GARMIN LTD 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

GARMIN LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 07:00:41 EST.

Filings

10-K filed on 2024-02-21

GARMIN LTD filed an 10-K at 2024-02-21 07:00:41 EST
Accession Number: 0000950170-24-017559

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Garmin has a cybersecurity risk management program, generally aligned with the tenets and methodologies of industry standards and best practices such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, designed to protect the confidentiality, integrity, and availability of the Company s information systems through assessing, identifying, and managing material risks from cybersecurity threats. The management of our information system platforms and the related cybersecurity is tightly integrated with Garmin’s product development and technology management teams. Cybersecurity risks are identified, reported, and managed by the Company s in-house cybersecurity experts as well as third-party providers of penetration test reporting, cyber-threat intelligence, and incident forensics services. Material Risk Identification The Company identifies risks from cybersecurity threats through a variety of methods including, but not limited to, internal and external assessments, security incidents, evaluations of changes to the business environment, systems, or technology, and reporting by associates, vendors, customers, and security researchers. These processes occur during the procurement, development, integration, modification, operation, and maintenance of the Company s information systems and the integration with or introduction, purchase, acquisition, or renewal of any third-party information systems and services. Notable changes to the Company s operating environment are scrutinized to ensure the confidentiality, integrity, and availability of the Company’s information systems. 25 Material Risk Assessment The Company evaluates material risks from cybersecurity threats in terms of the potential impact on technology, information, data, and business operations, taking into account applicable laws and regulations, and with a focus on protecting the confidentiality, integrity, and availability of information, data and systems. Associated risk assessments are performed by the Company s risk analysts, subject matter experts, and information technology associates to identify, analyze, and quantify the risks and relevant objectives, and to determine the appropriate management action and priorities for managing the risks and implementing mitigating controls. Additional assessments to evaluate residual risk are performed when there are changes to controls that have the potential to create a material risk. Risk assessments also include appropriate considerations for regulatory and contractual requirements, and involve the Company s legal, data privacy, finance, and risk assurance functions as applicable. Material Risk Management The Company continually analyzes and responds to material risks from cybersecurity threats in order to manage them to acceptable levels. The results of related risk assessments are used to prioritize the risks based on their potential impact to the Company and to inform the necessary actions and the appropriate functions to be involved in responding to those risks. Garmin s cybersecurity risk management processes are integrated into the Company s overall risk management processes. Material risks from cybersecurity threats are communicated to the Company s management and Board of Directors and are evaluated and considered alongside operational, legal, and other risks faced by the Company in determining mitigating actions and the allocation of resources. Risks Related to Third-party Service Providers Garmin operates a third-party risk management program, which is aligned to NIST principles, to oversee and identify material risks from cybersecurity threats, undertake appropriate remediation, and establish and maintain compensating controls when appropriate. We conduct cybersecurity assessments of third-party service providers that will process personal, confidential, or proprietary information. Before proceeding with any such third-party service provider, we require them to remediate or mitigate any material findings from our cybersecurity assessment and to agree contractually to maintain acceptable cybersecurity practices throughout the duration of their service to Garmin and after for so long as they retain any personal, confidential, or proprietary information, and to promptly notify Garmin of any cybersecurity incidents that impact Garmin. Risks from Cybersecurity Threats While the Company has technology and processes in place designed to detect and respond to cybersecurity threats, we are continually at risk from the evolving cybersecurity threat landscape. Management does not believe our business strategy, results of operations, or financial condition have been materially affected by risks from cybersecurity threats, but we cannot provide assurance that they will not be materially affected in the future by such risks. For additional information about risks from cybersecurity threats, see Part I, Item 1A, Risk Factors of this Annual Report on Form 10-K. Governance Board of Directors Oversight Garmin s entire Board of Directors performs the risk oversight role, including with respect to risks from cybersecurity threats. Garmin s Chief Executive Officer is a member of the Board, and Garmin s Chief Financial Officer and its General Counsel regularly attend Board meetings, which helps facilitate discussions regarding risk between the Board and Garmin s senior management. In addition, on an annual basis Garmin s head of cybersecurity provides a comprehensive update of the Company s cybersecurity practices, risks and risk mitigation strategies to the Board of Directors. Each member of the Board of Directors actively participates in those discussions and has an opportunity to ask questions or provide direction. Garmin s Chief Executive Officer and head of cybersecurity also have discussions with members of the Board of Directors on an ad hoc basis as appropriate if and when a specific cybersecurity risk arises. 26 Management s Role Managing Risk and Monitoring Incidents Garmin’s head of cybersecurity, who has over 30 years of relevant cybersecurity experience, oversees the Company s cybersecurity risk management program and is responsible for assessing and managing the Company s material risks from cybersecurity threats. Garmin s head of cybersecurity regularly meets with the Company s senior management, including the Chief Executive Officer, to discuss the Company s cybersecurity practices, risks, risk mitigation strategies, and whether further investments in internal or external cybersecurity resources are warranted. If the cybersecurity team detects a potentially significant cybersecurity incident it is escalated promptly to the Company s head of cybersecurity, who then activates the Company s incident response plan and convenes the incident response team, which includes leaders of the Company s Legal, Finance, Operations, Communications, Risk Assurance, and other departments and executive leadership as appropriate. The Chief Executive Officer will inform the Company s Board of Directors of any material cybersecurity incidents. 27

Company Information