Effective corporate governance is the cornerstone for sustainable development of enterprises. We see Ethical Corporate Management as the supreme principle, implement sound risk management, comprehensive information security management, and actual compliance with laws and regulations. As a means to achieve the goal of sustainable co-prosperity, we took a proactive approach to understand and respond to the needs of various stakeholders through a variety of information disclosure channels on top of rigorously safeguarding shareholders'rights and interests.
Management Governance
ECOVE sees ethical corporate management as the fundamental spirit of corporate governance and embarks on a quest to satisfy the expectations of investors and various stakeholders while working on the stable growth of the organization. We have established multiple channels to provide relevant information, such as holding regular investor conferences and annual shareholders' meetings, as well as setting up a special zone for
investor relations, a special zone for corporate sustainability, and a special zone for stakeholders, etc., in order to continue to strengthen the disclosure of information, to respect the rights and interests of all stakeholders, and to achieve effective communication.
Governance Structure
The Board of Directors of ECOVE is the Company's highest decision-making body, responsible for overseeing the Company's operations and formulating major strategies. To ensure sound corporate governance, we have established an Audit Committee https://air.writepath.co/dispatchjob/list/mine and a Remuneration Committee under the Board of Directors, which are responsible for overseeing the Company's finances and compensation system, respectively. Additionally, an internal audit organization has been set up to manage the planning and execution of audit operations. The unit not only reports on audit activities to the independent directors on a regular basis but also attends meetings of the Audit Committee and the Board of Directors to provide reports.
Transparent and Efficient Operations
The operation of our Board of Directors follows the "Rules Governing Procedure for Board of Directors' Meetings" and "Guidelines for Board of Directors Meeting Operations Management." The Board holds meetings at least once per quarter, adheres to conflict of interest regulations, and any director with personal interests involved in a board resolution automatically recuses themselves and does not act as a proxy for other directors in voting. The average attendance rate of all directors on the Board of Directors in 2024 was 100%, which is above and in compliance with the 85% corporate governance rating metric. The Chairman of ECOVE has the primary responsibility of overseeing the executive management to ensure that the Company's operations and business execution align with the corporate philosophy. The President's primary responsibility is to lead the management team and ensure the overall operations are carried out in accordance with the directives of the Board of Directors. The Chairman does not concurrently hold the position of President to avoid conflicts between their respective responsibilities.
BOARD DIVERSITY AND INDEPENDENCE
To ensure the independence of the Board of Directors, we have implemented a strict candidate nomination system, whereby the shareholders' meeting elects from the list of director candidates. Directors may be re-elected consecutively. As of the end of 2024, the average tenure of our Board of Directors is 7.1 years.
In addition, the Company amended its Articles of Incorporation in May 2025, stipulating that the Company shall have five to nine directors, each serving a term of three years, with the possibility of re-election. Among these, the number of independent directors shall not be less than three and shall not be less than one-fifth of the total number of directors.
In addition, we are committed to promoting a diverse structure for the Board of Directors. The Company's Corporate Governance Principles explicitly state that the composition of the Board of Directors should take into account diversity, including but not limited to basic qualifications such as gender, age, nationality, and culture, as well as professional knowledge and skills. Furthermore, specific management objectives for the Board's diversity policy shall be formulated based on the Company's operations, business model, and development needs. These objectives include that the number of directors who concurrently serve as executives of the Company shall not exceed one-third of the total Board seats, there should be at least one female director, and at least two independent directors whose consecutive terms do not exceed three terms.
The current Board of Directors consists of 9 members, of which 1 member is an employee (approximately 11% of the total board), and also includes 1 female director (approximately 11%) and 3 independent directors (approximately 33%), in accordance with the diversity policy. The Board is responsible for formulating the Company's business policies and important strategies. All members of the Board possess the professional knowledge, experience, and qualifications necessary to perform their duties, including expertise in engineering and environmental protection, industrial safety, water resources, finance, and sustainable environmental practices. They are well-versed in international perspectives, decision-making leadership, and crisis management capabilities to respond to changes in economic, environmental, and social aspects. Information regarding the Board members' positions on other Boards has been disclosed in the Company's 2024 Annual Report.
DIRECTORS' FURTHER TRAINING AND PERFORMANCE EVALUATION
In order to implement corporate governance and enhance the functions of the Board of Directors, establish performance objectives and strengthen the operational efficiency of the Board of Directors, the Company has established the "Regulations Governing the Board Performance Evaluation,
which stipulates that the Board of Directors of the Company shall conduct an internal performanceevaluation annually, and shall be evaluated by an external professional independent organization or a team of external experts and scholars at least once every three years, and that the scope of the evaluation shall include the entire Board of Directors, individual members of the Board of Directors, and functional committees. The evaluation methods include internal self-assessments by the members of the Board of Directors and functional committees (Remuneration Committee and Audit Committee), and performance evaluations conducted by external professional organizations and experts or other appropriate methods. The results of the internal and external performance evaluations of the Board of Directors shall be completed before the end of the first quarter of the following year. In order to enhance the quality of decision-making, ensure that the decisions of the Board of Directors are closely aligned with the goals of sustainable corporate development, strengthen governance effectiveness, and respond to stakeholder expectations, the performance evaluation indicators for the Board of Directors have been updated in December 2023 to include an evaluation item of "participation in sustainable
management (ESG)." The individual performance evaluation of directors will serve as a reference for determining their compensation.
The Company appointed Taiwan Corporate Governance Association, an external professional and independent organization, to conduct a performance evaluation of the Board of Directors at the end of 2024. The evaluation results and proposed follow-up measures have been presented at the 13th Board meeting of the 9th term on May 5, 2025. The next performance evaluation will take place at the end of 2027. The results of the Board's performance evaluation, as well as subsequent reviews andimprovements, will be reported to the Board and disclosed in the annual report and on the Company's website.
All members of the Board of Directors of the Company have completed relevant training in accordance with the "Guidelines for Continuing Education for Directors and Supervisors of Exchange-listed and OTC-listed companies." The training sessions are coordinated by the Group's Secretariat of the Board of Directors in accordance with the needs of the directors' professional functions or external trends. The training content covers corporate governance, business ethics and compliance, risk management,
corporate sustainability, information security, etc., aiming to enhance the Board's understanding of emerging issues and the effectiveness of corporate governance. In 2024, the average training hours for the Company's directors reached 6.3 hours, with all directors meeting the requirement of a minimum of 6 hours of training under the "Guidelines for Continuing Education for Directors and Supervisors of Exchange-listed and OTC-listed companies." Related information is disclosed on the Market Observation Post System.
Remuneration Structure for Directors and Managers
Business Ethics and Legal Compliance
Business Ethics
ECOVE adheres to the spirit of integrity in its operations and ensures that daily operations comply with corporate ethics and morals. We have established basic standards of conduct that must be followed by the directors, managers, and general employees, including "Corporate Governance Principles," "Ethical Corporate Management Principles," and "Code of Ethical Conduct," among other regulatory standards. Additionally, we have set forth work rules for all ECOVE employees to follow in their daily business activities. The Company's Group Shared Services is responsible for the development and subsequent implementation of the Corporate Integrity Management Plan, and the General Manager, the highest decision-making authority of the Group Shared Services, determines and supervises the implementation of the Corporate Integrity Management Plan. The Company reports the results of the "Policy for Promoting Corporate Integrity" to the Board of Directors once a year.
With the intention of maintaining fair trade and preventing corruption and bribery, and in compliance of the Enforcement Rules of Code of Ethical Conduct and the no-gift policy, ECOVE strictly requires employees and related parties to conduct transactions without preferential treatment, and not to request, obtain, offer, accept favors such as gifts, entertainment, kickbacks, or bribes for themselves or people around them when performing their duties. Through the internal control system, relevant risks can be confirmed and mitigated for all operating sites. Within the "Code of Ethical Conduct," it is specified that employees of the Company must not, in any way, engage in political contribution, support specific political parties or candidates, or participate in other political activities that may influence other employees.
In order to ensure that all ECOVE employees are familiar with the various management standards, since 2020, all employees, regardless of their positions, including newly hired staff, are required to sign the "Employee Ethics Commitment Letter." In 2024, the signing rate reached 100%. During the orientation and training for new employees, the importance of ethics and integrity is emphasized, along with an introduction to ECOVE's "Code of Conduct," "No Gift Policy," "Whistleblowing Website," and other legal compliance regulations and reporting mechanisms. Since 2017, a "Code of Conduct for Procurement Personnel" has been established, requiring all procurement staff to sign it upon employment. The code explicitly prohibits the solicitation of improper benefits and provides guidelines and reporting procedures regarding the giving and receiving of gifts so as to prevent conflicts of interest or the compromise of the impartiality of procurement decisions. As of 2024, the signing rate is 100%. Since 2018, ECOVE also requires all employees of affiliated companies to sign the "Confidentiality, Non-Competition, and Intellectual Property Commitment Letter." In 2024, there were no incidents of corruption or bribery, and our commitment to ethical management in business operations has received recognition and approval from our partners.
To continuously strengthen the commitment to ethical management, the Company has incorporated "ethics" as part of the annual performance evaluation criteria for all employees, accounting for 5% of the performance evaluation metrics. This aims to deepen the connection between ethics and positive employee behaviors. Additionally, each year, the Company organizes both internal and external activities and training sessions related to ethical management for all employees. In 2024, two online ethical corporate management courses were conducted for all employees, with a total of 1,846 participants in both sessions. The number of employees who completed the courses was 1,840, representing 99.6% of all employees; the 0.4% of employees who did not complete the training was due to their resignations during the training period. In addition, the education and training program for new recruits also includes courses related to ethics and integrity, such as Code of Conduct, Code of Ethical Conduct, and Business Secrets, and the participation rate is 100%. The total number of training hours for the above related courses is 2,767. All Board Directors also underwent courses related to ethical corporate management issues, and advocacy was further conducted on the issues of legal compliance, avoidance of interest, improper political contributions and donations, with a completion rate of 100%, thereby strengthening the concept of ethical management at the governance level.
Through practical actions, we strengthen the ethical business management with vendors, during interactions with vendors, such as requesting for quotations, tender meetings, going through ordering procedures, etc. we will express CTCI's and ECOVE's resoluteness in ethics by means of words, written and verbal. Prior to a tender meeting, we will execute Integrity Moment actions, announcing and explaining the contents of the Supplier Code of Conduct to vendors, simultaneously informing the prohibition of private interests, and providing information to the whistleblowing mailbox. Additionally, the implied covenant of good faith and fair dealing is also added to purchase orders to vendors and engineering commission contracts.
Legal Compliance
The Company's business scope covers four major areas: resource management, recycling, renewable energy, and electrical and mechanical maintenance and refurbishment. We regularly review the latest legal changes and updates both domestically and internationally and are committed to establishing a culture of compliance. In 2024, ECOVE did not face any legal actions related to anti-competitive behavior, antitrust and monopoly practices, non-compliance with product and service information and labeling regulations, or violations of marketing and promotion (regulatory or voluntary guidelines). ECOVE and its subsidiaries had no significant regulatory violations in 2024.
Whistleblower and Consultation Mechanism
In response to reporting-related operations, ECOVE has established the "Whistleblowing Operation Management Measures." These measures are not only available on the Company's internal employee education platform, but are also published on the official website for both internal and external personnel to download and reference. During the onboarding training for new employees, the reporting channels and the relevant rights of whistleblowers are included in the training materials to ensure that all employees understand the operation of the reporting mechanism and their rights.
In response to reporting-related operations, ECOVE has established the "Whistleblowing Operation Management Measures." These measures are not only available on the Company's internal employee The Human Resources Department is responsible for handling whistleblowing cases and providing initial review recommendations. The cases are then forwarded to the Group Shared Services (GSS) for further investigation, ensuring a transparent whistleblowing channel and fair investigation process. Internal and external personnel who discover any violations of laws, regulations of the Company, or other improper conduct that may affect the interests of the Company may freely choose to report such incidents either by providing their names or anonymously. Internal whistleblowers wishing to file a report may do so through the Employee Feedback Platform's employee mailbox (HR@ecove.com) or by utilizing the reporting website established by the third-party impartial organization, KPMG Taiwan, to protect the rights of the whistleblower and ensure that the reported cases are properly investigated and addressed.
Furthermore, we are committed to maintaining the confidentiality of the whistleblower's information. All participants in the investigation and interviewees required for the case must sign a confidentiality agreement, pledging to uphold the confidentiality of the investigation process and any case-related information they may encounter. Additionally, we will protect the whistleblower from being dismissed, removed from their position, demoted, or subjected to any detrimental treatment that may harm their legal rights, contractual entitlements, or customary benefits as a result of their whistleblowing.
If employees have concerns or inquiries regarding the various codes of conduct or ethical business practices, they can consult with their supervisors or contact the internal complaint mailbox (HR@ecove.com). Two complaints were received in 2024 and only one was substantiated and closed after investigation. ECOVE will continue to follow the brand positioning of "Most Reliable" and continue to implement the Ethical Corporate Code of Integrity, reaffirming and reinforcing employees' beliefs in integrity - honesty, commitment, and sincerity, including: organizing training courses to deepen trust in the corporate culture; organizing online ethical and integrity training courses for all employees and signing of declarations, etc., as well as ensuring a smooth channel for employees to report operations, and increasing the resolve of colleagues to expose malpractices.
Regarding the incident in 2023 at the Gangshan Incineration Plant, where an employee was suspected of taking away contraband cigarettes that were supposed to be destroyed during the operation of a crane and selling them privately, the Company has cooperated with judicial authorities to conduct an investigation and understand the situation, and has implemented relevant disciplinary actions. To strengthen management mechanisms and operational transparency, the Company has reviewed and amended relevant operational processes. The supervision of the destruction of contraband items is now jointly conducted by the unit that applies for the destruction operation, the Environmental Protection Bureau, and the Company, ensuring that contraband items are directly placed into the incinerator for destruction by cranes. Meanwhile, dedicated personnel are assigned to monitor the processing procedures in real-time through video surveillance at the storage pit site and the central control room, in order to enhance operational safety and management efficiency. The Company will continue to enhance internal controls and management measures to ensure that all operations comply with regulations and to respond robustly to external concerns.
Risk Management
In order to strengthen the operational quality and competitiveness of the Company and its subsidiaries, the Company systematically identifies and evaluates the risks it may face in the course of its operations and formulates appropriate risk management strategies to reduce the likelihood of the occurrence of risks and their negative impacts, as well as implements an all-employee risk culture, promotes the Company's core values to its employees, sets behavioral indicators, and strengthens the organization's behavioral and internalized awareness of risks.
Risk Management Framework
ECOVE focuses on the risks faced in the course of operation to integrate the corporate risk management framework and build a perfect risk management organization and system. In 2017, ECOVE issued the "Risk Management Guidelines" and set up the "Risk Management Executive Committee" to formulate the "Risk Management Policies," which serves as the supreme guiding principle of the Company's risk management, and clearly regulates the policy, purpose, scope, and organizational structure of risk, unit's authority and responsibility, risk management mechanism and execution process, and incorporate the risk management system to implement risk management.
The Board of Directors of ECOVE is the highest governing body responsible for risk management of the Company, delegating the Audit Committee to oversee the effectiveness of the Company's general risk control. The Audit Committee is composed of three independent directors. The Risk Management Executive Committee reports on the implementation of risk management to the Audit Committee and the Board of Directors at least once a year. The most recent report was presented to ECOVE's 10th meeting of the 4th Audit Committee and 11th meeting of the 9th Board of Directors on December 12, 2024, detailing the "Operation of the Risk Management Executive Committee in 2024."
The Company has established the "Risk Management Executive Committee." The Chairman/President serves as the Commissioner, and the heads of each department and the Presidents of subsidiaries serve as committee members. The committee meets quarterly and is responsible for approving risk management policies and guidelines, reviewing management reports, strategies, and improvement plans of each unit, ensuring the effectiveness of risk management measures, etc., and continually reviewing the effectiveness of the control measures through
audits to help the Board of Directors and managers to ensure that the risks are effectively controlled. The risk control representative isappointed by the Commissioner of the Risk Management Executive Committee. The representative is responsible for overseeing the convention of the Risk Management Executive Committee meetings, as well as organizing and tracking relevant data and files, ensuring the continuous effectiveness of the risk management mechanisms. The Risk Management Executive Committee for 2024 has convened four meetings to monitor the status of existing risk improvements and the results of the major risk item inventory.
ECOVE categorizes risks into three main types: climate and natural risks, operational risks, and project risks. To mitigate the operational impacts caused by internal and external uncertainties, a comprehensive risk management process is implemented. This process includes systematic risk identification, risk analysis, risk assessment, and response measures to address and manage risks that may pose threats (or opportunities) to the Company. The aim is to avoid or reduce the impact on operations. All employees are also responsible for identifying and reporting risks. If any significant risk events that may affect the Company's operations are discovered, they should be reported immediately to their respective supervisors.
Each member of the Risk Management Executive Committee shall bear full responsibility for risk management, which includes risk identification, assessment, reporting, and the execution, supervision, and improvement of daily control measures. The Risk Management Committee's roles and responsibilities include promoting, supervising, identifying and managing significant risks, compiling and compiling risk profiles and improvement plans for each company, collecting and monitoring significant risk events in each company, evaluating the extent of impacts, reporting significant risks and related improvement plans to each company's general manager, communicating risk management guidelines to members, identifying, analyzing, evaluating, handling and reporting the risks of the units under our control, ensuring the effective implementation of the risk management and related control procedures of the units under our control, participating in the meetings related to the risk management of the units under our control, providing the opinions related to the risk management and control, accepting the related risks of the units under our control, proposing the risk mitigation plans/measures of the units under our control and handling and tracking the control according to these plans/measures, informing the colleagues of the units under our control of the items that should be followed and cooperated with by us, and assigning a responsible person for the management and control of the risk management projects as necessary.
After identifying key risk items, the relevant risk responsibility units will discuss and evaluate them to establish "alert standards" and "action standards." These will be submitted to the Risk Management Committee for resolution, and will be implemented upon approval by the President, serving as the basis for risk mitigation and control. If the alert standards are met, each risk management unit shall report to the supervisors of their respective units and monitor the situation according to procedures. If the action standards are met, an emergency risk response team will be established to handle and respond to urgent risk events.
Risk Review
Each risk management unit shall conduct risk identification, risk analysis, risk assessment, and risk controlprocesses at least once every six months. This includes identifying potential risks that the Company may face within its business scope, analyzing the degree of impact and probability, selecting appropriate risk control measures based on each identified risk, and formulating mitigation strategies. The findings shall be submitted to the Risk Management Executive Committee for review to assess the effectiveness of risk control measures and action management, and to continuously monitor the status of risk improvement.
Risk Assessment and Analysis
According to the scope covered by the risk management framework, in the assessment results for 2024, ECOVE has identified the following seven major high-risk items:
Based on the aforementioned risk assessment results, appropriate risk control measures will be selected for the primary identified rather high risk items. This will involve the formulation of risk mitigation action plans, including risk control and improvement strategies. Continuous monitoring of the implementation of these mitigation actions will be conducted to ensure that the mitigation plans are effectively executed. The main risk mitigation action measures are described as follows:
Strengthening Risk Culture
In order to effectively enhance the outcomes of risk management, the Company not only promotesawareness on risk management guidelines and related regulations through various risk control units, but also establishes a risk management mechanism. This mechanism assists the Company and all employees in systematically identifying and assessing the risks that may be encountered during operational processes. After completing the identification, analysis, and assessment stages, appropriate measures and responses are taken. In addition to adhering to and implementing these measures in daily operations, regular promotional or training activities are conducted for all levels of management and staff to enhancethe overall risk awareness of all employees.
Internal Control System
ECOVE's internal control system is based on the "Guidelines for Establishing Internal Control Systems for Publicly Issued Companies" issued by the Financial Supervisory Commission. It incorporates elements such as control environment, risk assessment, control activities, information and communication, and monitoring. Designed by managers, approved by the Board of Directors, and implemented by the Board of Directors, managers, and other employees, the system aims to promote sound business operations, ensure operational effectiveness and efficiency, reliable and timely information reporting, and compliance with relevant laws and regulations. It is regularly reviewed to adapt to changes in the internal and external environment, ensuring the ongoing effectiveness of system design and implementation. In 2024, the Company established an internal control system for sustainable information management, which was approved by the Board of Directors in December 2024.
ECOVE has an internal audit unit under the oversight of the Board of Directors. The unit has established an internal audit system, which is approved by the Board of Directors. It is staffed with a dedicated audit manager and works in conjunction with the Audit Committee to assist the Board of Directors and managers in examining and reviewing deficiencies in the internal control system, measuring operational effectiveness and efficiency, and providing improvement recommendations as necessary. This ensures the continuous and effective implementation of the internal control system and serves as a basis for reviewing and revising the system.
The audit department develops an annual audit plan based on risk assessments and submits it for approval by the Board of Directors. It then carries out various audit procedures according to the plan. Identified deficiencies and abnormal issues related to the internal control system are disclosed in audit reports, which are tracked and followed up on after submission. Follow-up reports are prepared at least quarterly until improvements are implemented to ensure that relevant departments have taken timely and appropriate corrective measures. The audit manager reports the results of the independent director audit plan execution monthly and has individual face-to-face meetings with independent directors every quarter to discuss internal control and audit-related matters. The audit manager also attends Audit Committee and Board of Directors meetings to present audit business reports and demonstrate the effectiveness of the audit function.
Information Security
ECOVE adheres to the protection of our customers' important intellectual assets. We strengthen the reliability and quality of project execution through a sound information security governance system, regular information security risk assessment, and a diversified information security management mechanism, etc., and comply with the industry's major requirements or legal regulations in order to enhance the trust of our customers. ECOVE also actively identifies and reduces information security risks through standards such as the Regulations Governing Establishment of Internal Control Systems by Public Companies, the Trade Secrets Act, the Personal Data Protection Act, and the Cyber Security Management Act, to enhance the quality of information security on all fronts. To comply with legal requirements and operational demands, and to protect the personal data of the Company’s employees and relevant individuals, the "Principles for the Protection of Personal Data Security" have been formulated. These principles apply to all employees hired by the Company (including its subsidiaries) as well as personnel dispatched to work at the Company. The responsible units include the Human Resources Department, Information Services Center, Safety and Health Management Department, all department heads, and the Personnel Committee. In 2024, the completion rate for internal training on the Personal Data Protection Act was 99.57%, totaling 924 training hours. In 2024, one incident of information security took place
in ECOVE, which did not caused any damage to the Company's goodwill, nor did it harm customer relationships or affect the Company'srevenue; there were no substantiated complaints about infringement of customer privacy.
Information Security Management System
ECOVE complies with the requirements of Article 9-1 of the Regulations Governing Establishment of Internal Control Systems by Public Companies, and has announced the establishment of a dedicated information security unit in 2023. A dedicated head of information security and a dedicated employee of information security have been appointed. The Chief Information Security Officer oversees the promotion, coordination, and supervision of the Company's information security policies, with dedicated information security personnel responsible for planning and executing various information security operations. In addition, an information security management review meeting should be convened at least once a year to review matters related to information security management. The review meeting can be held along with the meetings of Risk Management Executive Committee, and in accordance with the relevant provisions of the Risk Management Guidelines, the Risk Management Executive Committee is the main promotion organization of the Company's risk management. Upon the instruction of the Committee, the Committee is required to submit a "Security Management Report" on the results and effectiveness of the implementation of the social drills, anti-virus system, firewall, email filtering system, and email audit system on a regular basis every year, which will be consolidated into the "Risk Management Executive Committee Report," and report the status and plans of the annual work to the Board of Directors every year.
The dedicated employee of information security has passed the training of the new version of ISO27001:2022 for leading auditors. We have re-examined the "InformationSecurity Management Guidelines" and the accompanying standards in the spirit of ISO/IEC 27001 to regulate the Company's information security management system, in order to ensure the confidentiality, completeness, and usability of information under the
Company's jurisdiction, and to further safeguard the rights and interests of the Company and all colleagues. In 2024, ECOVE, its subsidiaries, and domestic and overseas factories, projects, and sites were randomly inspected for a total of 36 safety audits, with a total of 54 items, all of which have been improved.
Information Security Management Mechanisms
Information Security Management Mechanisms
In order to continuously strengthen information security management operations, ECOVE continues to invest resources in information security-related matters every year. In 2024, the investment in information security-related software, hardware, and service rentals reached NT$8.28 million. Resource allocations include strengthening security defense equipment, relocating the email system to the cloud, upgrading and revising antivirus software, replacing outdated equipment, establishing remote backup validation mechanism, commissioning external professional cybersecurity vendors for security assessments and improvements, and reinforcing security management systems and education training. These efforts span from management to technical aspects to enhance information security capabilities.
Due to the significant damage caused to well-known companies by ransomware attacks in recent years, ECOVE has established a "Social Engineering Attack Prevention" website and a "Fraudulent Email Reporting Inbox" to assist employees in identifying and avoiding risks associated with "fraudulent/phishing emails" and more precise "Business Email Compromise (BEC)" attacks. Based on information security risk considerations, we have conducted a comprehensive inventory and implemented security protection work, such as the replacement of old equipment and improvement of old systems, the replacement of the work hourmanagement system, and the expansion of the deployment of MDR threat detection and response services. To effectively distribute the potential losses caused by information security risks, the Company purchased "Electronic Equipment Comprehensive Insurance" in 2024, with a total coverage amount exceeding NT$56.50 million. Employees in the Information Service Center have set different items and goals for their respective responsibilities within the "2024 KPI Performance Targets and Scoring Method," including incidents of computer infection within the domain, network, servers, application systems, etc., unplanned service interruptions, non-disaster or external force-induced service disruptions, high-risk individuals in social engineering drills, security inspections, information security audits, etc., to ensure the implementation of various information security measures.
In terms of outsourcing management, the Company has established comprehensive outsourcing management guidelines within the Information Security Management Guidelines. All outsourced vendors must sign a Non-Disclosure Agreement, and their project personnel are also required to individually sign a Confidentiality Agreement for Project Personnel of Outsourced Vendors to ensure that responsibilities for information security are clearly delineated. In addition, we require all outsourced vendors to cooperate with the Company in executing the project information security audit to maintain the overall security standards of the information environment.
Business Continuity Planning
To ensure the continuous operation of business and to minimize the impact of significant incidents or disasters on critical operations, ECOVE has established a business continuity management procedure for information services. This procedure involves conducting risk assessments and identifications regarding the severity of the impact of various system architectures on critical operational processes. The severity levels (degree) are defined and serve as the basis for determining the frequency of disaster recovery drills. To verify the effectiveness of the Business Continuity Plan and ensure that relevant personnel are familiar with the latest plan content, the Company mandates that a test drill be conducted at least once a year. In 2024, two significant drills have been completed, focusing on the scenarios of SQL database server damage and the damage and reset of various endpoint network devices. This has allowed us to comprehensively review and strengthen our disaster recovery capabilities.
Information Security Incident Notification
According to the "Information Security Management Guidelines," if employees detect a computer virus intrusion or other malicious software, they should immediately notify the nearest Information Center or the computer administrator of their department for handling. In practice, when the Information Service Center receives notifications from the antivirus system (indicating that automatic cleaning or isolation has failed), they proactively intervene to prevent individual employees from neglecting the antivirus system's alarm notifications. In 2024, there were 0 warnings or notifications of computer virus infection, 0 automatic cleanups, 0 automatic quarantine, and 25 notifications of information security incidents, which did not result in any data loss or customer damage. However, internal education training has been held to address the potential risk factors associated with the reported incidents. In the future, we will continue to refine and review the relevant processes to comprehensively improve the management of information security and align with the international quality requirements.
On September 21, 2024, the Company's key server was allegedly attacked by hackers utilizing a work account of old multi-function printers, launching a "brute force attack" on the firewall's VPN communication port to infiltrate the system. During the intruders' period of lurking within the system, they familiarized themselves with the information environment structure of the Company before launching a ransomware attack. After the incident occurred, the Company has implemented measures to comprehensively upgrade the cybersecurity risk environment. These measures include changes to operational modes (such as deleting the work accounts of multi-function printers, switching to scanning files directly to the printer's hard drive, and setting up individual directories and account passwords), preventing improper use (such as strengthening VPN connection management and maintaining a registry of external accounts), expanding the scope of detection (by deploying MDR threat detection and response services more widely), and enhancing protection (such as introducing a PAM privileged account management system and a DLP data leakage protection system). In addition, CoreCloud Technology and Microsoft, both external cybersecurity firms, are commissioned to investigate whether there has been any infiltration by and lurking of hackers in the internal network; after thorough checking, there are no cybersecurity concerns. After the inventory assessment, the Human Resources System and the Financial Accounting System are uniformly managed by the Group and are not affected by this incident; the IT operations at each plant site are conducted independently and are also not impacted by this incident. The systems affected by the recent ransomware attack include the Company's document processing file server, email server, and internal website server. No personal data or vital internal documents have been found to have been leaked.
Raising Awareness on Information Security Risks
To enhance employees' understanding of the importance of information security, improve their awareness of security issues and emergency response capabilities, and effectively manage risks, we continue to promote social engineering drills and conduct these drills every quarter. According to the results of the
drill, the occurrence rate for high-risk incidents in 2024 is 0%, while the occurrence rate for medium-risk incidents is 0.17%.
Business Results and Industry Outlook
Sustainable Economic Activities
ECOVE actively assesses and enhances the positive impact of its economic activities on the environment and society, based on the six environmental objectives defined in the "Guidance for Identifying Sustainable Economic Activities (Second Edition)." The Company achieves these objectives by introducing innovative technologies and optimizing processing procedures, continuously improving the
sustainability of its economic activities.
In 2024, approximately 81.1% of the total revenue of ECOVE can be categorized as sustainablerelated economic activities. Among these, general activities account for about 4.7% (including waste removal, waste treatment, and recycling)*Note 1, while supportive activities account for approximately 76.4% (including solar energy and waste-to-energy). Sustainable economic activities not only contribute to "mitigating climate change" and "circular economy" but also demonstrate the Company's concrete actions in implementing green energy transformation and low-carbon operations
Industry Outlook
n 2024, ECOVE continues to integrate SDGs, deepens the domestic market, expands overseas presence, and strives for more project collaboration opportunities. Additionally, we respond to the development trend towards a circular economy model in the market by actively expanding operations in waste resource utilization to enhance resource cycling efficiency. Leveraging our core capabilities and existing business expansion, we will continue to deepen our presence in the areas of "resource management," "recycling," "renewable energy," and "electrical and mechanical maintenance and refurbishment," showcasing Taiwan's technical expertise and strength in the resource cycling industry to the world.
Sustainable Solutions for Future Cities: The Application of Green Technologies from Seawater Desalination to Carbon Capture
ECOVE has strengthened the integration of its core capabilities with sustainable innovation. Recently, through its subsidiary ECOVE Environment Services Corp. and its parent company CTCI, the Company has successfully secured the "Hsinchu Seawater Demineralization Plant Construction and Operation Maintenance Project" in collaboration with SUEZ, a leading company in the international water affairs and solid waste sectors, and Hong Hua Construction, which specializes in maritime engineering. The plant has a daily water production capacity of 100,000 tons. It is expected that after its completion in 2028, ECOVE Environment Services Corp. will be responsible for subsequent operations and maintenance. This is anticipated to provide stable operational revenue and demonstrate the Company's innovative capabilities in climate resilience and water resource management, as well as the potential for improved financial performance.
In addition, ECOVE Environment Services Corp. has also collaborated with HDEC Corporation to undertake the operation and maintenance project of the local sewage system in Zhongli District, Taoyuan City. This project officially commenced commercial operations in January 2025. This marks ECOVE Environment Services Corp.'s first foray into the maintenance of sewage networks, further expanding its service portfolio, creating diverse revenue opportunities, and strengthening its core competitiveness. In the future, ECOVE will continue to leverage the integrated engineering capabilities of EPC of our parent company to develop more innovative businesses related to climate adaptation, including the reuse of water and seawater desalination.
In response to changes in electricity laws and regulations and the trend towards net-zero transformation, ECOVE is actively innovating its business model. One of our subsidiaries, ECOVE Environment Consulting Corp., has added a renewable energy sales business while simultaneously developing a solar power self-consumption business. The renewable energy certificate (REC) obtained can provide corporate clients with comprehensive and diverse green energy solutions.
To expand the carbon management market, ECOVE has partnered with Membrane Technology and Research, Inc. (MTR), which specializes in membrane separation technology, to promote the application of membrane separation carbon capture technology that does not utilize any chemical solvents in the Asian market. The separation unit of the technology adopts a modular design, featuring high efficiency, scalability, and environmental advantages. It is easy to integrate into various industrial processes, further promoting commercialization and enhancing the Company's innovative deployment and future operational potential in the field of carbon neutrality solutions.
