ESG Report 2025
5.4.1 Information Security Management System

The United Laboratories has established a governance structure centred on the Information Security Management Committee, which is responsible for the strategic planning and supervisory guidance of information security management. The Committee is chaired by the Chairman of the Board, and its members include the heads of various business segments. It is responsible for formulating the information security management framework, reviewing information security policies, guiding operating units in implementing security measures, and reporting its work to the Board.

The Digital Centre serves as the execution and assurance department for information security. It is responsible for building and maintaining data security systems, deploying technical safeguards such as data encryption, access control, intrusion detection, vulnerability remediation and data backup, monitoring the security posture in real time, and identifying and responding to threats in a timely manner. Meanwhile, the Digital Centre regularly organises data security training and awareness activities to enhance employees' information security awareness.

The Audit Centre, in coordination with the Digital Centre, conducts special audits each year on the implementation of information security policies, the effectiveness of technical protection measures and the execution of privacy protection requirements to ensure the continued effective operation of the information security management system. During the Year, the Group's IT audit covered the entire Group and completed 10 special audit assignments, covering key areas such as information security in the R&D system, user access rights management, cloud service system risks and foundational controls of document systems. Audit results showed that most system risks were controllable, while the remaining findings were either rectified according to plan or had been effectively brought under control.
With regard to information classification and access control and based on the “United Laboratories Information Management Regulations”, the Group classifies all information into five levels according to its importance and the potential harm that may result from disclosure: Top Secret, Confidential, Secret, Internal and Public. Different levels of information correspond to different access rights, storage requirements and approval procedures, thereby ensuring graded and classified protection of information assets.

Information Level: Top Secret
Definition: Core company information, the disclosure of which would cause major losses to the Company's interests.
Access Rights: Restricted to core management personnel and directly related personnel after strict approval.
Core Control Requirements: Stored in designated places, managed by designated personnel, subject to strict approval and encrypted transmission.

Information Level: Confidential
Definition: Information of significant value, the disclosure of which would cause serious losses.
Access Rights: Accessible to relevant business personnel after approval by department heads.
Core Control Requirements: Restricted scope of knowledge, borrowing subject to approval, encrypted storage.

Information Level: Secret
Definition: Relatively important information that is generally not disclosed externally.
Access Rights: Accessible on a need-to-know basis within departments; cross-departmental access requires approval.
Core Control Requirements: Managed within departments with limited sharing.

Information Level: Internal
Definition: Information disclosed internally but kept confidential externally.
Access Rights: Accessible to all employees, but not for external dissemination.
Core Control Requirements: Internally accessible, external dissemination prohibited.

Information Level: Public
Definition: Information approved for external release.
Access Rights: Accessible to all.
Core Control Requirements: Released in a standardised manner and may be disseminated externally.

5.4.2 Technical Protection and Operation & Maintenance Support

The United Laboratories adopts a three-pronged approach of “local deployment, technical protection and access control” to build a security protection system covering the entire data lifecycle.
At the system deployment level, business systems and databases involving core data are prioritised for local deployment to reduce the risk of data outflow at the physical level. The Group has established independent encryption systems for its office systems, R&D departments and clinical research departments, with different encryption methods in place. Personnel responsible for decryption must obtain prior authorisation before carrying out decryption operations.

The United Laboratories International Holdings Limited 2025 Environmental, Social and Governance Report