Broadcom Inc. 10-K Cybersecurity GRC - 2025-12-18

Page last updated on December 18, 2025

Broadcom Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-18 16:04:47 EST.

Filings

10-K filed on 2025-12-18

Broadcom Inc. filed a 10-K at 2025-12-18 16:04:47 EST
Accession Number: 0001730168-25-000121

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Our cybersecurity risk management program is intended to protect the confidentiality, integrity and availability of our critical systems and information. At any given time, we face cybersecurity risks and threats, some of which are not fully mitigated, and we routinely address newly discovered vulnerabilities. We continuously work to enhance our information security program and risk management efforts. Our program includes processes for identifying, assessing and managing material risks from cybersecurity threats that are guided by the National Institute of Standards & Technology's Cybersecurity Framework, the ISO 27001 international standard for information security and other applicable industry benchmarks. Our cybersecurity risk management program is integrated into our overall enterprise risk management system and processes, and includes: - a team of professionals within our Global Technology Organization who are responsible for identifying and mitigating cybersecurity risks and managing our security controls and response activities; - risk assessment processes designed to identify cybersecurity risks to our critical systems, information, products, services and our broader enterprise IT environment; - an annual tabletop exercise to simulate a response to a cybersecurity incident; and - mandatory training annually and upon hiring for all employees and contractors on data privacy and cybersecurity topics. When appropriate, we utilize independent, external service providers to assess, test or otherwise assist with certain aspects of our cybersecurity risk management program and related processes, including for penetration testing, threat monitoring and incident response. We also employ a vendor risk assessment process to mitigate risks presented by certain third-party service providers, and we require such providers to manage their cybersecurity risks in conformance to industry standards, notify us of relevant cybersecurity events and satisfy additional contractual requirements. As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition . However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about our cybersecurity-related risks, see Item 1A. Risk Factors in this Annual Report on Form 10-K. Cybersecurity Governance Our Board of Directors is actively involved in overseeing our cybersecurity risk management and shares oversight responsibility and processes with the Audit Committee of the Board of Directors (the "Audit Committee"). Our management, including our Chief Information Officer ("CIO"), in consultation with our Chief Information Security Officer ("CISO"), reviews with the Audit Committee quarterly, or more frequently as determined to be necessary or advisable, regarding our cybersecurity security policies, practices and protective measures, threat intelligence, cybersecurity incidents and related risks. At least quarterly, our CIO also provides the Audit Committee with an update on our enterprise security program that includes procedures and policies for testing vulnerabilities, responding to cybersecurity threats, and training and evaluating our employees. The Audit Committee and management also update our Board of Directors at least quarterly on our cybersecurity performance and risk profile and the effectiveness of our cybersecurity processes. We also have protocols in place for escalating certain cybersecurity incidents to the Audit Committee and the Board of Directors. Our management, including our CIO and CISO, are responsible for assessing and managing material risks from cybersecurity threats. Our CIO oversees our Global Technology Organization that has primary responsibility for our overall cybersecurity risk management program . Our CIO, who reports to our Chief Executive Officer, has over 20 years of experience managing global IT operations, including strategy, applications, infrastructure, information security, support and execution. Our CISO, who reports to the CIO, has approximately 30 years of cybersecurity experience assessing and managing cybersecurity programs. Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include, among other things, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our IT environment.

Company Information