COHU INC 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

COHU INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:36:02 EST.

Filings

10-K filed on 2024-02-16

COHU INC filed a 10-K at 2024-02-16 16:36:02 EST
Accession Number: 0001437749-24-004596


Item 1C. Cybersecurity.

Item 1C entitled Cybersecurity for additional information about our cybersecurity processes, oversight, risk mitigation and governance. To the extent that any security breach results in inappropriate disclosure of our customers' or licensees' confidential information, we may incur liability as a result. In response to these risks, we expect to continue to devote additional resources to the security of our information technology systems. Any future attacks which may disrupt our IT systems, or those of our suppliers, could impact our sales, financial results and stock price.

We may fail to adequately protect our intellectual property and, therefore, lose our competitive advantage.

Our future success and competitive position depend in part upon our ability to obtain and maintain proprietary technology for our principal product families. If we fail to adequately protect our intellectual property, it will give our competitors a significant advantage. We own or have licensed a number of patents relating to our products, and have filed applications for additional patents. Any of our pending patent applications may be rejected, however, and we may be unable to develop additional proprietary technology that is patentable in the future. In addition, the patents that we do own or that have been issued or licensed to us may not provide us with competitive advantages and/or may be challenged by third parties. Third parties may also design around our patents or copy our patented inventions without our knowledge. In addition to patent protection, we rely upon copyrights for protection of our proprietary software and documentation, trademarks for protection of our brand and source of goods, and trade secret law and confidentiality and exclusivity agreements for protection of our confidential and proprietary information and technology. These measures do not guarantee protection of our intellectual property, however.

We can give no assurance that our copyrights will be upheld or will successfully deter infringement by third parties. Even though we routinely enter into confidentiality agreements with our employees and other third parties, there can be no assurances that trade secrets and proprietary information will not be disclosed, that others will not independently develop substantially equivalent proprietary information and techniques or otherwise gain access to our trade secrets, or that we can fully protect our trade secrets and proprietary information. Violations by others of our confidentiality agreements and the loss of employees who have specialized knowledge and expertise could harm our competitive position and cause our sales and operating results to decline as a result of increased competition. It is also possible that third parties will misappropriate our trade secrets or other confidential information. We may be subject to cybersecurity breaches in which a third party obtains our confidential information. Third parties may also reverse engineer our products to copy our technology. Any of these circumstances could result in harm to our competitive position in the market. Failure to protect our trademarks can lead to other companies selling products using confusingly similar names, thereby damaging our brand. In some countries, it can be difficult to register trademarks because of the strict examination process or blocking trademarks for other goods. Costly and time-consuming litigation might be necessary to enforce and determine the scope of our intellectual property rights, and failure to obtain or maintain trade secret protection might adversely affect our ability to continue our research or bring products to market. From time to time, we may find it necessary to initiate litigation against other persons or entities to protect and/or enforce our intellectual property or contractual rights.

However, litigation is costly and time-consuming and there is no assurance that any lawsuit we bring will yield the result that we seek, as (i) the lawsuit may be dismissed or there could be an adverse finding, (ii) we may not be able to pursue the lawsuit due to the laws of the applicable country or (iii) there may be a subsequent unfavorable change in law that limits our ability to pursue the lawsuit. For example, litigation discovery practice in China, Japan, South Korea, continental Europe and Taiwan is not as robust as in the United States, so it can be more difficult to determine if a company is infringing on our patents and more challenging to bring a lawsuit. Monitoring and preventing unauthorized use are also difficult and the measures we take to protect our intellectual property rights may not be adequate. Accordingly, infringement of our intellectual property rights poses a serious risk of doing business. There is a risk that we may be unable to adequately protect our intellectual property rights in certain foreign countries. For example, our competitors may independently develop similar technology or duplicate our products. If this occurs, it would be easier for our competitors to develop and sell competing products in these countries, resulting in a loss of sales.

We may not be able to adequately protect or defend ourselves against intellectual property infringement claims, which may be time-consuming and expensive, or affect the freedom to operate our business.

Our competitors or other third parties may hold or obtain patents, copyrights, trademarks or other proprietary rights that could prevent, limit or interfere with our ability to make, use, develop, sell or market our products and services, which could make it more difficult for us to operate our business. From time to time, the holders of such intellectual property rights may assert their rights and urge us to take licenses and/or may bring suits alleging infringement or misappropriation of such rights, which could result in substantial costs, negative publicity and management attention, regardless of merit. While we endeavor to obtain and protect the intellectual property rights that we expect will allow us to retain or advance our strategic initiatives in these circumstances, there can be no assurance that we will be able to adequately identify and protect the portions of intellectual property that are strategic to our business or mitigate the risk of potential suits or other legal demands by third parties. Accordingly, we may consider entering into licensing agreements with respect to such rights, although no assurance can be given that such licenses can be obtained on acceptable terms or that litigation will not occur, and such licenses and associated litigation could significantly increase our operating expenses. Further, if we are determined to have, or believe there is a high likelihood that we have, infringed upon a third party's intellectual property rights, we may be required to cease making, selling or incorporating certain components or intellectual property into the goods and services we offer, to pay substantial damages and/or license royalties, to redesign our products and services and/or to establish and maintain alternative branding for our products and services. In the event that we are required to take one or more such actions, our brand, business, financial condition and operating results may be harmed.

Data privacy, identity protection and information security compliance may require significant resources and presents certain risks.

We collect, store, have access to and otherwise process certain confidential or sensitive data, including proprietary business information, customer data, personal data or other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. We continue to monitor global privacy laws and legislation to determine their impact on our business. We do not process individual credit card information, but we do maintain certain personally identifiable information on our employees. Such employee information may be subject to the EU General Data Protection Regulation and/or the California Consumer Protection Act. We believe that we have implemented reasonable procedures and internal controls in compliance with these laws, but should such actions be insufficient, we may be subject to regulatory investigations, fines and legal costs. In addition, we operate in an environment in which there are different and potentially conflicting data privacy laws in effect in the various U.S. states and foreign jurisdictions in which we operate, and we must understand and comply with each law and standard in each of these jurisdictions while ensuring the data is secure. Government enforcement actions can be costly and interrupt the regular operation of our business, and violations of data privacy laws can result in fines, reputational damage and civil lawsuits, any of which may adversely affect our business, reputation and financial statements. We could face negative consequences in the future if we, our suppliers, channel partners, customers or other third parties experience the actual or perceived risk of theft, loss, fraudulent use or misuse of data. Such an event could lead customers to select the products and services of our competitors.

An incident could harm our reputation, cause unfavorable publicity or otherwise adversely affect certain potential customers' perception of the security and reliability of our services as well as our credibility and reputation, which could result in the loss of sales or curtailed growth. While we maintain general liability and cybersecurity insurance coverage, such coverage might not be adequate or otherwise protect us from liabilities or damages with respect to claims alleging compromises of customer data, such coverage might not continue to be available to us on acceptable terms or at all, and such coverage might not pay future claims. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have an adverse effect on our business.

We currently are, and in the future may be, subject to litigation or regulatory proceedings that could have an adverse effect on our business.

From time to time, we may be subject to litigation or other administrative, regulatory or governmental proceedings, including tax audits and resulting claims, that could require significant management time and resources and cause us to incur expenses and, in the event of an adverse decision, pay damages or incur costs in an amount that could have a material adverse effect on our financial position or results of operations.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our intellectual property and data. We maintain policies and procedures designed to allow management to assess, identify, and manage material risks from cybersecurity threats. We integrate our cybersecurity policies and procedures into our overall enterprise risk management program, which is implemented by management and overseen by the Board of Directors through its Audit Committee.

We utilize the Center for Internet Security ("CIS") Critical Security Controls as a framework for managing our cybersecurity program. The CIS framework outlines 18 critical control areas relating to organizational security and provides effective methodologies, guidelines, and industry standard best practices to develop and manage a comprehensive cybersecurity program. Additionally, we align our controls to various international security certifications and standards and have adopted best practices from industry leading frameworks. Our cybersecurity program includes policies and procedures relating to encryption, data loss prevention technology, authentication technology, access control, anti-malware software, third-party risk monitoring, insider risk management and identity management. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also regularly obtain system and organization control ("SOC") reports from our service providers ("SOC 2"). Members of our corporate information security organization receive information exchanges from their professional networks and attend training, webinars, and conferences to stay up to date on both trends and system-specific updates. In addition, all Cohu employees are required to complete regular security awareness training, including testing, each of which is designed to promote a company-wide culture of cybersecurity risk awareness and management.

As part of the Board of Directors' role in overseeing our enterprise risk management program, which includes our cybersecurity risk management, the Board is responsible for exercising oversight of management's identification and management of, and planning for, material cybersecurity risks that may reasonably be expected to have an adverse effect on us. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee conducts reviews of the effectiveness of our risk management strategies. This review helps in identifying areas for improvement and in aligning cybersecurity efforts with the overall risk management framework and promotion of our business objective and operational needs. In addition to our scheduled meetings, the Audit Committee maintains an ongoing dialogue with management, including on emerging or potential cybersecurity risks. Our corporate information security organization, led by our Chief Information Security Officer ("CISO"), is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Our CISO has over 35 years of experience in various roles in information technology and information security, including serving as SVP and CIO or VP and CIO at various defense, aerospace and semiconductor supplier companies. He holds a bachelor's degree in Computer Science, an MBA, and holds several relevant certifications, including ITIL Certification. The corporate information security organization manages and regularly enhances our enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur.

Central to this organization is our cybersecurity incident response team ("CIRT"), which is responsible for the protection, detection and response capabilities used in the defense of Cohu's data and enterprise computing networks. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, mitigation or eradication, recovery and notification, including notifying key functional areas, as well as the CEO, Chairperson and Chairperson of the Audit Committee and other members of the Board, as appropriate. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from security incidents were immaterial. As a result, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected us, our results of operations or financial condition. Notwithstanding the measures we take to assess, identify, and manage cybersecurity risks, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For a discussion of how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, may materially affect or are reasonably likely to materially affect us, see the risk factor entitled "Our business and operations could suffer in the event of cybersecurity breaches within our operational systems or products."


Company Information

Name: COHU INC
CIK: 0000021535
SIC Description: Instruments For Meas & Testing of Electricity & Elec Signals
Ticker: COHU - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 29