ONTO INNOVATION INC. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

ONTO INNOVATION INC. reported its cybersecurity risk management and governance process in its annual Form 10-K, filed on 2024-02-26 at 16:10:23 EST.

Filings

10-K filed on 2024-02-26

ONTO INNOVATION INC. filed a 10-K at 2024-02-26 16:10:23 EST
Accession Number: 0000950170-24-020150


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We rely heavily on information technology (IT) systems in all aspects of our operations, and data security plays an important role in the protection of our proprietary information and that of our customers and suppliers. For these reasons, we take a number of steps to protect Onto Innovation's IT systems from internal and external cybersecurity threats. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, and privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, IT security, and governance, risk and compliance reviews. To defend against, detect and respond to cybersecurity incidents, we, among other things: conduct proactive cybersecurity reviews of systems and applications; perform penetration testing using external third-party tools and techniques to test security controls; conduct employee training; and monitor emerging laws and regulations related to data protection and information security and implement appropriate changes.

We have implemented incident response processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and review of an incident, 3) containment and remediation, and 4) post-incident review and analysis. Cybersecurity incident responses are managed by our Corporate Incident Response Team and overseen by our Vice President of IT. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. We also conduct tabletop exercises to simulate responses to cybersecurity incidents.

Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the company, and to form detection, mitigation and remediation strategies. As part of the above processes, we regularly engage external auditors and subject matter experts to assess our internal cybersecurity programs and compliance with applicable practices and standards. Since 2021, our Information Security Management System has been certified to conform to the requirements of ISO/IEC 27001:2013.

Our cybersecurity program also includes third-party assessments to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential risks when handling and/or processing our employee, business or customer data. In addition to new vendor onboarding, we perform risk assessments during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.

Our individual employees also play an important role in our information security systems. All employees are required to familiarize themselves with the Company's information security policies and, at least annually, employees are required to participate in an information security training program, which is designed to help employees identify potential threats and train them on how to respond. Throughout the year, the IT department conducts phishing campaigns and other simulated hacking attacks with employees as a way of reminding them of their security obligations and ensuring that our SETA (security education, training and awareness) program has been effective.

As of the date of this Form 10-K, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For more information on the cybersecurity risks we face that could adversely impact us, please see Part I, Item 1A - Risk Factors - "If our network security measures are breached and unauthorized access is obtained to a customer's data, to our data, or to our information technology systems, we may incur significant legal and financial exposure and liabilities and may experience disruptions in our operations."

Cybersecurity Governance

The Company's Board of Directors has oversight of information security matters at the Company, including reviewing the Company's cybersecurity practices. At least annually, the Vice President of IT presents the Company's information security policies and programs to the Board. Our Audit Committee is tasked with overseeing the risks from cybersecurity threats. Members of the Audit Committee receive updates on cybersecurity matters on a quarterly basis from one or more representatives from the Company's Cyber Security Council ("CSC"), which is composed of our business unit general managers, other members of senior management, our Vice President of IT and our IT Security Manager. These updates include a discussion of existing and new cybersecurity risks (if any), updates on how management is addressing and/or mitigating those risks, and the status of information security initiatives. Other Board members also engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs outside of the scheduled meetings.

The CSC is also responsible for the executive-level supervision of the Company's cybersecurity risk, information security, and technology risk, as well as the IT department's actions to identify, assess, mitigate, and remediate cyber-related issues. The CSC receives regular quarterly reports from the Vice President of IT on the Company's cybersecurity risk profile and enterprise cybersecurity program. We have also established a process whereby potentially material cybersecurity incidents are escalated to a Cybersecurity Disclosure Committee ("CDC") consisting of our CEO, CFO, Vice President and General Counsel, Vice President of IT and Corporate Controller. The Cybersecurity Disclosure Committee is tasked with evaluating whether such incidents have a material impact on the Company, and thus require disclosure, as well as any other actions that may be appropriate in response to the incident. The CDC promptly notifies the Audit Committee if it determines that an incident is likely to have a material impact on the Company and updates the Audit Committee on a quarterly basis on any incidents that it determined were not material.

The Vice President of IT acts as our head of information security in leading our information security organization. Our VP of IT has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies.


Company Information

Name: ONTO INNOVATION INC.
CIK: 0000704532
SIC Description: Measuring & Controlling Devices, NEC
Ticker: ONTO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 25