Page last updated on August 21, 2025
Sandisk Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-20 20:31:19 EDT.
Filings
10-K filed on 2025-08-20
Sandisk Corp filed a 10-K at 2025-08-20 20:31:19 EDT
Accession Number: 0002023554-25-000034
Item 1C. Cybersecurity.
Risk Management and Strategy
At Sandisk, our management team is charged with managing risk and bringing to our Board of Directors’ attention all material risk exposures to our company. Our enterprise risk management (“ERM”) process is designed to facilitate the identification, assessment, management, reporting and monitoring of material risks our company may face over the short-term and long-term and promote regular communication with our Board of Directors and its committees regarding these risks. Through our ERM process, we have determined that the compromise, damage or interruption of our technology infrastructure, information systems or products by cybersecurity incidents is a key risk to our company that may have a material negative impact on our business. To help mitigate the potential impact of cybersecurity incidents on our business and protect against cybersecurity threats, we have established organizational structures, procedural measures and response plans that define roles and responsibilities related to cybersecurity risk management. Sandisk’s Information Security organization addresses cybersecurity risks with a broad spectrum of technologies, controls, and processes that focus on mitigating these risks. Our cybersecurity strategy is designed to be dynamic and adaptive to combat the rapidly evolving cybersecurity threat landscape and is influenced by commonly leveraged frameworks such as the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). Our program includes, but is not limited to, endpoint protection and response systems, network security protocols, electronic communications protections, vulnerability management programs, least-privilege access controls, third-party risk management procedures, workforce education and training exercises, and compliance programs.
Our dedicated 24x7 Security Operations Center incorporates specialized systems and processes for handling security incidents into its regular work and operates a robust, modern security infrastructure with appropriate security sensors and event monitoring capabilities. Upon detection of a cybersecurity incident, the Security Operations Center determines the severity of the incident in accordance with a pre-established incident severity matrix, initiates the appropriate notification and escalation protocols and begins triage. Predefined severity tiers serve as a guide to match our response to each incident’s determined severity or risk level. Additionally, we have established a Cyber Incident Response Plan that follows the structure of the Incident Handling Guide published by the U.S. National Institute of Standards and Technology (SP 800-61r2) and that serves as an operational guide for handling cybersecurity incidents at Sandisk. Our Cyber Incident Response Plan provides procedural and strategic guidance that is designed to be flexible enough to apply to a variety of different incidents, but also specific enough to provide guidelines for incident prevention, detection, analysis, escalation and notification, and containment, eradication and recovery. As part of our ongoing information security program, the Company utilizes periodic independent third-party experts to conduct assessments of our program’s effectiveness. These experts are also leveraged to design and orchestrate tabletop exercises where multiple business functions and leadership levels navigate incident scenarios based on industry trends and relevant threats, to help determine our level of preparedness for various cybersecurity incidents. As part of our business operations, the Company engages with a number of third parties, including but not limited to, online software service providers, vendors, consultants, and partners. 
These third parties are analyzed based on business criticality and impact and must be cleared through a formal cybersecurity risk assessment process before being allowed to integrate with Sandisk’s information systems, access confidential data, or provide electronic services to members of our workforce. The Company has in the past experienced cybersecurity incidents of varying degrees involving our technology infrastructure and information systems. While these incidents have at times resulted in some disruptions to our business operations, as of the date of this Annual Report on Form 10-K, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all such cybersecurity incidents or threats or that we will not experience such an incident in the future. Further details about the cybersecurity risks we face are described under “The compromise, damage or interruption of our technology infrastructure, information systems or products by cybersecurity incidents, data security breaches, other security problems, design defects, information system failures or other events could have a material negative impact on our business” in Part I, Item 1A., Risk Factors of this Annual Report on Form 10-K.
Governance
The Company has implemented a governance framework related to cybersecurity that includes operational risk-mitigation practices and Board-level cybersecurity risk oversight.
Our management team is charged with managing cybersecurity risk and identifying material cybersecurity risk exposures to our company and carries out this function primarily through our Information Security organization, which is led by our Chief Information Security Officer (“CISO”) who has a CISO executive certification from the Heinz College at Carnegie Mellon University, a bachelor’s degree in Electrical Engineering, over a decade of information security leadership, and over twenty years of consolidated IT leadership experience. Additionally, our Cyber Incident Response Plan discussed above calls for the establishment of a management Impact Assessment Committee, which consists of key leadership representatives from the organization and is convened on an ad hoc basis to assess the detailed business impact of a cybersecurity incident. The Impact Assessment Committee is led by our Chief Information Security Officer and includes key representatives from the Company’s functional groups, including human resources, ethics and compliance, labor, privacy, internal audit, finance, communications, legal, risk and accounting. The Impact Assessment Committee receives updates and communications from the Security Operations Center on a fixed cadence determined by incident severity and follows our pre-established escalation framework to communicate with and include executive leadership, outside counsel and the Board of Directors, as appropriate. The Impact Assessment Committee works with the Company’s internal and external legal counsel to determine and facilitate appropriate communications with the Board of Directors. Our Board of Directors is responsible for overseeing the cybersecurity risk management process and exercises this risk oversight through both our full Board of Directors and its Audit Committee. 
Our Board of Directors has delegated to the Audit Committee the responsibility to oversee risks related to cybersecurity threats, and our Audit Committee Charter requires the Audit Committee to review and discuss with management the Company’s policies with respect to risk assessment and enterprise risk management and to review the risk exposure of the Company related to the Committee’s areas of responsibility, including with respect to cybersecurity. In carrying out this role, the Audit Committee meets with our Chief Information Security Officer regularly and receives at least quarterly reports on cybersecurity matters. Additionally, at least annually, our Chief Audit Executive, who manages the day-to-day activities of our ERM program, reports to our Board of Directors on enterprise risk assessment under our ERM program, providing updates on key risks, status of mitigation efforts and residual risk trends, including an analysis of cybersecurity risks. Also at least annually, our Chief Information Security Officer reports to the full Board of Directors on cybersecurity matters related to or impacting our company and our business.
Company Information
Name | Sandisk Corp |
CIK | 0002023554 |
SIC Description | Computer Storage Devices |
Ticker | SNDK - Nasdaq |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | June 27 |