RAMBUS INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

RAMBUS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 13:04:34 EST.

Filings

10-K filed on 2024-02-23

RAMBUS INC filed an 10-K at 2024-02-23 13:04:34 EST
Accession Number: 0000917273-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess potential material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, if material risks and/or gaps are identified, we will re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer who reports to our Chief Information Officer, to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with IT. Personnel at all levels and departments are made aware of cybersecurity issues through trainings. We engage third party assessors/consultants in connection with our risk assessment processes. These service providers assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We conduct vendor risk assessments before onboarding identified third-party service providers to review each such service provider s cybersecurity practices and to assess factors such as access controls, incident response capabilities, overall cyber maturity and applicable certifications. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, Risk Factors, in this Form 10-K. Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the Cyber Risk Committee. Our Chief Information Officer, Chief Information Security Officer and our Security Team, which includes Security Engineers, our Senior Manager of Cybersecurity and our Chief Information Security Officer, are primarily responsible to assess and manage our material risks from cybersecurity threats. Our Security Team has deep expertise in cybersecurity practices, including security threat evaluation, security operations, incident response, investigations, forensics, threat containment, data security vulnerability management, security policies and procedures, vulnerability scans, penetration testing, infrastructure security, network security, cloud security, identity and access management, role-based access, server and endpoint security, e-mail security, security awareness, logging, security governance and risk mitigations. Our Chief Information Security Officer has over twenty years of experience in security leadership over all aspects of cybersecurity, including security operations, security incident management and cybersecurity governance, policies and procedures, as well as deep expertise in defense in depth, zero trust security architectures and security controls for perimeter, network, endpoint, application and data security layers. Our Chief Information Security Officer and our Security Team oversee our cybersecurity policies and processes, including those described in Risk Management and Strategy above. The processes by which our Chief Information Security Officer and our Security Team are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents include the following: regular penetration testing, independent security posture assessments, phishing tests (with trainings for the failed users), general cybersecurity and phishing training for all Rambus personnel and tabletop exercises to simulate threats and identify gaps. 30 Table of Contents In the event of a cybersecurity incident, our Chief Information Security Officer and our Security Team are equipped with a well-defined incident response plan to guide response actions. This incident response plan includes immediate actions to mitigate the impact of the incident, long-term strategies for remediation and prevention of future incidents, and provides for internal notification of the incident to functional areas, as well as senior leadership and the Cyber Risk and/or Audit Committees of our board of directors, as appropriate. Our Chief Information Security Officer also provides quarterly briefings to the Cyber Risk Committee regarding our company s cybersecurity risks and activities, including any recent cybersecurity incidents of interest and related responses, cybersecurity systems testing, applicable activities of third parties, and the like. Our Cyber Risk Committee provides regular updates to the board of directors on such reports.

Company Information