Mobileye Global Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Mobileye Global Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 06:51:22 EST.

Filings

10-K filed on 2024-02-23

Mobileye Global Inc. filed a 10-K at 2024-02-23 06:51:22 EST
Accession Number: 0001104659-24-026792


Item 1C. Cybersecurity.

Cybersecurity Risk Management

Cybersecurity risk management is an integral part of our overall enterprise risk management program, which we have continued to invest in developing. Our corporate cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party vendors and service providers, and facilitating coordination across different business units of the Company.

Our corporate cybersecurity risk management program is based on and audited against industry standards, including ISO 27001 for Information Security Management Systems (ISMS) and the automotive industry's Trusted Information Security Assessment Exchange standard.

Our corporate cybersecurity team is responsible for operating our cybersecurity risk management program. The cybersecurity team determines with management an annual workplan for risk assessments, reviews, audits and tests. The cybersecurity team also conducts vulnerability assessments, security reviews and penetration tests on a regular basis in accordance with such workplan. Following risk assessments that require any remediation, the cybersecurity team then conducts a risk treatment and response process, including mitigation, remediation and risk reduction efforts. Our policies also require that Internet-accessible enterprise systems and applications must undergo a penetration test at least annually, and we engage specialized, independent third parties to conduct penetration tests and specific in-depth reviews of certain enterprise systems and applications.

With respect to overseeing and identifying cybersecurity risks associated with third parties, we seek to impose certain cybersecurity requirements on critical third parties with whom we do business. The cybersecurity team performs risk assessments, due diligence checks and validation of key security controls in accordance with our cybersecurity policies and standards for third-party vendors and service providers with whom we exchange information or integrate our information systems and networks. We include cybersecurity and privacy addenda and clauses in our agreements with such third parties where applicable and seek to pass through any necessary regulatory and contractual requirements to such third parties. When we do become aware that a third-party vendor or service provider has experienced a compromise or failure, we attempt to mitigate our risk, including by terminating such third party's connection to our information systems and networks where appropriate or by exercising any applicable contractual remedies we may have, such as a right to indemnification.

On a semi-annual basis the cybersecurity team conducts a program performance evaluation with management to assess the continuing suitability, adequacy and effectiveness of the Company's cybersecurity risk management program, including with respect to the fulfillment of cybersecurity objectives and compliance with industry standards, and to recommend changes to the Company's threat modeling, priorities for future risk assessments, policy adjustments in response to newly identified risks or non-compliance, and overall risk acceptance.

To foster a culture of cybersecurity awareness within the Company and provide employees with further knowledge of cybersecurity-conscious behavior, all employees of the Company are required to attend cybersecurity training sessions during the onboarding process and at least once per year.

Our organizational cybersecurity program is under the direction of our Chief Information Security Officer ("CISO") who receives reports from our cybersecurity team and oversees the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. Our CISO reports to our Chief Operating Officer ("COO"), who may discuss cybersecurity risks and other operational risks with other senior management as appropriate. Our CISO and dedicated cybersecurity team personnel are certified and experienced information systems security professionals and cybersecurity managers with many years of experience. Our CISO has served in that position since 2019 and has over 25 years of managerial and professional cybersecurity expertise. He has held the role of CISO and other senior management positions with NDS Services, Cisco Systems, Inc. and Deloitte and has also served as cybersecurity consultant for companies in multiple global industries. Our COO has extensive experience in project management and cybersecurity, including from past roles with Verint Systems Inc. and Cisco Systems, Inc. as well as the establishment and management of the Company's cybersecurity team prior to our CISO joining the Company.

Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. The Company's cybersecurity team regularly meets with the COO to report its findings. The COO in turn periodically reports on such matters to the Chief Executive Officer and other members of management.

As part of our continued investment in developing our overall enterprise risk management program, the COO and other members of management make updates to the full board of directors, and going forward beginning in 2024, will also provide updates to the audit committee of our board of directors (the "Audit Committee"), on the Company's cybersecurity programs, material cybersecurity risks and mitigation strategies. In addition to such updates, and as part of our incident response processes, our COO is also responsible for informing the Audit Committee of material cybersecurity threats and incidents, based on management's assessment of risk.

Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the Audit Committee. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and assess cybersecurity risks to which the Company is exposed and implement processes and programs designed to manage cybersecurity risks and mitigate and remediate cybersecurity threats and incidents. Both management and the Audit Committee also report material cybersecurity risks to our full board of directors, based on management's assessment of risk.

In 2023, we did not identify any cybersecurity risks that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see "Risk Factors - Risks Related to Privacy, Data, and Cybersecurity" in this annual report on Form 10-K.


Company Information

Name: Mobileye Global Inc.
CIK: 0001910139
SIC Description: Services-Prepackaged Software
Ticker: MBLY - Nasdaq
Website:
Category: Non-accelerated filer
Fiscal Year End: December 29