ICHOR HOLDINGS, LTD. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

ICHOR HOLDINGS, LTD. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 09:21:23 EST.

Filings

10-K filed on 2024-02-23

ICHOR HOLDINGS, LTD. filed a 10-K at 2024-02-23 09:21:23 EST
Accession Number: 0001628280-24-006527


Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity program is designed from a risk- and compliance-based approach to achieve systemwide resilience and protection across our operations. We regularly assess risks from cybersecurity threats and monitor our information systems for potential vulnerabilities. We utilize the National Institute of Standards and Technology Cybersecurity Framework to deliver clear and proactive processes, multi-layered defenses, and relevant technologies that are designed to control, audit, monitor, and protect access to sensitive information. Our cybersecurity program includes physical, administrative, and technical safeguards, and we maintain plans and procedures the objective of which is to help us prevent, detect and timely and effectively respond to, and as necessary, recover from, cybersecurity incidents.

Through our cybersecurity risk management program, we have established operational processes to address issues including monitoring and patching of vulnerabilities, regularly updating our information systems, and evaluating new countermeasures made to defend against an evolving landscape of threats. This process is overseen by the Audit Committee of our Board.

In addition, we periodically engage third-party consultants and providers to assist us in assessing, testing, enhancing and monitoring our cybersecurity risk management programs and responding to any incidents. These third parties work in conjunction with our information security team in an effort to continuously improve our cyber risk posture. Examples of third-party actions include the engagement of a security operations center for real-time monitoring and response to incidents, independent audits, risk assessments and security certifications.

We believe cybersecurity awareness is important in helping prevent cyber threats. To that end, we provide annual cybersecurity awareness training and regular phishing awareness exercises to our tech-enabled employees. We monitor and assess the success rate of employees reporting phishing scams, and the results inform the development of our security trainings, systems and programs. Additionally, role-based security training is provided to employees in certain higher-risk positions (including those who handle sensitive information, technology or funds), which is tailored to the heightened cybersecurity risks they face.

We have experienced, and may in the future experience, whether directly or through our service providers or other channels, cybersecurity incidents. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business, operations and reputation. Although our processes are designed to help prevent, detect, respond to and mitigate the impact of such incidents, there is no guarantee that they will be sufficient to prevent or mitigate the risk of a cyberattack or the potentially serious reputational, operational, legal or financial impacts that may result. Refer to Item 1A. Risk Factors in this annual report on Form 10-K, including, "We may be subject to interruptions or failures in our information technology systems," for additional discussion on our cybersecurity related risks.

Cybersecurity Governance

Cybersecurity is an important part of our risk management and strategy activities and an area of focus for our Board and management. Our Audit Committee is responsible for reviewing and monitoring our cybersecurity and information security policies and our internal controls regarding cybersecurity and information security. Our Audit Committee receives regular reports from members of our senior management and other personnel that include assessments and potential mitigation of the risks and exposures to cybersecurity incidents.

Our cybersecurity risk management and strategy activities are overseen by executive management, made up of the IT Steering Committee and Chief Information Officer. Our Chief Information Officer has over 25 years of experience in information technology and security as well as extensive experience working in and leading our information systems and technology function. The IT Steering Committee and Chief Information Officer receive regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation through the management of, and participation in, the cybersecurity risk management and strategy activities described above, and report to the Audit Committee on any appropriate items.


Company Information

Name: ICHOR HOLDINGS, LTD.
CIK: 0001652535
SIC Description: Semiconductors & Related Devices
Ticker: ICHR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 26