Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

The PRC operating entities have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats and have integrated these processes into their overall risk management systems and processes. The PRC operating entities routinely assess material risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity, or availability of their information systems or any information residing therein.

The PRC operating entities conduct quarterly and monthly risk assessments to identify cybersecurity threats. These risk assessments are conducted by the IT operation and maintenance (“ITOM”) team and information security (“InfoSec”) team of the PRC operating entities, collectively. The PRC operating entities’ server was provided by Alibaba Cloud’s Elastic Compute Service (ECS) located in China. The PRC operating entities purchased and utilized add-on services and tools provided by Alibaba Cloud to conduct risk assessments. The quarterly risk assessments are conducted through in-depth inspections of servers, operating systems, databases and applications, protection equipment rules configuration and routing policy verification, review and analysis of existing policies and analysis of inspected vulnerabilities to identify reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. The monthly risk assessments are conducted primarily through server inspection and vulnerability scanning for identification of existing or potential technical risks.

In the event of a material change in the business of the PRC operating entities or a new project to be launched, the PRC operating entities also conduct risk assessments accordingly. In the event of a cybersecurity incident occurring at the PRC operating entities, employees are required to report to the InfoSec team immediately and record the details of the event pursuant to the Cybersecurity Policies and Rules as described below. The InfoSec team will follow the guidance and procedures to take remedial actions accordingly and conduct risk assessments for such particular incident afterwards.

Following these risk assessments, the PRC operating entities will upgrade, implement, and maintain reasonable safeguards to address identified risks, reasonably address any identified gaps in existing safeguards, and regularly monitor the effectiveness of our safeguards. During the fiscal year 2024, the PRC operating entities identified certain risks through their risk assessments in connection with the network access control strategies, detection of high-risk ports, security vulnerabilities of host operating systems and application software and configuration weaknesses of operating systems and application software. To address these risks, the PRC operating entities installed a cloud firewall to conduct real-time access and invasion risk control through network intrusion prevention, full traffic visualized analysis, access control, traceability analysis and other functions. The PRC operating entities also subscribed to Cloud Security Center services provided by Alibaba Cloud, which conducts automated threat detection, response and traceability with anti-ransomware, vulnerability scanning and repair, anti-virus, anti-tampering, compliance check and other functions. The PRC operating entities also optimized security configuration of ECS. We believe that these risks did not have a material impact to the results of operations or financial condition of the Company or the PRC operating entities.

Zhongchao Shanghai has obtained the ISO 27001 certificate, an international standard to manage information security, and established and maintained a comprehensive security management system in reference to ISO 27001. The PRC operating entities have implemented a series of measures to provide safeguards, including but not limited to, information security management, access control, authentication requirements, data backup and recovery function. The PRC operating entities have designated a Security and Information Officer, with the support of the ITOM team and InfoSec team, to manage the risk assessment and mitigation process.

The PRC operating entities regularly review and analyze cybersecurity and data security policies, practices and security measures of third-party service providers with respect to their ability to implement and maintain appropriate security measures in connection with their work with us. In the event of any failure to comply with the PRC operating entities’ security requirements or material violations, the PRC operating entities will require the service providers to make rectifications timely or terminate the agreements. As of the date of this Annual Report, no such failure or material violations by third-party service providers have occurred.

As part of the overall risk management strategies, the PRC operating entities also conduct cybersecurity training for their employees.

During the fiscal year ended December 31, 2024 and to the date of this Annual Report, neither we nor the PRC operating entities have experienced any material cybersecurity incidents or identified any material cybersecurity threats that have affected or are reasonably likely to materially affect us or the PRC operating entities, business strategy, results of operations or financial condition. For additional information regarding whether any risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K.

Governance

Our Chief Executive Officer and Chief Financial Officer will annually present to the Audit Committee and the Board of Directors about the Company’s and the PRC operating entities’ cybersecurity related risk assessments and management, including but not limited to, relevant internal rules and policies, assessment of potential cybersecurity threats or risks, improvements and prevention measures. In the event that the management discovers that a material cybersecurity incident occurs, the Chief Executive Officer and/or the Chief Financial Officer will timely report such incident to the Audit Committee and the Board of Directors, with respect to material aspects, including but not limited to, the nature, scope, timing, the remedial measures and risk mitigation processes taken by the Company and the PRC operating entities, material impact to the Company and the PRC operating entities, and any prevention measures or improvements to be implemented. Our Audit Committee is responsible for discussing guidelines and policies governing the process in connection with the assessment and management of the Company’s exposure to risks. Our Board of Directors shall (i) maintain oversight of the disclosure related to cybersecurity matters in current reports or periodic reports of our company, (ii) review updates to the status of any material cybersecurity incidents or material risks from cybersecurity threats to our Company and the PRC operating entities, and the relevant disclosure issues, if any, presented by our Chief Executive Officer, Chief Financial Officer, and (iii) review disclosure concerning cybersecurity matters in our annual report on Form 20-F presented by our Chief Executive Officer and Chief Financial Officer.

The PRC operating entities have adopted the Data Classification and Grading Rules for the purpose of achieving efficient data management and ensuring the integrity, confidentiality and availability of data. The Information and Security Officer, together with the InfoSec team, is responsible for the maintenance, amendment, and the interpretation of the Data Classification and Grading Rules and the review and identification of classification and grading of data. The head of each department is responsible for the management of data classification and grading within the department. The InfoSec team will annually review the implementation of data classification and grading among the different departments.

The PRC operating entities have also adopted the Cybersecurity Incident Response Policies and Rules (the “Cybersecurity Policies and Rules”), which regulates the discovery, reporting, response, recovery and prevention of cybersecurity incidents. The Cybersecurity Policies and Rules provides the guidance and procedures for various information security/data breach scenarios, including but not limited to, incident discovery and initial response, internal reporting, emergency response team establishment, event classification and priority determination, investigation and implementation of containment measures, repair and recovery, incident reporting and post-incident analysis and improvement, and regular internal training. The Cybersecurity Policies and Rules applies to cybersecurity incidents that occur among all the departments, employees and third-party service providers of Zhongchao Shanghai that use the company’s network, systems and data.

The Information and Security Officer is primarily responsible for building strategies of the IT infrastructures (including security matters), software and hardware management, security training and security monitoring of online operations, including those described in “Risk Management and Strategy” above. The Information and Security Officer has over 10 years of working experience in risk management, information technology and cybersecurity with a bachelor’s degree in Computer Science and Technology.

Cybersecurity Risk Management Processes Integrated [Text Block] The PRC operating entities have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats and have integrated these processes into their overall risk management systems and processes.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We believe that these risks did not have a material impact to the results of operations or financial condition of the Company or the PRC operating entities.
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our Chief Executive Officer and Chief Financial Officer will annually present to the Audit Committee and the Board of Directors about the Company’s and the PRC operating entities’ cybersecurity related risk assessments and management, including but not limited to, relevant internal rules and policies, assessment of potential cybersecurity threats or risks, improvements and prevention measures. In the event that the management discovers that a material cybersecurity incident occurs, the Chief Executive Officer and/or the Chief Financial Officer will timely report such incident to the Audit Committee and the Board of Directors, with respect to material aspects, including but not limited to, the nature, scope, timing, the remedial measures and risk mitigation processes taken by the Company and the PRC operating entities, material impact to the Company and the PRC operating entities, and any prevention measures or improvements to be implemented. Our Audit Committee is responsible for discussing guidelines and policies governing the process in connection with the assessment and management of the Company’s exposure to risks. Our Board of Directors shall (i) maintain oversight of the disclosure related to cybersecurity matters in current reports or periodic reports of our company, (ii) review updates to the status of any material cybersecurity incidents or material risks from cybersecurity threats to our Company and the PRC operating entities, and the relevant disclosure issues, if any, presented by our Chief Executive Officer, Chief Financial Officer, and (iii) review disclosure concerning cybersecurity matters in our annual report on Form 20-F presented by our Chief Executive Officer and Chief Financial Officer.

The PRC operating entities have adopted the Data Classification and Grading Rules for the purpose of achieving efficient data management and ensuring the integrity, confidentiality and availability of data. The Information and Security Officer, together with the InfoSec team, is responsible for the maintenance, amendment, and the interpretation of the Data Classification and Grading Rules and the review and identification of classification and grading of data. The head of each department is responsible for the management of data classification and grading within the department. The InfoSec team will annually review the implementation of data classification and grading among the different departments.

The PRC operating entities have also adopted the Cybersecurity Incident Response Policies and Rules (the “Cybersecurity Policies and Rules”), which regulates the discovery, reporting, response, recovery and prevention of cybersecurity incidents. The Cybersecurity Policies and Rules provides the guidance and procedures for various information security/data breach scenarios, including but not limited to, incident discovery and initial response, internal reporting, emergency response team establishment, event classification and priority determination, investigation and implementation of containment measures, repair and recovery, incident reporting and post-incident analysis and improvement, and regular internal training. The Cybersecurity Policies and Rules applies to cybersecurity incidents that occur among all the departments, employees and third-party service providers of Zhongchao Shanghai that use the company’s network, systems and data.

The Information and Security Officer is primarily responsible for building strategies of the IT infrastructures (including security matters), software and hardware management, security training and security monitoring of online operations, including those described in “Risk Management and Strategy” above. The Information and Security Officer has over 10 years of working experience in risk management, information technology and cybersecurity with a bachelor’s degree in Computer Science and Technology.

Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Audit Committee is responsible for discussing guidelines and policies governing the process in connection with the assessment and management of the Company’s exposure to risks. Our Board of Directors shall (i) maintain oversight of the disclosure related to cybersecurity matters in current reports or periodic reports of our company, (ii) review updates to the status of any material cybersecurity incidents or material risks from cybersecurity threats to our Company and the PRC operating entities, and the relevant disclosure issues, if any, presented by our Chief Executive Officer, Chief Financial Officer, and (iii) review disclosure concerning cybersecurity matters in our annual report on Form 20-F presented by our Chief Executive Officer and Chief Financial Officer.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors shall (i) maintain oversight of the disclosure related to cybersecurity matters in current reports or periodic reports of our company