SkyWater Technology, Inc 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

SkyWater Technology, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 17:13:14 EDT.

Filings

10-K filed on 2024-03-15

SkyWater Technology, Inc filed an 10-K at 2024-03-15 17:13:14 EDT
Accession Number: 0001819974-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company s Board of Directors (the Board ) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company s risk management program, and cybersecurity represents an important component of the Company s overall approach to enterprise risk management. In general, the Company seeks to address cybersecurity risks through a comprehensive and cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our enterprise security program has been developed based on industry standards, including those published by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology ( NIST ). Governance - The Board has designated that the Audit Committee is responsible for overseeing cybersecurity risks, and our Senior Vice President of Information Technology and Supply Chain Management ( SVP of IT & SCM ) reports to the Audit Committee on cybersecurity matters. The SVP of IT & SCM has over 20 years of experience in IT systems, IT infrastructure, fab and manufacturing environments, and site disaster recovery and compliance. Our IT administration team supports the SVP of IT & SCM and has deep working knowledge of the NIST cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC) program, ISO 27001, and extensive experience in systems and technology infrastructure management. In addition, our Director of Corporate Security reports to our Chief Legal Officer and is involved in the ongoing compliance with relevant cybersecurity regulations, including with regard to cybersecurity monitoring and incident response (as noted below). The Director of Corporate Security has over 20 years of experience in quality systems, semiconductor manufacturing, and industrial security. Risk Assessment - Our enterprise risk assessment is performed by executives, management, and functional and department-level subject matter experts. This group engages in the ongoing monitoring of identified risks to the Company and risk mitigation efforts. Our enterprise risk management process captures the potential impact and likelihood of cybersecurity risk events by evaluating our current cybersecurity risk environment and our existing cybersecurity controls. Risks identified by our cybersecurity program are analyzed to determine the potential impact on us and the likelihood of occurrence. Such risks are continuously monitored to ensure that the circumstances and severity of such risks have not changed. The SVP of IT & SCM, senior leadership, and our internal audit function provide both the full Board and the Audit Committee with periodic updates on the performance of our cybersecurity program. Monitoring and Incident Response - The Company s cybersecurity program protects against threats through use of the following measures: identifying critical assets and high-risk threats implementing cybersecurity detection, controls and remediation practices implementing a third-party risk management program to evaluate our critical partners cyber posture and evaluating our program effectiveness by performing internal and external assessments. The Company engages a third-party service provider to perform annual internal and external penetration testing under NIST special paper (SP) 800-171 requirements to identify potential gaps that require remediation. In addition, the Company utilizes several industry-standard software applications to monitor for cybersecurity threats and alert our Director of Corporate Security and IT administration of any incidents that require escalation to the SVP of IT & SCM and the Audit Committee. Threats and incidents identified are immediately investigated by the IT administration team and appropriate action is taken to mitigate the impact to the Company. Education and Awareness - We conduct regular workforce training to instruct employees to identify cybersecurity concerns and take the appropriate action. We install and regularly update antivirus software on all company managed systems and workstations to detect and prevent malicious code from impacting our systems. In addition, we have a product security team focused on integrating risk and security best practices into our product development life cycle. Periodically, we are audited by an independent information systems expert to determine both the adequacy of, and compliance with, controls and standards. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that we will not be materially affected in the future by cybersecurity risks, threats or incidents. The potential consequences of a future material cybersecurity incident may include reputational damage, litigation with third parties, government enforcement actions, penalties, disruption to our systems or operations of our facilities, unauthorized release of confidential or otherwise protected information, corruption of data, diminution in the value of our investment in research, development and engineering, increased cybersecurity protection costs and unplanned remediation costs, which in turn could adversely affect our business strategy, results of operations and financial condition. See Item 1A under the caption A breach of our security systems or a cyberattack that disrupts our operations or results in the breach of confidential information about us, our technology, or our customers could harm our business and expose us to costly regulatory enforcement and other liability. for additional information on cybersecurity risks applicable to the Company. 37

Company Information