Cybersecurity
Cybersecurity at a Glance
MEGA manages cybersecurity through governance oversight, standards-aligned procedures, technology controls, employee awareness, security testing and recovery planning. These elements help protect stakeholder information, strengthen business continuity and support responsible digital operations across the Company.
- Governance reporting
- Cybersecurity leadership
- Standard alignment
- Cyber awareness training
- Core controls
- Detection and response
- Security monitoring
- Security testing
- Target architecture
Challenges and Opportunities
Cyber threats are becoming more sophisticated as business systems, third-party connections, cloud platforms and digital health solutions become more connected.
For MEGA, a cyber incident can affect more than technology. It can disrupt business continuity, expose personal or business data, affect stakeholder confidence and create regulatory or reputational impact.
The opportunity is to build cybersecurity into the way MEGA grows. Stronger access controls, employee awareness, security monitoring, stress testing, backup systems and disaster recovery planning help MEGA protect information while supporting digital operations, customer engagement and future innovation.
| Challenge | Opportunity |
| --- | --- |
| Cyber threats are becoming more sophisticated. | Strengthen multi-layered controls, detection and response, endpoint protection and security monitoring. |
| Business data, product data and personal data must be protected. | Apply data protection controls, restricted data use, vendor safeguards and cyber security measures. |
| Digital systems and third-party connections can increase exposure. | Use cloud security obligations, access control, vendor restrictions and infrastructure audits. |
| Employees can be exposed to phishing, email threats and unsafe digital behavior. | Continue cyber awareness training, email security and responsible use of information systems. |
| Business disruption may arise from cyber incidents or system failure. | Maintain immutable backups, disaster recovery plans, stress testing and resilience planning. |
| Stakeholders expect clearer governance of cyber risk. | Report cyber preparedness to the Board of Directors and Sustainability, Risk Management and Corporate Governance Committee. |

Why Cybersecurity Matters to MEGA
MEGA’s business depends on trust, continuity and responsible use of information. We handle information across many stakeholder groups, including employees, suppliers, government entities, distributors, shareholders, customers and business partners. When this information is protected, MEGA is better able to operate with integrity and maintain confidence in the way we conduct business.
Cybersecurity also supports MEGA’s digital direction. Digital health applications, cloud-based systems, business platforms and third-party service providers create new opportunities, but they also require stronger controls over data, access, systems and recovery.
Our Cybersecurity Approach
MEGA manages cybersecurity through a combination of governance, technology controls, employee awareness and resilience planning. Cyber preparedness is reported to the Board of Directors and the Sustainability, Risk Management and Corporate Governance Committee, while the Information Technology and Cyber Security teams are headed by the Chief Information Officer.
The Company has in place, or is in the process of putting in place, important cybersecurity elements. These include Standard Operating Procedures aligned with ISO 27001, Multi-Factor Authentication, Managed Detection and Response, immutable offline data backup systems, cloud-based solutions with shared security obligations, email security, employee training and awareness, a Security Operation Center, internal and external security audits, stress testing and disaster recovery plans.
MEGA also aims to build a Zero Trust Network Architecture with data protection controls. This direction supports a stronger cybersecurity environment as the Company continues to manage business data, personal data, digital systems and stakeholder information.
Cybersecurity Governance and Accountability
Cybersecurity governance at MEGA connects technology responsibility with Board-level oversight. Cyber preparedness is reported to the Board of Directors and the Sustainability, Risk Management and Corporate Governance Committee. The Information Technology and Cyber Security teams are headed by the Chief Information Officer, who supports coordination of infrastructure investment, security controls, cyber monitoring, employee awareness and recovery planning.
Roles and Responsibilities of the Head of Cybersecurity
- Develop and execute the Information Security strategy aligned with business goals.
- Establish and enforce ISO 27001-aligned security policies, standards, and best practices.
- Manage security risks, compliance, and security architecture across regions and business units.
- Oversee security operations, incident response, and cyber resilience to protect critical assets.
- Promote security awareness and foster a strong security culture across the organization.
Standards Alignment and Security Procedures
MEGA’s cybersecurity approach is supported by Standard Operating Procedures aligned with ISO 27001. This helps organize information security expectations, controls and procedures in a disciplined manner.
MEGA should communicate this point carefully. The Company discloses SOPs aligned with ISO 27001, while certification may be procured at management’s discretion. Therefore, the website should not state that MEGA is ISO 27001 certified unless certification has been obtained and publicly confirmed.

Multi-Layered Cybersecurity Measures
MEGA protects its systems through multiple cybersecurity controls covering access management, email and endpoint security, monitoring, backup and recovery, security testing and continuous improvement. These controls help reduce exposure, detect threats, protect business and personal data, and support system resilience.
Multi-Layered Cybersecurity Controls
| Layer | Focus | Controls |
| --- | --- | --- |
| Layer 1 | Identity and Access | Multi-Factor Authentication / access controls |
| Layer 2 | Email and Endpoint Security | Email security, endpoint response and virus protection |
| Layer 3 | Network and System Monitoring | Security Operation Center, firewall monitoring and Active Directory monitoring |
| Layer 4 | Backup and Recovery | Immutable offline data backup systems and disaster recovery plans |
| Layer 5 | Testing and Continuous Improvement | Internal and external security audits, stress testing and review of security controls |
Data Protection and Stakeholder Information
Cybersecurity at MEGA is closely connected to data protection. The Company handles data relating to employees, customers, products, suppliers, government entities, distributors and shareholders. Personal data and business data must be protected from unauthorized access, misuse, leakage, theft or loss.
MEGA has a Data Privacy Policy and framework, a policy for restricted use of data in the Company’s possession, and restrictions in agreements with vendors to safeguard MEGA’s proprietary data. Stress testing and infrastructure audits by third parties also support the protection of information systems.
Cyber Preparedness, Security Audits and Stress Testing
Cyber preparedness must be tested, not only designed. MEGA has disclosed internal and external security audits and stress testing as part of its cybersecurity management. The Company also uses stress testing and infrastructure audits by third parties to help assess preparedness and strengthen controls before a serious incident occurs.
Where the current website refers to Vulnerability Assessment and Penetration Testing for the Consolidation App, this may be used as an example of vulnerability assessment and penetration testing disclosed on the existing website. The upgraded page should not expand this into a company-wide vulnerability assessment and penetration testing claim unless MEGA confirms the full scope internally.

Monitoring, Detection and Response
MEGA’s cybersecurity approach includes Managed Detection and Response, multi-point defense, endpoint response systems and a Security Operation Center covering firewall monitoring and Active Directory monitoring. These capabilities help MEGA identify suspicious activity, protect systems and support timely response when threats are detected.

Backup, Disaster Recovery and Business Continuity
Cybersecurity is part of business continuity. MEGA has immutable offline data backup systems and disaster recovery plans, and locations are directed to prepare disaster recovery and crisis plans for natural disasters, political events or pandemic situations.
Immutable offline backups help protect data recovery capability in the event of ransomware or other disruptive cyber events. Disaster recovery planning also helps MEGA restore operations when unexpected events affect systems, infrastructure or business continuity.
Disclosed Target / Management Focus
MEGA continues to strengthen cybersecurity as part of its governance, risk management and business continuity practices. Our focus is to protect stakeholder information, improve cyber preparedness, strengthen security controls, and ensure that digital systems remain reliable as the business continues to grow.
- Continue reporting cyber preparedness to the Board of Directors and Sustainability, Risk Management and Corporate Governance Committee.
- Continue cybersecurity management under the Information Technology and Cyber Security teams headed by the Chief Information Officer.
- Continue maintaining Standard Operating Procedures aligned with ISO 27001 and consider certification at management’s discretion.
- Continue strengthening identity and access controls, including Multi-Factor Authentication and related security measures.
- Continue strengthening Managed Detection and Response, multi-point defense, endpoint response and Security Operation Center monitoring.
- Continue applying Data Privacy Policy, restricted data use, vendor safeguards and data protection controls.
- Continue internal and external security audits, stress testing and infrastructure audits by third parties.
- Continue maintaining immutable offline data backup systems and disaster recovery plans.
- Continue cyber awareness training and responsible use of information systems.
- Continue progressing toward Zero Trust Network Architecture with data protection controls.
- Continue linking cyber preparedness with disaster recovery, crisis plans and business continuity management.