IPG PHOTONICS CORP 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

IPG PHOTONICS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:32:36 EST.

Filings

10-K filed on 2024-02-21

IPG PHOTONICS CORP filed a 10-K at 2024-02-21 16:32:36 EST
Accession Number: 0001111928-24-000019

Item 1C. Cybersecurity.

The Company understands the importance of preventing, assessing, identifying and managing material risks associated with cybersecurity threats.

Cyber Risk Management and Strategy

We have implemented a number of technical and organizational safeguards designed to manage our risks from cybersecurity threats and to protect against, detect and prepare to respond to cybersecurity incidents. These include employee training, incident response capability reviews and exercises, cybersecurity insurance and business continuity mechanisms. Additionally, we engage a third-party cybersecurity firm to assist with security features such as network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures.

Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to prepare, to respond and to recover from cybersecurity incidents. We have processes designed to triage, assess severity, investigate, escalate, contain and remediate an incident. We also have processes to comply with potentially applicable legal obligations and mitigate brand and reputational damage.

As part of the above processes, we engage with consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.

Our processes include assessing cybersecurity risks associated with our use of third-party service providers in the normal course of business, including those in our supply chain or who have access to our customer and employee data or our systems. Additionally, we assess cybersecurity considerations in the selection and oversight of our third-party service providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.

Governance Related to Cybersecurity Risks

The Company's Global Director, Information Security (Security Director) directs the Company's cybersecurity team. He reports to the Company's Global Director of Information Technologies (IT Director), who reports to the Chief Executive Officer of the Company. The Security Director is responsible for assessing and managing the Company's cyber risk management program, informing senior management, as appropriate, regarding the prevention, detection, mitigation and remediation of cybersecurity incidents and supervising such efforts generally by the cybersecurity team.

Our Security Director is a Certified Information Systems Security Professional (CISSP) and has over 20 years of experience in cybersecurity in a broad range of industries. Our IT Director has a master's degree in information systems and has prior experience managing global security efforts. Our Security Director manages a team of cybersecurity professionals with relevant experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance.

In addition, the Company's IT Steering Committee (ITSC) considers, among other IT matters, risks relating to cybersecurity and applicable mitigation plans to address such risks. The ITSC is comprised of certain members of the Company's senior management. The IT Director and Security Director attend each ITSC meeting. The ITSC generally meets quarterly during the year with the IT Director and Security Director to review risk mitigation activities as well as updated status of global security operations and metrics, including the prevention, detection, mitigation and remediation of cyber incidents.

The IT Director, Security Director and ITSC monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in the cybersecurity risk management and strategy processes, including the operation of the Company's incident response plan. The Company has an established process led by our Security Director governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident.

Our Board of Directors (the “Board”) is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on the Company's risks, risk management process and the risk trends related to cybersecurity at least annually, which includes a review of key performance indicators, recent threats and the Company's management of such threats. The Audit Committee specifically assists the Board in its oversight of risks related to cybersecurity. The Security Director and IT Director brief the Audit Committee on information security and cybersecurity annually and as necessary in response to certain incidents.

Although risks from cybersecurity incidents and threats have to date not materially impacted us, our business strategy, results of operations or financial condition, we have from time to time and will continue to experience threats to and security incidents related to our and our third party vendors' data and systems. For more information, please see Item 1A, Risk Factors.


Company Information

Name: IPG PHOTONICS CORP
CIK: 0001111928
SIC Description: Semiconductors & Related Devices
Ticker: IPGP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30