Risk Management and Strategy

We have implemented comprehensive cybersecurity management and security emergency response management policies that are integrated into our overall risk management system. These procedures aim to ensure our overall network security, protect our data transmission system and prevent data leakage and other cybersecurity incidents. We have a strong in-house cybersecurity management working group, led by our cybersecurity officer, that consists of the information security department, the IT foundational service department, and the system operation and maintenance department. Working together, these departments identify, assess, and manage cybersecurity risks on a daily basis. We have established a sound responding mechanism for external security attacks and violations and safeguarded the confidentiality of information and data of our company, employees and users. More specifically, we have established a strict data control system, taking a series of measures including data encryption, network firewall, network monitoring, and access control to ensure data security. In this way, we strive to ensure that information and data can only be obtained and used when necessary. We also regularly conduct inspections, cleaning, data backup of our databases, equipment, and network supporting facilities. In order to implement cybersecurity awareness to every grassroots position, we have provided training programs to ensure that our employees have full access to the basic knowledge and principles of information security and promulgated data governance policies, such as our Cybersecurity Management System, Data Classification and Grading Management System, and Personal Information Protection and Data Governance Basic Policy, to regulate the data and network usage within our company.

In addition, we have also launched a data security governance project. This initiative comprehensively clarifies user data and its protection measures, and further improves and strengthens the details and depth of data security protection. We have conducted a more meticulous review of the entire data lifecycle and formulated strict and operable standard processes around it. For data at different levels, we adopt differentiated security protection strategies to ensure that highly sensitive data receives the highest level of protection. At the same time, we strengthen cooperation and communication with external professional institutions, learn from advanced network security concepts and technologies, and continuously optimize our security system. We closely monitor industry trends and the latest security threats, and promptly adjust and update our security strategies and measures. Through these efforts, we will continuously consolidate and enhance the company’s network security level, and safeguard the data security of the company, employees, and users.

At the level of network security devices, we have implemented the Zero Trust system, which have:

(i) enhanced our security protection: by implementing the Zero Trust strategy, we have successfully extended security controls from the network perimeter to every access point and user, significantly boosting the overall security protection level of the system;

(ii) improved user experience: although the security controls are strengthened, by optimizing the authentication process and access policies, we have ensured a smooth experience for users when accessing our company’s resources;

(iii) reduced security risks: the implementation of the Zero Trust architecture has effectively minimized the risk of internal breaches and external attacks, as every access request is subject to authentication and authorization; and

(iv) enhanced compliance: through the adoption of the Zero Trust strategy, we have better met industry security standards and regulatory requirements, thereby enhanced the company’s compliance level.

To address cybersecurity emergencies, we have designed and implemented the Emergency Response Management Regulations. Under these regulations, we established a cybersecurity emergency management team, which consists of the emergency response leadership group, the emergency response cybersecurity assurance group, the emergency response technical process group and the emergency response information notification group. Under the guidance of the regulations, these groups maintain a cybersecurity risk detection system, operate a multi-layer data protection regime, conduct regular risk assessments of our network and business infrastructures and carry out regular cybersecurity drills. These measures help us promptly identify cybersecurity risks and incidents. Our Emergency Response Management Regulations also serve to standardize and strengthen our emergency response procedures. They form a step-by-step cybersecurity response plan, covering a wide range of topics, including incident notification, impact assessment, response initiation, department coordination, data restoration, case analysis and outcome disclosure. When a cybersecurity incident occurs, we evaluate the type and impact of the incident, report and notify working parties and affected individuals, and carry out appropriate plans that we prepare in advance.

Besides, we engage law firms and auditors to conduct thorough due diligence of data compliance and assessments of our information system annually. We also work closely with third-party service providers to ensure their compliance with our cybersecurity standards and to assess risks arising from our engagements with them. We strive to provide the highest standards of data protection and information security for our consumers and maintain and enhance the reliability, stability and scalability of our network infrastructure. In addition, we regularly conduct IT audits. Internally, we regularly conduct security audits of network configuration changes, sensitive authority accounts and operation log audits. Externally, we regularly accept IT audits, equal assurance inspections and ESG assessments from third-party audit teams to fully protect our information, network, and data security. To ensure the smooth and secure operations of our business during peak traffic, we intend to continue to conduct regular maintenance of our security system, closely monitor the development of information technology and security technologies used in the industry and make necessary upgrades to enhance our information technology systems.

As of the date of this annual report, we have not experienced any material cybersecurity incidents or identified any material cybersecurity threats that have affected or are reasonably likely to materially affect us, our business strategy, results of operations or financial condition.