Corporate governance
—Sustainable Management
DECENT WORK AND ECONOMIC GROWTH
Ethical Management

The Corporate Governance and Sustainability Committee, under the direct management of the Board of Directors, is the dedicated unit for ethical management. It is in charge of establishing the ethical management policy and supervising its implementation. The regulatory compliance and corporate governance units, under the direct management of the President, assist the Corporate Governance and Sustainability Committee in promoting and executing the ethical management policy. The implementation status of ethical management is reported to the Board of Directors every year. In addition, regular educational training is provided to relevant personnel to cultivate a corporate culture of ethical management.

Promotion of Ethical Management

To strengthen our corporate culture of ethical management and establish a sound business structure, the Board of Directors approved the "Ethical Corporate Management Best Practice Principles" and the "Operating Procedures for Ethical Management and Conduct Management Policy" to prohibit all forms of unethical behavior: no bribery (giving or receiving), no illegal political donations, no donation or sponsorship unless otherwise permitted by law, no unreasonable gift, entertainment, or other improper interest, no improper gift or entertainment, no infringement of intellectual property rights, and no engagement in unfair competition. Prevention proposals and measures have also been established to ensure that the products or services offered cause no damage to customers or stakeholders. In addition, we established the "Methods Governing Gifts and Hospitality" to restrict our employees from receiving gifts or hospitality. Anyone who receives gifts or hospitality with a value over NT$3,000, or with a value that cannot be evaluated objectively, should declare it to the HQ Regulatory Compliance Office. Anyone who has objective evidence for reasonably believing that our employees (Note) may be involved in crime, fraud, or violation of laws when performing their duties is welcome to submit a complaint through our multiple complaint channels. An investigation of HQ and branch companies showed no fraud, insider trading, anti-competitive behavior, anti-trust behavior, or incidents related to ethical management in the market in which we operated in 2024.

Commitment to Integrity

All of the Company's directors and office and field personnel signed the declaration of compliance with the ethical management policy, and we also requested our contractors to sign the "letter of integrity commitment".
Mercuries Life Insurance established a mechanism to prevent conflicts of interest in domestic equity product investment. We require personnel handling domestic equity product investment to strictly follow the principles of honesty and good faith and to treat customers' interests as the priority when executing business, in order to avoid conflicts of interest with our investments or any behavior that may damage the Company's reputation and interests. In addition, all relevant personnel have to sign the declaration of conflict of interest. The rate of our directors signing the declaration was 100%.

Risk Management

The Board of Directors is the Company's highest decision-making unit for establishing an effective risk management system and takes ultimate responsibility for overall risk management. The Board of Directors makes decisions according to the overall operating environment and strategy and ensures the effective operation of the risk management mechanism. Under the Board of Directors, we have a Risk Management Committee. It currently consists of 5 directors and is convened by an independent director. The Committee is responsible for formulating risk management policy and procedures, executing the risk management decisions of the Board of Directors, and reporting the implementation of overall risk management to the Board of Directors every quarter. It also monitors various risks, establishes relevant management indicators, and facilitates coordination and communication among cross-unit risk management functions. In addition, the Board of Directors approved the appointment of a Chief Risk Officer to handle the overall risk management of the Company. We also have a Risk Management Department in charge of daily risk control, measurement, and evaluation. It exercises its duties independently of the business units.

Risk Identification and Response

Through rigorous design and various qualitative and quantitative mechanisms, we identify, measure, control/report, and respond to the risks that the Company may encounter, implementing a corporate risk management cycle. Using the findings discovered during this process, we optimize the control mechanism step by step to establish a proper risk management structure.

Market risk
    • Market risk limit control of the overall investment portfolio (including equity and foreign exchange risk limits)
    • Stock loss and profit warning and stop-loss mechanism
    • Regular execution of stress testing
Credit risk
    • Credit risk control of the overall investment portfolio
    • Monitoring credit risk limits by country, industry, and issuer
Asset-liability and current risks
    • Capital current ratio and cash flow management
    • Monitoring the duration and convexity of assets and liabilities
    • Monitoring capital current ratio
Insurance risk
    • Reinsurance planning
    • Product structure design and adjustment
    • Reserve risk management
    • Establishing and controlling sales limits
Operating risks
    • Risk and control self-assessment (RCSA)
    • Key risk indicator (KRI)
Information security/ information risk
    • Disaster backup
    • Important core system security control
    • Establishing information security code of conduct
Regulatory compliance risk
    • Reporting and managing regulatory compliance incidents
Climate change risk
    • Implementing the Methods Governing Climate Change Risk
    • Management step by step according to project planning
IFRS17 and ICS system integration
    • Establishing project teams to actively implement relevant regulations
    • Regularly reviewing progress and results of trial balance and adjusting relevant packages according to the demand
Other risk
    • Business continuity management plans
    • Standard operating procedures for handling operational abnormality
    • Critical accident reporting regulations
    • Business crisis responding measures
Information Security

To implement information security management, the Company formulated an "Information Security Policy" and an "Information Security Code of Conduct" and established an intrusion prevention system, network firewall, website content filter, endpoint protection, email audit, log management, and a database auditing management system for information security control. Abnormal incidents detected are investigated, and their cause, scope of impact, and handling measures are recorded in the "abnormal incident analysis report" and submitted to the departmental manager every month for regular review and approval. In 2024, we completed the "maturity assessment of information security governance"; the result failed to achieve Level 1 (basic). In addition, we introduced ISO 27001 Information Security Management Systems and BS 10012 Personal Information Management Systems and conduct an information security assessment every year to ensure information security and personal data protection in the workplace and reduce the risk of disclosing sensitive information.


In 2024, the budget we invested in information security accounted for 15.25% of the total budget for information systems. This was an increase from the previous year and reflects our emphasis on information security.

Structure of Information Security Governance

We appointed a Chief Information Security Officer to oversee the promotion of information security policy and resource allocation, and assigned a dedicated information security unit and supervisor to be in charge of planning, monitoring, and executing information security management tasks. Every year, the implementation status of information security in the previous year is reviewed and assessed. An internal control system declaration letter is jointly issued by the Chairman, President, Chief Auditor, HQ Regulatory Compliance Officer, and Information Security Officer after being approved by the Board of Directors to ensure the compliance and transparency of information security management.

The Company has formulated an information security policy and an information security organizational structure. According to function, the structure contains three layers: "information security decision", "information governance and management", and "information security promotion". In addition, relevant work duties and the division of responsibilities are clearly specified.

First layer: Information security decision
    • Information Security Decision Team - Consisting of the President, supervisors at the Information Security Department, and managers for other systems. A meeting will be held every quarter.
    • Main duties:
      ★ Reviewing and approving information security and personal information promotion direction and strategy
      ★ Reviewing and approving information security and personal information policy and system
      ★ Determination of events and topics for critical information security and personal information
      ★ Approval of information security and personal information implementation plans and results

Second layer: Information security governance and management
    • Information Security Decision Team
    • Main duties:
      ★ Establishing and promoting information security and personal information strategies
      ★ Providing suggestions on information security and personal information policy and system
      ★ Formulating responses to critical information security and personal information incidents and topics
      ★ Information security and personal information implementation plan and result management
      ★ Planning, monitoring, and conducting information security and personal information management
      ★ Information security and personal information implementation

Third layer: Information security promotion
    • Information Security Management Team - It consists of members appointed by each system. A meeting will be held every month.
    • Main duties: In charge of promoting and communicating information security and personal information methods and policy.

Information security educational training

In 2024, the pass rate of training received by all employees was 100%. The training covered the concept of information security protection, information security topics and strategies for remote office, personal data protection and information disclosure, IoT information security and protective measures, and social engineering prevention. We conduct an email social engineering exercise every quarter, and personnel who fail the exercise are given further training to enhance their awareness of email security risks. In 2024, the average rate of opening email by mistake was 1.1%, a reduction of more than 70% compared with 2023. We will continue strengthening recognition of social engineering through information security e-letters and annual educational training on information security to reinforce information security awareness. We are also devoted to developing information security personnel with diverse specialties. In 2024, our information security personnel obtained 22 international information security certificates.

Personal information protection

The Company introduced a personal information management system to provide complete operating procedures for collecting, handling, and using the personal data of our policy holders. In 2024, we passed the verification of BS 10012:2017 Personal Information Management System (PIMS) again. We offer "personal data protection legal regulation promotion training" at least once every year to ensure that data is well protected.


In terms of customer privacy protection and control mechanisms, we reduce the risk of personal data disclosure through a network and email personal data filtering protection system and a USB control mechanism. Through personal information management system (PIMS) certification, introduction of the personal information management system to all departments and branch companies, and environmental inspection and educational training conducted at 33.3% of communication offices, employees' awareness of personal data protection is strengthened. We conduct regular exercises on personal information security procedures, host workplace environmental inspection activities, and strengthen the external control mechanism to lower the risk of sensitive information disclosure. Moreover, an impartial third-party institution is entrusted to evaluate our mobile device app to ensure its security and reduce information security risks.

Regulatory Compliance

The regulatory compliance unit, under the direct management of the President, is in charge of planning, managing, and executing the regulatory compliance system.
We also appointed one HQ Chief Compliance Officer to coordinate matters related to regulatory compliance. Matters related to regulatory compliance should be reported to the Board of Directors and the Audit Committee at least every half a year. The Chief Compliance Officer should actively handle regulatory compliance training and business promotion, including regulatory compliance business promotion to senior managers at the business management meeting every month and seminars for compliance supervisors at each unit every quarter, to deepen the regulatory compliance culture.

To respond to changes in legal regulations in a timely and effective manner and to strengthen follow-up management procedures for such changes, the Company introduced a management system for changes in legal regulations in 2021. Through this automated system, we collect information on external regulations from multiple sources and link it with our internal rules to help compliance personnel identify affected business units and handle legal changes more effectively. Moreover, we have continued improving the system after implementation and optimizing relevant functions to increase the efficiency of control measures on legal changes and reduce regulatory compliance risks.

 

Money Laundering Prevention and Fighting Against Terrorism Financing

We set up a Money laundering Prevention Section under the Regulatory Compliance Office to focus on promoting anti-money laundering and anti-terrorism financing, and established the "Mercuries Life Insurance Money laundering Evaluation and Terrorism Financing Risk Policy", the "Mercuries Life Insurance Notice for Money laundering Prevention and Countering Terrorism Financing", and the "Mercuries Life Insurance Operating Procedures for Money laundering Prevention and Countering Terrorism Financing". These regulations comprise our internal control system for money laundering prevention and countering terrorism financing, and their content covers how the Company identifies and evaluates the risks of money laundering and terrorism financing for each business. In addition, we established policies, procedures, and control measures related to money laundering and terrorism financing risks to fully implement each step of the money laundering prevention procedures. We conduct regular review and discussion to enhance the efficiency of money laundering prevention and the countering of terrorism financing.


In 2024, we verified the reasonableness of the monitoring parameters for the anti-laundering system and adjusted them according to the result of the verification. By strengthening the transaction monitoring mechanism, we expect to detect suspicious transactions more effectively. In addition, we refer to the lists of nations or regions with higher risks in terms of money laundering prevention and countering terrorism financing that are newly published by international organizations, and we regularly review and update the country risk map to ensure it is consistent with those lists so that we can monitor the level of customer risk more effectively.

 

Responsible Investment

To comply with the "Stewardship Principles for Institutional Investors" published by Taiwan Stock Exchange and "The Principles for Responsible Investment" (PRI) published by the United Nations, the Company established specific operating procedures in its "Responsible Investment Principles" to manage information on the environmental, social, and governance performance of the invested companies for investment analysis and evaluation. In addition, the Company follows the above principles by strictly forbidding investment in industries on the negative list and actively investing in industries on the positive list to fulfill the spirit of responsible investment.


Before an investment, industrial information disclosed by Bloomberg is collected to understand whether the enterprise is on the negative list or positive list, or is in a high-carbon emission industry or high-ESG risk industry. By evaluating the sustainability report and public information of the invested enterprise and the ESG ratings published by MSCI and CMoney, we monitor the sustainability development results achieved by the enterprise as the basis for investment decisions. After the investment, we fully perform the obligation of investor stewardship through engagement with the enterprise and the exercise of voting rights.

The Company sent questionnaires for climate engagement to 56 invested enterprises in December 2024. 25 of them replied, and the response rate was 44.64%. The statistics of the replies are as follows. The analysis revealed the main difficulties that the invested enterprises face during the carbon reduction transition: financial pressure caused by high initial investment costs and an increased payback period; immature technology that cannot be used for mass application, because carbon capture and hydrogen energy technologies are still at the stage of exploration; difficulty in transforming the energy structure, with dependency on traditional energy still high while the supply of renewable energy is unstable; and difficulty of carbon reduction in the supply chain, mainly caused by the slow progress of carbon reduction among upstream small-scale suppliers. The Company will use the results of the questionnaires as a reference for future engagement strategies.

Management after investment

Among the existing objects of investment, we conduct an ESG review every year on items with high ESG risks and every two years on items with medium and low ESG risks. Furthermore, our investment team keeps a close eye on changes in the ESG ratings of the invested companies. When ESG performance deteriorates and drops to a high-risk rating, we determine how to communicate and interact with the invested company after considering the investment purpose, cost effectiveness, and materiality of the specific topic concerned, in order to understand the causes and possible solutions for improvement and to evaluate whether to continue holding the investment.

Stewardship responsibilities of institutional investors

The Company has signed the compliance statement for the "Stewardship Principles for Institutional Investors" and disclosed its stewardship performance report on the official website. To fully perform our due diligence obligations as an institutional investor, for important asset investments we always participate in the investor conferences held by invested companies, or visit the invested companies directly through arrangements made by securities firms, to communicate with their management and understand their management strategies, overview of operations, and financial status, and we focus on whether the companies have good ethics and corporate governance. In addition, we make time to participate in shareholders' meetings held by some of the invested companies to enhance interaction with management and further understand their business management, demonstrating our emphasis on sustainable management performance in the invested companies.


In 2024, our attendance rate at the shareholders' meetings of TWSE/TPEx listed companies was 100% (Note). We attended a total of 69 shareholders' meetings of TWSE/TPEx listed companies and voted on 283 motions. The voting results are as follows:

 

 

Information related to responsible investment
Positive and negative lists
Positive list of industries/enterprises

Definition of enterprises in the positive list: Enterprises that support and promote ESG and have good performance.

Negative list of industries
Definition of enterprises in the negative list
  • Objects that are sanctioned by the competent authority according to Money Laundering Control Act and Counter-Terrorism Financing Act.
  • Objects that involve critical violation against environmental protection or violate human rights, labor rights and interests, corporate governance, or ethical management but fail to propose concrete improvement solutions.
List of industries with high carbon emissions and high ESG risks
Communication with the invested companies
Mercuries Life Insurance Inc.

© 2023, Mercuries Life Insurance Inc. All rights reserved.