Enovix Corp 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Enovix Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:18:34 EST.

Filings

10-K filed on 2026-02-25

Enovix Corp filed a 10-K at 2026-02-25 16:18:34 EST
Accession Number: 0001828318-26-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk management and strategy We implement and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and manufacturing-related information ("Information Systems and Data"). Our board of directors (the "Board"), through its Cybersecurity Committee, together with our company executives through our Information Security Steering Committee, and our IT and security management teams in conjunction with third-party service providers who specialize in cybersecurity, help identify, assess and manage the Company's cybersecurity threats and risks. The Cybersecurity Committee and the Information Security Steering Committee each review cybersecurity matters on a regular basis. We use a number of processes to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company's risk profile using various methods including, for example via manual and automated tools, which are internally prepared and also through external third-party vendors, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting routine scans of the threat environments, evaluating our and our industry's risk profile, performing annual assessments and penetration testing, evaluating the threats reported to us, coordinating with law enforcement concerning threats, conducting internal and external audits, conducting threat assessments for internal and external threats, reviewing third party threat assessments, conducting vulnerability assessments to identify vulnerabilities, using of external intelligence feeds, conducting third-party- red/blue team testing and tabletop incident response exercises. In addition, we conduct internal tabletop exercise, third party red-team pen testing and OT security monitoring. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example incident response plans, incident detection and response policies and procedures, vulnerability management policy, disaster recovery plans, and encryption of data. Our assessment and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes. For example, we have (1) cybersecurity risk addressed as a component of the Company's enterprise risk management program and identified in the Company's risk register; (2) the security department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our information security committee evaluates material risks from cybersecurity threats against our overall business objectives and our CISO reports to the Nominating and Governance committee the board of directors, which evaluates our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, penetrating testing firms, dark web monitoring services, forensic investigators and DHS CISA monitoring service providers. We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies and supply chain resources. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes risk assessment for each vendor, security questionnaires, review of the vendor's written security program, review of security assessments, reports, vulnerability scans related to vendors, imposition of information contractual obligations on the vendors and other elements of vendor management program such as continuous cyber security monitoring by third-party service. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. As of the date of this report, we have not experienced a material cybersecurity incident, nor have we incurred any significant expenses or penalties to resolve or settle any security incident that has materially affected our business strategy, results of operations, or financial condition during the periods presented. However, cybersecurity threats are continually evolving, and there can be no assurance that future incidents will not materially affect the Company's business, results of operations, or financial condition. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part I, Item 1A. Risk Factors in this Annual Report on Form 10-K. Governance Our Board oversees the Company's cybersecurity risk management as part of its overall risk oversight function. In May 2025, the Board established a standing Cybersecurity Committee to provide dedicated oversight of the Company's enterprise security posture, including safeguards for its people, facilities, information systems and data, and to oversee management's programs addressing physical and cybersecurity, privacy and data governance, regulatory compliance, and related risks. Prior to that, our Nominating and Governance committee was responsible for overseeing Company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Cybersecurity committee consists of three members with years of experience in cybersecurity oversight. The committee meets at least two times each year and more frequently as needed. The committee's responsibilities include, among others: - reviewing our enterprise cybersecurity strategy and framework; - assessing cybersecurity threats and risks, including risks associated with our products and services and third-party service providers; - reviewing significant cybersecurity incidents and management's response thereto; - evaluating the effectiveness of our cybersecurity risk management and data security programs; and - overseeing our incident response and business continuity preparedness. The Cybersecurity committee receives regular reports and updates from the Company's Chief Information Security Officer ("CISO") , Chief Information Officer ("CIO"), and other members of management regarding cybersecurity risks, mitigation efforts, and emerging threat trends. Following each meeting, the Chair of the Cybersecurity committee reports to the full Board on matters addressed by the committee. The Board also receives periodic briefings to enhance its understanding of cybersecurity developments. Our cybersecurity risk assessment and management processes are maintained by certain Company management, including the members of our Information Security Steering Committee, which meets quarterly to review cybersecurity matters. Our Information Security Steering Committee is comprised of our CISO, CEO, Chief Financial Officer, Chief Accounting Officer, COO, Chief Legal Officer, Vice President of Human Resources and Vice President of Global Information Technology. At the management level, our CISO , who reports to our CIO, is responsible for overseeing the assessment and management of our material risks from cybersecurity threats. Our CISO has extensive experience and knowledge in cybersecurity with years of experience in leading security teams, developing security strategies, and managing risk across various industries. Our Vice President, Global Information Technology serves as our CIO, and has over 25 years of information technology and cybersecurity risk management experience, including at other public companies. Our CISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company's overall risk management strategy, and communicating key priorities to relevant stakeholders at our US headquarters, and each of our international subsidiary locations. Our CISO is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. The CISO works in conjunction with our Nominating and Governance Committee Chair and committee members. Our cybersecurity incident prevention, detection, response and vulnerability management processes are designed to escalate certain cybersecurity incidents to appropriate members of management, including our CISO, and to the Cybersecurity committee, depending on the circumstances. These officials work with our incident response team to help mitigate and remediate cybersecurity incidents. In addition, the Company's incident response and vulnerability management processes include reporting to the Cybersecurity committee and, as appropriate, the Board.

Company Information