Information Security and Private Information Protection System

Information Protection Policy

Coway has established information-protection policies and guidelines to protect the private information of its customers and operates information-protection systems based on these principles. The information-protection regulations are divided into policies, which state the basic principles of information protection, and guidelines for each detailed practice area, so that employees can easily apply them to their actual work. Policies and guidelines are established and revised through a regular review process in order to reflect the ever-expanding scope of information protection as the business environment changes. In 2023, following the recent second revision of the Personal Information Protection Act, the 16 existing information-protection guidelines were updated to reflect the compliance requirements of the related laws and current business practice, including the handling of disclosure requests by data subjects and the separation of the article on fixed and portable video information processing devices into its own article. Coway applies all guidelines and policies related to personal information not only to its internal business areas but also to operational organizations, consignees and business partners.

Guarantee of Data Subjects' Private Information Rights

Coway is swiftly responding to requests made by data subjects to delete personal information or matters received through the *e-Privacy Clean Service so as to guarantee rights of data subjects.

* The e-Privacy Clean Service: a service for data subjects to exercise their rights, operated by the Personal Information Protection Committee. It lets users check the websites they previously subscribed to through their ID verification records and helps them withdraw from websites they no longer need.

Information Security Management System

With the increase in IoT products and services and changes in technologies, businesses and environments, corporate responsibility for information protection and personal information protection is growing. Coway is fully aware of this and establishes and operates information-protection management systems. Together with the information protection and personal information protection organizations, the Information Protection Committee discusses major agenda items and makes decisions so that management participates in the overall activities for protecting information. By establishing company-wide information protection governance, we strive to provide services that our customers can use safely.

Organization Dedicated to Information Protection and Private Information Protection

The Information Protection Committee is made up of executives. Its chairperson is the Chief Information Protection Officer (CISO), who meets the requirements set by the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., including 'more than 10 years of experience in performing work in the field of information protection or information technology', and the heads of related departments attend as members. Activities related to information protection, such as information protection audits, information protection training, awareness promotion and mock training, are carried out by the information-security team, which is the department in charge. Through close cooperation with relevant departments, periodic monitoring and risk management, we work to establish a thorough information-protection system and protect private information.

Organizational Chart of Information Protection and Private Information Protection

Formation of Information Protection Committee

Main Activities Conducted by the Information Protection Committee in 2023

Following the second amendment to the Personal Information Protection Act in September 2023, private information regulations in both online and offline areas were tightened, making the management of private information more important. The Information Protection Committee completely revised the information protection policies and guidelines to reflect the compliance requirements of the revised personal-information protection laws and current business operations. In this way we actively protect customer rights and operate the information-protection management system more practically and systematically in both online and offline areas.

Main Activities and Performance

Category | Main activities and performance | Evaluation indicator | Measurement result
Compliance | Checking private information access records and destruction status; notifying data subjects of details on the use of their information; resolving complaints and conflicts | Rate of implementing mandatory legal compliance activities | 100%
Operating the management system | Renewing ISO 27001 certification and acquiring ISO 27701 certification; acquiring ISMS-P certification | Rate of internalizing security standards | 100%
Operating the security system | Improving the operation of the security system; checking security system access rights and unnecessary policies | Rate of implementing improvement plans | 100%
Information protection prevention | Detecting and responding to PC security vulnerabilities and information leakage threats; inspecting the security of main business sites and operational sites and providing training | Rate of responding to detected risks | 100%
Increasing awareness | Information security campaigns and case dissemination; distributing customized on-site information security guides | Rate of implementing awareness-raising plans | 100%
Strengthening training | Implementing IDC mock training; implementing disaster recovery mock training for grade 1 failure situations once a year; implementing private information leakage mock training once a year | Completion rate of trainees | 100%
Managing risks | Reviewing security and taking actions to remove company-wide risks; strengthening endpoint security risk detection and minimizing security blind spots | Rate of taking actions to remove security vulnerabilities | 100%
Internal audit | Checking the status of the information protection management system; checking the security management status of business partners and consignees | Rate of diagnosing management levels | 100%

Information Protection Certification

Coway holds information protection certifications from accredited third parties, having obtained domestic and international certificates for information security and personal information protection. We raise the level of information protection every year through annual post-certification examinations and renewal examinations every three years.

Status of Information Protection Certification

Possessed certificate | ISMS-P | ISO/IEC 27001:2022 & ISO/IEC 27701:2019
Standard | Domestic | International
Validity period | 2022.06.15 ~ 2025.06.14 | 2023.12.21 ~ 2026.12.20
Certifier | Korea Internet & Security Agency (KISA) | DNV
Certification scope | Coway online services (coway.com, cosmetics) | Coway online services: 11 services in total, including coway.com, the cosmetics online service and the corporate site; Business apps: 5 services in total, including Cody App, Home Care Doctor App, Smart Sales App and Service Manager App
Certification effect | Enhancing business stability through information protection risk management; complying with information protection laws for ethical and transparent management; minimizing social and economic damage from infringement accidents and collective lawsuits | Complying with laws related to information protection and personal information protection that meet international requirements; providing a systematic risk management environment against information protection threats; improving external credibility by obtaining certification for the prevention of information leakage
Impact on business contributions (external) | By continuously carrying out systematic prevention and improvement activities while maintaining certification, we can not only prevent personal information infringement incidents caused by hacking and insider threats, but also protect against the legal, financial (fines and others) and reputational risks connected with such incidents. This is expected to contribute to improving business stability. (applies to both certificates)

Information Security and Private Information Protection Strategies

Information Protection Risk Monitoring

In 2023, using its anomaly-detection system, Coway conducted monthly inspections of selected risk factors, including large-scale inquiries into and exports of private information and activity outside working hours. When a suspected violation of security policy is confirmed, we take action to prevent such cases. In addition, we strengthened operational stability and monitoring by replacing outdated security systems so as to respond to new security threats. We also implemented mock training on responding to malicious emails for all employees, our business partners and their partners. Finally, we checked the sustainability of our information protection system by diagnosing infrastructure vulnerabilities, reviewing security and verifying the effectiveness of disaster recovery procedures.
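As an added illustration, not code from Coway or from the report, the following Python script applies the three risk factors named above (large-scale inquiries, exports of private information, and activity outside working hours) to a constructed personal-information access log of the kind such an inspection would review. The log format, the user ids, the thresholds and the 09:00 to 18:00 working window are all assumptions for the example; the report does not disclose Coway's actual rules. It goes one step beyond the text by also aggregating per user and day, since many small inquiries can add up to a bulk inquiry that no single-record threshold would catch.

```python
# Added example, not Coway's own monitoring code. Rules and thresholds are
# assumptions chosen for illustration; the report does not disclose Coway's.
from collections import defaultdict
from datetime import datetime, time

BULK_QUERY_THRESHOLD = 500      # records returned by a single inquiry
BULK_EXPORT_THRESHOLD = 100     # records in a single export/download
DAILY_VOLUME_THRESHOLD = 2000   # records touched by one user on one day
WORK_START, WORK_END = time(9, 0), time(18, 0)   # assumed working hours

# Constructed sample access log (hypothetical users and volumes).
# Each line: ISO timestamp, user id, action (QUERY or EXPORT), record count.
SAMPLE_LOG = """
2023-05-02T10:15:00 u.kim QUERY 12
2023-05-02T10:40:00 u.kim QUERY 35
2023-05-02T14:05:00 u.park QUERY 800
2023-05-02T22:30:00 u.lee QUERY 20
2023-05-03T11:00:00 u.park EXPORT 150
2023-05-06T13:20:00 u.choi QUERY 40
2023-05-03T09:30:00 u.kim QUERY 900
2023-05-03T15:30:00 u.kim QUERY 1200
""".strip().splitlines()


def parse_line(line):
    """Parse one access-log line; raise ValueError on a malformed record."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    ts, user, action, count = fields
    if action not in ("QUERY", "EXPORT"):
        raise ValueError(f"unknown action {action!r}")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "count": int(count)}


def is_off_hours(ts):
    """True on weekends or outside the assumed 09:00-18:00 working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def detect_anomalies(lines):
    """Apply the per-record and per-day rules; return a list of findings."""
    findings = []
    daily = defaultdict(int)          # (user, date) -> records touched
    for line in lines:
        rec = parse_line(line)
        daily[(rec["user"], rec["ts"].date())] += rec["count"]
        if rec["action"] == "QUERY" and rec["count"] >= BULK_QUERY_THRESHOLD:
            findings.append({"rule": "bulk_query", **rec})
        if rec["action"] == "EXPORT" and rec["count"] >= BULK_EXPORT_THRESHOLD:
            findings.append({"rule": "bulk_export", **rec})
        if is_off_hours(rec["ts"]):
            findings.append({"rule": "off_hours", **rec})
    # Aggregate rule: many small inquiries by one user can add up to a bulk
    # inquiry that no single-record threshold would catch.
    for (user, day), total in daily.items():
        if total >= DAILY_VOLUME_THRESHOLD:
            findings.append({"rule": "daily_volume", "user": user,
                             "ts": datetime.combine(day, time()),
                             "action": "AGGREGATE", "count": total})
    return findings


def summarize(findings):
    """Count findings per (user, rule) for the monthly review sheet."""
    summary = defaultdict(int)
    for f in findings:
        summary[(f["user"], f["rule"])] += 1
    return dict(summary)


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG):
        print(f"{f['rule']:<13} {f['user']:<8} {f['ts']:%Y-%m-%d %H:%M} "
              f"{f['action']:<9} {f['count']}")
    print(summarize(detect_anomalies(SAMPLE_LOG)))
```

A finding here is a candidate for the monthly review, not a confirmed violation: the report's own process confirms a suspected case first and only then takes action, so the output of a script like this belongs in the reviewer's queue rather than in an automatic block.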

Follow-up Measures after Security Accidents

Through our security-incident response guidelines and guides, we respond promptly to prevent the spread of damage. Based on the severity and type of security incident and the scope of damage, we have established a four-level threat-alert standard, and a security incident response team acts as the control tower during incidents so that a company-wide response system is in place.

Security Review Process

01 Requests for security reviews
02 Establishing a plan for security reviews
03 Implementing security reviews
04 Follow-up management

Responsive System for Infringements of Private Information Protection

For personal-information infringement incidents and information-leakage cases, we operate an incident response system that makes a swift initial response to minimize secondary damage. Coway divides incidents related to personal information into infringements and leakages (personal information leakages and internal information leakages) and has type-specific response measures for each. Through security control and round-the-clock monitoring, suspected security incidents are reported immediately to the persons in charge of information security, who form the relevant response team. The response proceeds from initial actions to identifying the case and then collecting and preserving evidence, so that the leakage route and other facts can be examined closely. In the follow-up stage we establish measures to prevent recurrence, act on them and normalize the service. Under this system, Coway documents the incident route, countermeasures and related details to prevent recurrence, and distributes them to the relevant departments and trains them on a regular basis.

Responsive System Process

Category | Infringement incidents | Private information leakage | Internal information leakage | Note
Control/monitoring | Remote security control: malicious code infections (worm/virus); hacking attacks (website forgery/falsification, transit abuse); DDoS attacks, etc. | Remote security control: private information leakage | Remote security control: internal information leakage | Departments that recognize an accident report suspected security accidents to the persons in charge of information protection
Recognizing and reporting incidents | I. Responding to infringement incidents: internal report, reporting to national agencies; forming a security accident response team | II. Responding to private information leakage: reporting the accident and notifying customers; forming an accident response team and convening an emergency executive meeting | III. Responding to internal information leakage: internal report, reporting to national agencies (when necessary); forming a security accident response team | Reporting to the CEO; reporting to the CISO
Responding to incidents | Taking initial actions: F/W blocking, ACL policy application, NMS monitoring, vaccine (antivirus) | Minimizing leakage damage | Prohibiting additional information leakage |
Precise analysis | Fact checking: gathering and analyzing system logs (checking for falsification and others); checking recently changed files, programs and services; checking hidden or abnormal processes; checking abnormal ports and external connections | Finding out the leakage route; responding to customer complaints; damage relief | Interview |
Collecting and keeping evidence | Forensics | Collecting evidence | | Reporting to the CISO
Follow-up measures (recurrence prevention) | Normalizing services; supplementary actions and actions against recurrence | Monitoring countermeasures; establishing measures against recurrence | Disciplinary actions and civil or criminal charges; establishing measures against recurrence | Reporting to the CEO; reporting to the CISO

Information Security and Private Information Protection Activities and Goals

Increasing the Awareness of Information Security and Private Information Protection

To raise employees' awareness of information protection, Coway conducts information security training for all employees twice a year. Through periodic information security campaigns, we strive to improve the practice of information security and strengthen security-related capabilities.

Information Security Training for Employees

Category | Schedule | Training targets | Training contents
Information security visit inspection and training | February, November (twice a year) | Bureaus/branch bureaus (24) | Private information management status inspection and training
Information security visit inspection and training | | Agencies and branch offices (7), consignees (24) | Private information management status inspection

Information Security Campaign

Category | Schedule | Training targets | Training contents
Mock training to respond to malicious emails | April, August, December (3 times per year) | All employees | Activities to raise awareness of the prevention of malicious code infections and information leakages caused by incoming malicious emails
Clean Desk | April, October (twice a year) | HQs, R&D center, factories (inspection of relevant departments); on-site (self-inspection) | Preventing security accidents that may occur in working environments through Clean Desk activities

CASE: Coway's Training against Malicious Emails

Coway conducts response training on a regular basis to raise employees' awareness of how to respond to malicious emails. The training covers about 6,072 employees (as of 2023) who use a Coway email (@coway.com) account, and the training emails carry various kinds of suspicious indicators. These include unclear sender addresses, service name errors, unknown attachments and requests to enter personal information, with the aim of helping employees take preventive action on their own.

Information Protection Investment

Coway is obliged to disclose its information-protection details and has been disclosing the status of the company's information protection investment, human resources, certification and activities in accordance with the Act on the Promotion of Information Security Industry since 2022. The purpose of this disclosure system is to encourage voluntary investment in information protection by ensuring users' safe Internet use and by making companies treat information protection as an important element of doing business. As of the end of 2023, Coway's investment in information protection stood at KRW 3.6 billion in total, or 4.7% of the IT budget, and we are continuously increasing our attention to and investment in information protection.

Information Protection Investment Status

Category | 2021 | 2022 | 2023
Investment in information protection | KRW 2.25 billion | KRW 3.13 billion | KRW 3.6 billion

Information Security Goals

Coway has established and is managing a mid- and long-term road map to minimize internal and external security risks and to build a global-level security management system.

Mid-and Long-term Road Map for Information Security