NXP Semiconductors N.V. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

NXP Semiconductors N.V. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 06:07:33 EST.

Filings

10-K filed on 2024-02-22

NXP Semiconductors N.V. filed an 10-K at 2024-02-22 06:07:33 EST
Accession Number: 0001413447-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity NXP, similar to other semiconductor companies, operates in a complex and rapidly changing environment that involves many risks, including information and cybersecurity risks. As a leading technology company, we are committed to helping strengthen internet security and to implementing measures designed to protect our company against illicit activities, including cyberattacks and malware. Our management is directly responsible for executing the Company s risk management processes. Our Board is responsible for overseeing these risk management processes. In exercising its oversight, the Board and, as appropriate, the relevant Board committees, assesses the material risks facing the Company and evaluate management s plans for managing material risk exposures. The Company conducts a formal annual risk assessment to identify, analyze and report on enterprise risks. The results of this risk assessment are reported to and discussed with the Board. Our Board performs this oversight function through periodic reports from management and Board committees. While our Board generally has ultimate oversight responsibility of the Company s risk management processes, it has delegated to its committees the responsibility to oversee risk management processes associated with their respective areas of responsibility and expertise. The Audit Committee has oversight responsibility for reviewing the effectiveness of NXP s governance and management of IT risks, including those relating to business continuity, cybersecurity, malware, regulatory compliance and data management. NXP senior leadership regularly briefs the Audit Committee on cybersecurity matters and briefs the full Board on these issues at least annually or as needed. NXP s program for Information Technology (IT) Risk Management is a component of NXP s overall process for Enterprise Risk Management ( ERM ). The objectives of ERM are to: Identify our key risks in a timely manner, based upon quantitative and qualitative factors. Mitigate risk and keep risk impact at acceptable levels, particularly those risks that could result in a strategic impact event. Ensure there is an effective risk-management framework in place which covers our key risks and is supported by risk-monitoring mechanisms. Prioritize and align risk-management efforts, to use resources effectively. Ensure risk-management governance, including quarterly monitoring, reporting and evaluation. Key ERM activities include: Assessment (identification and evaluation of risks) Response (building capabilities, mitigation) Management Assurance (effective management methods, clear accountabilities) 30 Monitoring (audit, inquire, verify) Communication (internally and externally) Periodically evaluate effectiveness method NXP s Chief Information Security Officer is primarily responsible for managing the cybersecurity risks identified in the ERM process. This includes performing risk assessments, prioritizing the most likely and impactful risk elements, and recommending appropriate measures to mitigate the risk. NXP s cybersecurity initiatives focus on strengthening our Core IT infrastructure and services against external threats, securing our manufacturing operations from compromise, limiting damage through processes and controls, and protecting our intellectual property. On a day-to-day basis, NXP identifies vulnerabilities, breach attempts, and possible criminal activity by external threat actors. Additionally, NXP has a supplier security framework that helps with monitoring and accessing the security of suppliers and third-party service providers. As part of the framework, we conduct due diligence which covers topics such as data protection, confidentiality, security, business continuity and incident management. These activities are covered by our process for cybersecurity risk management under our ERM. NXP uses a multi-layer approach to identify and mitigate information security risks. On a tactical level, NXP maintains a 24x7 Security Operating Center (SOC) that actively monitors for and identifies cyber security threats and initiates appropriate mitigation processes. The SOC reports to the Computer Security Incident Response Team (CSIRT). When needed, a task force containing Security, IT, Communications, Legal and Business representatives is established. This task force leads mitigation activities where the potential threat or risk is elevated. In addition to SOC, the NXP IT Service Desk and NXP employees are trained to identify Cyber Security issues and to escalate them to correct owners. Furthermore, NXP has an Identify and Access Management System integrated with HR systems which helps manage employee life cycle processes, including both onboarding and offboarding NXP workers. These systems are audited by internal and external audit teams. On a strategic level, NXP s information technology risk management program is a component of the ERM process described above. NXP is certified and externally audited to ISO 27001 with certain additional certifications such as Common Criteria 6+, PCI DSS and GSMA Security for focused functions, and we maintain information security risk insurance coverage. We have multiple cybersecurity training initiatives as part of our information security training and compliance program. We regularly deploy simulated attacks and related trainings. We deliver a Cyber Security orientation to new employees and maintain a library of cyber security learning sessions available to our employees. To date, we have experienced no cybersecurity incidents that have materially affected NXP, including our business strategy, results of operations or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect NXP. For additional information on certain risks associated with cybersecurity, refer to the risk factors set forth under the caption Risks related to cybersecurity and IT systems in Part I, Item 1A. Risk Factors.

Company Information