Information security management
As a leading developer and supplier of precision test and measurement equipment, we are committed to further technological development of an information security framework and close collaboration with key partners to protect the security of our important information assets and customer data. In the face of increasingly severe information security threats, we obtained the ISO 27001 Information Security certification in January 2022, covering all information processes at our operational bases. We implement a cycle of continuous improvement using the Plan-Do-Check-Act (PDCA) model to plan, execute, check, and improve our information security measures.
Information security management framework
Chroma is committed to enhancing security management throughout the Group. As part of this effort, it regularly reports on the status of its information security management to the board of directors. The most recent update was provided during the board meeting on October 31, 2023. Chroma has also established an Information Security Management Office to consolidate and formulate information security policies and the allocation of resources for planning, monitoring, and implementing information security systems and managing operations related to information security.
The Information Security Management Office consists of the Security Audit, Security Management, and Information Security Emergency Response Teams, and information security management is carried out in each business unit.
The Information Security Management Office manages and promotes all matters related to information security. The office holds at least one management meeting each year to review the status of corrective actions for issues found in previous audits, to examine the internal and external issues affecting the information security management system, and to incorporate the findings into the management system.
Information security management action
Based on the information security implementation model, actual information security management actions are as follows:
1. Network security:
Introduction of advanced detection technology to monitor the information network, block malicious cyberattacks, gather intelligence on information security threats, and prevent the spread of computer viruses.
2. Device security:
(1) Optimize end-point antivirus and virus scan mechanisms to prevent ransomware and malware.
(2) Enhance the detection of malware, Trojan attachments, and phishing mails in the email system.
(3) Detect suspicious network behavior and block malicious and high-risk websites, links, or file downloads.
3. Application security:
Set security check and assessment standards and improvement targets in the application development process. Continuously enhance the security control mechanisms and patch potential application loopholes.
4. Data protection:
Establish a user password management mechanism and network security zone segregation, and maintain access control and data security.
5. Personnel account management, education and training:
Set password principles and requirements and ensure regular password changes. Arrange education, training, and tests to assess employees' information security awareness.
6. Information security incident performance:
Continuously monitor and collect security protection operation records, gather and analyze information security intelligence, and establish procedures for reporting and handling information security incidents.
Chroma's information security executive models
The aim of information security management is to develop a set of assessment criteria that continuously raise the level of information security defense. Three core elements are involved: personnel, technology, and process, together with five security management functions: identification, protection, detection, response, and recovery. These, along with the other information security plans and processes and the maturity of information security, span the life cycle of cyber security risk management.
The performance of information security management in 2023
- On hiring: Orientation training for new employees
- Ongoing: Routine awareness promotion and testing
- Weekly: Information security incident weekly bulletin
- Monthly: Information security and intellectual property rights awareness promotion
- Quarterly: Social engineering drills
- Annually: Employee information security education training and information security awareness testing
The review of this year's information security implementation across various units has confirmed that there were no incidents that compromised the Company's information security. This includes no reported complaints from external parties (e.g., customers) or complaints from regulatory authorities.
Each year, an ISO 27001 external auditing organization conducts audits and oversight of information security management.
Contacting the Information Security Office
Any employee who identifies a security risk can immediately contact the designated personnel in the Information Security Management Office.