Information Security
Yihai Kerry places great emphasis on information security and the protection of customer privacy. In strict compliance with national laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and the Data Security Law of the People's Republic of China, the company has improved its institutional framework by establishing policies including the Information Security Management System, Regulations on Information System Vulnerabilities and Patches, Penetration Testing Management Regulations, and Application System Classification Management Regulations. These policies are periodically revised to ensure they meet national legal requirements and business protection needs.
Information Security Management Structure
To align with the group's strategic development and information security management needs, Yihai Kerry has established a management structure in which a board member is directly responsible for information security and cybersecurity management, with the Chief Technology Officer overseeing the implementation of related tasks. An Information Security Committee has been set up as the core decision-making and coordination body for the information security management system. The Information Security Team is responsible for planning the implementation path of information security, as well as formulating and promoting the overall policies, objectives, and strategic plans for information security.
Information Security Management System
Yihai Kerry has established a comprehensive information security defense system covering pre-event, in-event, and post-event phases, referencing industry best practices such as ISO 27001 and NIST CSF methodologies. This system enables the implementation and control of technology through targeted management measures. Annual IT-specific internal audits are conducted, focusing on personal information protection, business systems, and ITOT, to strengthen information security risk management and ensure compliance. The company applied for ISO 27001:2022 certification from BSI in the third quarter of 2025 and is expected to obtain the certification in the fourth quarter.
Information Security Risk Management
To prevent and respond to major information security incidents and ensure business continuity, Yihai Kerry’s IT infrastructure department conducts annual data drills for business systems. The company tests its emergency plans and incident response procedures at least once a year to ensure rapid, efficient, and orderly emergency handling, while also developing targeted preventive measures. Information security vulnerability analyses are performed, with continuous monitoring of external vulnerabilities and internal reporting and follow-up on remediation results.
Training and Awareness
Yihai Kerry has established a relatively comprehensive information security training system. New employees receive information security awareness training upon joining, and all employees participate in regular online and offline thematic training sessions. Annual phishing simulation exercises are conducted company-wide to continuously enhance employees' awareness of information security protection. All employees are required to promptly report suspicious activities to the IT department or information security personnel.
To safeguard information security and ensure the resilience of information systems, Yihai Kerry has formulated the Information Security Policy based on actual conditions and in accordance with relevant laws and regulations.
Appendix: Information Security Policy.PDF