|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Risk Management and Strategy
We have implemented comprehensive cybersecurity risk assessment procedures that are integrated into our overall enterprise risk management system. These procedures aim to identify, assess and manage potential and existing cybersecurity threats. We have implemented a robust three-tier information security management structure, consisting of a data security committee, a data security management team, and a data security execution team, to ensure the Company’s information security and manage cybersecurity risks. Below are our schemes and measures to effectively protect information security of the Company and users and manage risks from potential and existing cybersecurity threats:
• Information protection process. We have employed both user-end and enterprise-end protection measures to ensure strict management of data of users and employees. To protect consumers’ right to know, we formulated user privacy protection policies on our Weixin mini-program and third-party shopping platforms, clarifying relevant provisions on personal information acquisition for personalized advertising and information sharing. At enterprise end, we set up information extraction procedures with multiple approvals required for employees’ and customers’ information and perform necessary desensitization on the exported data according to management level to reduce the risk of data leakage. Since 2023, we have implemented “Threat Detection Platform” to protect all end users from computer virus, ransomware and phishing email attack.
• Emergency response mechanism. We have established a reactive and scientific information security emergency response mechanism to standardize our data processing activities. The emergency response mechanism consists of five steps, including verifying and confirming the content of the incidents, taking measures to prevent further damage and tackle vulnerabilities, post-event evaluating and recording, notifying relevant parties and reviewing and proposing reinforcement plans.
• Internal and external security assessment. We have utilized both internal security assessment and external security certification to maintain the effectiveness and compliance of the information systems. Internally, the data security execution team conducts annual data security assessments. These assessments include evaluations of key aspects such as the collection, storage, usage, and transmission of personal information within our systems. Externally, we engage security consulting agencies to conduct regular inspections and assessments of our information systems and network, which constitutes the basis of our ongoing efforts to track and enhance the information security. We have obtained the Grade III Protection of Information Security certification for our core system, including Order Management System and Weixin shopping platforms, since 2022.
• Information security education. We hold on-boarding security awareness training and assessments for all employees, and regularly organize targeted training sessions on data compliance to effectively enhance the information security management capabilities. These training sessions are aimed to ensure that our employees have full access to the basic knowledge and principles of information security, establish a sound responding mechanism for external security attacks and violations and safeguard the confidentiality of information and data of the company, employees and users, making sure information and data can only be obtained and used when necessary.
As of the date of this annual report, we have not experienced any material cybersecurity incidents or identified any material cybersecurity threats that have affected or are reasonably likely to materially affect us, our business strategy, results of operations or financial condition.
Governance
Our board of directors is responsible for maintaining oversight of the disclosure related to cybersecurity matters in the period reports of the Company. Our chief executive officer, chief financial officer and cybersecurity officer are responsible for discussing any material cybersecurity incidents or threats with specific constituencies before sign-off, ensuring thorough review of information and disclosure. The constituencies involve (i) our disclosure committee, comprising the principal accounting officer or the head of financial reporting, the head of the legal department, the principal investor relations officer, the cybersecurity officer and appropriate business unit heads of the Company, (ii) the board of directors and (iii) other members of senior management and external legal counsel, to the extent appropriate. Our chief executive officer, chief financial officer and cybersecurity officer are also responsible for (i) assessing, identifying and managing material risks from cybersecurity threats to the Company, (ii) monitoring the prevention, detection, mitigation and remediation of material cybersecurity incident (if any) and (iii) maintaining oversight of the disclosure in Form 6-K for material cybersecurity incidents (if any). Our chief executive officer, chief financial officer and cybersecurity officer meet with our board of directors (i) in connection with each quarterly earnings release, update the status of any material cybersecurity incidents or material risks from cybersecurity threats to the Company, if any, and the relevant disclosure issues and (ii) in connection with each annual report, present the disclosure concerning cybersecurity matters in Form 20-F, along with a report highlighting particular disclosure issues, if any, and hold a Q&A session. Our cybersecurity officer is the principal officer in charge of cybersecurity matters of the Company and has over 10 years of experience in the field of software architecture design and development, operations and security in relation to information technology system. His extensive experience will be instrumental in overseeing our cybersecurity risk management program and evaluating related risks to our business.
In addition, on the execution level, our data security committee oversees and manages cybersecurity related matters through formulating data security management strategies and implementing and improving data security management system. Our data security management team is responsible for supervising and managing the implementation of data compliance. Under the oversight of the data security committee and data security management team, our data security execution team is responsible for data asset management, data supply chain security, and metadata management, and our legal, internal control and other departments assist in the formulation of data classification standards and promote standardized data management.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have implemented comprehensive cybersecurity risk assessment procedures that are integrated into our overall enterprise risk management system. These procedures aim to identify, assess and manage potential and existing cybersecurity threats. We have implemented a robust three-tier information security management structure, consisting of a data security committee, a data security management team, and a data security execution team, to ensure the Company’s information security and manage cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The constituencies involve (i) our disclosure committee, comprising the principal accounting officer or the head of financial reporting, the head of the legal department, the principal investor relations officer, the cybersecurity officer and appropriate business unit heads of the Company, (ii) the board of directors and (iii) other members of senior management and external legal counsel, to the extent appropriate. Our chief executive officer, chief financial officer and cybersecurity officer are also responsible for (i) assessing, identifying and managing material risks from cybersecurity threats to the Company, (ii) monitoring the prevention, detection, mitigation and remediation of material cybersecurity incident (if any) and (iii) maintaining oversight of the disclosure in Form 6-K for material cybersecurity incidents (if any). Our chief executive officer, chief financial officer and cybersecurity officer meet with our board of directors (i) in connection with each quarterly earnings release, update the status of any material cybersecurity incidents or material risks from cybersecurity threats to the Company, if any, and the relevant disclosure issues and (ii) in connection with each annual report, present the disclosure concerning cybersecurity matters in Form 20-F, along with a report highlighting particular disclosure issues, if any, and hold a Q&A session. Our cybersecurity officer is the principal officer in charge of cybersecurity matters of the Company and has over 10 years of experience in the field of software architecture design and development, operations and security in relation to information technology system. His extensive experience will be instrumental in overseeing our cybersecurity risk management program and evaluating related risks to our business.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors is responsible for maintaining oversight of the disclosure related to cybersecurity matters in the period reports of the Company. Our chief executive officer, chief financial officer and cybersecurity officer are responsible for discussing any material cybersecurity incidents or threats with specific constituencies before sign-off, ensuring thorough review of information and disclosure.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors is responsible for maintaining oversight of the disclosure related to cybersecurity matters in the period reports of the Company.
|Cybersecurity Risk Role of Management [Text Block]
|
Governance
Our board of directors is responsible for maintaining oversight of the disclosure related to cybersecurity matters in the period reports of the Company. Our chief executive officer, chief financial officer and cybersecurity officer are responsible for discussing any material cybersecurity incidents or threats with specific constituencies before sign-off, ensuring thorough review of information and disclosure. The constituencies involve (i) our disclosure committee, comprising the principal accounting officer or the head of financial reporting, the head of the legal department, the principal investor relations officer, the cybersecurity officer and appropriate business unit heads of the Company, (ii) the board of directors and (iii) other members of senior management and external legal counsel, to the extent appropriate. Our chief executive officer, chief financial officer and cybersecurity officer are also responsible for (i) assessing, identifying and managing material risks from cybersecurity threats to the Company, (ii) monitoring the prevention, detection, mitigation and remediation of material cybersecurity incident (if any) and (iii) maintaining oversight of the disclosure in Form 6-K for material cybersecurity incidents (if any). Our chief executive officer, chief financial officer and cybersecurity officer meet with our board of directors (i) in connection with each quarterly earnings release, update the status of any material cybersecurity incidents or material risks from cybersecurity threats to the Company, if any, and the relevant disclosure issues and (ii) in connection with each annual report, present the disclosure concerning cybersecurity matters in Form 20-F, along with a report highlighting particular disclosure issues, if any, and hold a Q&A session. Our cybersecurity officer is the principal officer in charge of cybersecurity matters of the Company and has over 10 years of experience in the field of software architecture design and development, operations and security in relation to information technology system. His extensive experience will be instrumental in overseeing our cybersecurity risk management program and evaluating related risks to our business.
In addition, on the execution level, our data security committee oversees and manages cybersecurity related matters through formulating data security management strategies and implementing and improving data security management system. Our data security management team is responsible for supervising and managing the implementation of data compliance. Under the oversight of the data security committee and data security management team, our data security execution team is responsible for data asset management, data supply chain security, and metadata management, and our legal, internal control and other departments assist in the formulation of data classification standards and promote standardized data management.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our chief executive officer, chief financial officer and cybersecurity officer are also responsible for (i) assessing, identifying and managing material risks from cybersecurity threats to the Company, (ii) monitoring the prevention, detection, mitigation and remediation of material cybersecurity incident (if any) and (iii) maintaining oversight of the disclosure in Form 6-K for material cybersecurity incidents (if any).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity officer is the principal officer in charge of cybersecurity matters of the Company and has over 10 years of experience in the field of software architecture design and development, operations and security in relation to information technology system. His extensive experience will be instrumental in overseeing our cybersecurity risk management program and evaluating related risks to our business.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
In addition, on the execution level, our data security committee oversees and manages cybersecurity related matters through formulating data security management strategies and implementing and improving data security management system. Our data security management team is responsible for supervising and managing the implementation of data compliance. Under the oversight of the data security committee and data security management team, our data security execution team is responsible for data asset management, data supply chain security, and metadata management, and our legal, internal control and other departments assist in the formulation of data classification standards and promote standardized data management.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true