Risk Management and Strategy

We rely increasingly on information technology systems and network infrastructure to conduct operations and engage with our customers and business partners. As the complexity of our engagements grows, so do the potential threats from cyber intrusion, ransomware, denial of service, phishing, account takeover, data manipulation, and other cyber misconduct. To counter these threats, we have implemented comprehensive cybersecurity risk assessment procedures and taken various measures to ensure their effectiveness in reporting and managing cybersecurity risks. We have also integrated cybersecurity risk management procedures into our overall risk management system.

We have developed a comprehensive cybersecurity threat defense system to address both internal and external threats. This system encompasses various operational levels, including access management, network management, system maintenance, data integrity, and proper use of information resources. We strive to manage cybersecurity risks and protect sensitive information through various means and processes, including, but not limited to, the following: (i) an incident response team designated to assess, contain, and mitigate the potentially harmful effects of cybersecurity incidents, including developing a comprehensive plan outlining the appropriate steps of incident response and disciplinary measures to be implemented upon the occurrence of such incidents, (ii) access control protocols based on a “least privilege” principle, which allows user access only to the resources necessary to perform their respective function(s); (iii) network security monitoring, including firewalls, Intrusion Detection Systems (IDS) and other programs to monitor suspect activity on our network, (iii) regular updates to keep our software and systems current through the use of automated patching solutions, and monitor news sources, industry consortia, and vendors for updates and threat information, and (iv) periodic review of information security controls by internal and external staff, and regular training sessions on information security conducted for employees. addition, we work with third-party cybersecurity professionals to guide and support our cybersecurity management efforts..We have implemented information technology access control procedures to oversee and identify cybersecurity risks associated with our third-party service providers. For example, third-party access may be evaluated and approved by our chief digital officer on a case-by-case basis and granted strictly in accordance with the “least privilege” principle, after such third parties have undergone a background check or other due-diligence process. Any third-party service providers connecting to our network must demonstrate that they are capable of maintaining appropriate safeguards to comply with applicable cybersecurity laws and regulations. 

Although we have implemented various measures to mitigate cybersecurity threats, we cannot guarantee that cybersecurity risks will be completely eliminated, and we may from time to time be exposed to risks from cybersecurity threats. As of the date of this annual report, we have not experienced any cybersecurity incidents or identified any risks from cybersecurity threats that have affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

For more information regarding the risks associated with cybersecurity incidents, see “Item 3. Key Information—D. Risk Factors—Risks Related to Our Business and Industry—A computer system failure, cyber-attacks, any failure to protect the confidential information of our customers or other security breaches may disrupt our business, loss of customers, damage our reputation, result in potential liability and adversely affect our results of operations and financial condition.”

Cybersecurity Oversight and Governance

The audit committee of our board of directors is responsible for overseeing the Company’s risk management processes and the implementation of our cybersecurity policy. The board and the audit committee are aware of the rapidly evolving nature of threats presented by cybersecurity incidents and are committed to the prevention, timely detection, and mitigation of the effects of cybersecurity incidents on the Company. The audit committee shall review, approve and maintain oversight of the disclosure (i) on Form 6-K for material cybersecurity incidents (if any) and (ii) related to cybersecurity matters in the periodic reports (including annual report on Form 20-F) of the Company. The audit committee routinely provides updates to the board on the matters related to cybersecurity, and is responsible for reviewing and evaluating the sufficiency of our cybersecurity policy and proposing any necessary changes to the board for approval.

The audit committee also receives regular reports and updates from our chief digital officer, such as the internal and external cybersecurity threat landscape, material risks arising from cybersecurity threats, and any material cybersecurity incidents.

Our management is committed to cybersecurity risk management. The head of our information technology department, who leads a dedicated cybersecurity team, is responsible for assessing and managing cybersecurity risks and monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents related to HPH’s legacy IT system. He has over 18 years of experiences in in application, infrastructure, development, security and governance. He reports to our chief executive officer and provides timely and routine updates to the audit committee on any material cybersecurity incidents.

Upon the identification of a cybersecurity incident, the head of our information technology department will organize an incident response team. The incident response team coordinates with internal and external IT personnel and advisors, and internal and external counsel, as appropriate, to minimize the threat of damage resulting from a cybersecurity incident. 

The audit committee of our board of directors is responsible for overseeing the Company’s risk management processes and the implementation of our cybersecurity policy. The board and the audit committee are aware of the rapidly evolving nature of threats presented by cybersecurity incidents and are committed to the prevention, timely detection, and mitigation of the effects of cybersecurity incidents on the Company. The audit committee shall review, approve and maintain oversight of the disclosure (i) on Form 6-K for material cybersecurity incidents (if any) and (ii) related to cybersecurity matters in the periodic reports (including annual report on Form 20-F) of the Company. The audit committee routinely provides updates to the board on the matters related to cybersecurity, and is responsible for reviewing and evaluating the sufficiency of our cybersecurity policy and proposing any necessary changes to the board for approval.