit or mislead consumers are prohibited; Gamania reserves the right to suspend the publication of any advertisements that are against this rule.

In 2024, Gamania’s e-commerce business entity, Gamania Shopping, fully adhered to this policy and further implemented actions related to digital privacy protection, warnings for identified high-risk content, and requirements for legitimate rights to use advertising material, to ensure the integrity and honesty of all advertising content.

Responsible content

For the games and platforms released by the Company, the registration page emphasizes that users shall abide by the Company’s business regulations, management rules, and international Internet etiquette and regulations. Generated content that is insulting, disinformation, defamatory, threatening or indecent (e.g. sexually explicit content) or that violates public order or good morals (e.g. discrimination, harassment, self-harm and hate speech) is strictly moderated and prohibited; the Company reserves the right to terminate any digital service to violators in serious circumstances.

Child protection

The Company ensures that all digital content is designed to promote the balanced physical and mental development of children and adolescents, and encourages use only by individuals aged 12 and above. In accordance with the “Protection of Children and Youths Welfare and Rights Act” and “Game Software Rating Management Regulations”, we have established clear protection policies, including age-appropriate content, rating labels, and warning messages to prevent underage exposure to unsuitable material.
To safeguard privacy, our games and platforms explicitly state in the user terms that the collection of personal or sensitive information from minors requires the consent of a legal guardian. Parents or guardians are further supported with online parental control mechanisms, such as consumption reminders and abnormal login alerts, which enable them to monitor usage. If any irregularities are identified, parents or guardians can contact customer service, and the Company will take appropriate measures to protect the safety and privacy of children and adolescents.
In the future, should new regulations arise, the Company will actively support and promote their implementation, continuing to lead the Taiwanese gaming industry in emphasizing child protection.