Item 16K. Cybersecurity

Risk Management and Strategy

The Company recognizes the importance of safeguarding the security of its information systems, networks, and other technology assets. The Company has established measures and processes for assessing, identifying, and managing material risks arising from cybersecurity threats, and these measures and processes operate within the framework of the Company’s overall risk management. These processes are continuously reviewed and improved in accordance with the Company’s business operations and evolving risk environment. The Company maintains internal cybersecurity capabilities, including a Computer Security Incident Response Team (CSIRT), a Security Operations Center (SOC), red team functions, and product security functions. These teams are responsible for incident response, continuous monitoring and alert management, proactive security testing, and product-related security, respectively. The Company conducts ongoing risk assessments through continuous vulnerability assessments and annual threat-led penetration testing (TLPT). In addition, the Company continuously utilizes threat intelligence and conducts post-incident reviews following significant incidents to strengthen its cybersecurity posture. Identified risks are prioritized, and where prioritization is not clear, decisions are escalated

to the Chief Information Security Officer (CISO). The Company monitors its systems using tools such as Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions. Initial analysis of alerts is partially automated, including through the use of AI-based processes, with further analysis conducted by internal teams. While the Company primarily manages its cybersecurity operations in-house, it engages third-party service providers for limited operational support, including certain 24/7/365 SOC monitoring activities. The Company does not materially rely on external assessors, consultants, or auditors for its core cybersecurity risk management processes, but may engage external specialists with relevant expertise as necessary. Risks associated with such third parties are appropriately managed through contractual controls, due diligence, and ongoing oversight. The Company maintains company-wide cybersecurity policies and provides ongoing security training to its employees.

As of the date of this report, the Company has not identified any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or financial condition. However, cybersecurity threats continue to evolve, and such threats may affect the Company in the future. For additional information regarding cybersecurity-related risks, see “Item 3.D. Risk Factors.”

Governance

The board of directors oversees the Company’s cybersecurity risks as part of its overall risk oversight responsibilities. The Company’s Audit and Supervisory Committee members and independent directors provide independent oversight and supervision of the Company’s risk management framework, including cybersecurity-related risks. The Company reports cybersecurity matters to the board of directors through its Risk and Compliance Committee, which is responsible for reviewing and reporting on risk-related matters. Written reports are provided on a monthly basis, and oral briefings are conducted on a quarterly basis. Management is responsible for assessing and managing the Company’s cybersecurity risks. The Company has designated a Chief Information Security Officer (CISO), who has ultimate responsibility for cybersecurity-related decision-making. In the event of a material cybersecurity incident, the CISO is responsible for promptly notifying the board of directors. The CISO has relevant experience and expertise in cybersecurity, information security risk management, and incident response. In addition, the CISO has a background in system development and possesses deep knowledge of system architecture and development processes, and leads the development and operation of the Company’s cybersecurity framework. The CISO regularly reports cybersecurity risks, incidents, and response activities to the Risk and Compliance Committee, the Audit and Supervisory Committee, and the board of directors in accordance with the Company’s governance and reporting processes. Operational responsibility for cybersecurity activities, including prevention, detection, response, and remediation, is carried out by the Company’s internal security teams under the direction of the CISO. The Company also maintains a Risk and Compliance Committee, which meets on a monthly basis to review risk matters, including cybersecurity-related risks.