ESG Report 2024
Environmental, Social and Governance Report 2024
The United Laboratories International Holdings Limited

Risk Identification Case - Information System Operational Disruption Risk

During the Year, the Group identified that operational disruptions in the system may impact the efficiency of related business operations. The probability of this risk occurring has been assessed as medium, while its potential impact on the business is considered high. To address this risk, our short-term measures include using backup all-in-one appliances to implement a real-time and reliable data protection solution, as well as enhancing the rapid recovery capabilities of data and systems. In our long-term plan, we will progressively examine a number of potential causes that could lead to system disruptions and address them one by one.

Risk Identification Case - Unauthorised Network Access Risk

During the Year, the Group identified that network architecture adjustments triggered by business changes may affect the existing network boundary defenses. This could pose challenges related to external connection, external attacks and internal operations, necessitating enhanced network security measures to protect internal data. The probability of this risk occurring has been assessed as medium, while its impact on the business is considered high. To address this challenge, the Group plans to optimise its network architecture by reducing network entry points for unified management. In addition, we will establish new controlled network boundaries through firewalls and other network security measures.

To further strengthen risk management and ensure business continuity, the Digital Centre has formulated the “Emergency Operation Procedures for Power Outage of Server Rooms”, which sets out in detail the emergency operation procedures in case of power outage, in view of the possible equipment damage or data loss caused by sudden power outage. The Digital Centre also arranges for security operations and maintenance personnel from both the central and branch offices to conduct drills during planned power outages. This aims to enhance the emergency response capabilities of all personnel in the event of an unexpected power outage. The tests are usually conducted in July and August each year, and the frequency must be in line with the outage fault tests. On the day of notification, all staff should switch off redundant electrical appliances and keep the door of the server room closed. During the power outage, all non-business system equipment is required to be shut down to prioritise the uninterrupted operation of the uninterruptible power supply (UPS) and ensure business continuity.

Meanwhile, the Digital Centre continued to implement the “Smart United Laboratories”, which integrates mainstream applications such as mobile platforms, public accounts, instant messaging, work applications based on corporate user licences, corporate telephone and video conferencing. The system provides integrated services for employees, facilitates corporate information symmetry, enhances work efficiency and builds corporate core competitiveness. The office platform system “Smart United Laboratories” passed the National Network Security Level Protection Certification 2.0 in 2021 and will continue to implement information security management with strict reference to this standard in the future.

5.4.2 Information Management

According to The United Laboratories Information Confidentiality Policy, all the information of the Group is classified into five categories by level of importance, namely Top Secret, Secret, Confidential, Internal and Public. All personnel need to pass appropriate approval procedures based on the importance level of the information when accessing any information. In addition, the use of internal documents, advertising and promotional materials, medication instructions, and after-sales service content is strictly regulated by the product data management system. These regulations set clear limitations on the scope, purpose, and audience for data usage, ensuring the security and compliance of information.

Regarding employees, the employee confidentiality system implemented by the Group requires all employees to bear confidentiality obligations on our business secrets, such as information on technology and operation, and not to allow any third parties to obtain our business secrets in the form of disclosure, release or publishing. In order to further secure the interests of the Group and stakeholders, all employees should bear their confidentiality obligations for three years after resignation. On the other hand, when cooperating with suppliers, customers and other partners, the Group shall sign confidentiality agreements with them to ensure that the information of both parties is not disclosed and that privacy rights are not infringed.