SEMTECH CORP 10-K Cybersecurity GRC - 2024-03-28

Page last updated on July 16, 2024

SEMTECH CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:16:14 EDT.

Filings

10-K filed on 2024-03-28

SEMTECH CORP filed a 10-K at 2024-03-28 17:16:14 EDT
Accession Number: 0000088941-24-000030


Item 1C. Cybersecurity.

Risk Management and Strategy

As part of our overall enterprise risk management strategy, our cybersecurity processes seek to help the Company prevent or mitigate potential cybersecurity incidents, and to detect and remediate them quickly when they occur. To achieve this, the Company uses a broad selection of security tools and methodologies to assess, identify and manage material risks from cybersecurity threats. Key aspects of our cybersecurity risk management and threat mitigation strategy include:

- Maintaining our ISO/IEC 27001:2022 certification and using it along with other common security frameworks to help assess, identify, and manage material risks from cybersecurity;
- Utilizing dedicated IT Security Operations and Product Security teams focused on monitoring, enforcing and improving cybersecurity throughout the enterprise;
- Engaging and training internal stakeholders from representative aspects of the business (product and functional teams) on our Incident Response and Reporting plan on a quarterly basis;
- Maintaining and regularly testing our disaster recovery and business continuity plans; and
- Creating information security awareness among our employees and partners through the use of phishing exercises and regular cyber-awareness articles & newsletter campaigns.

The Company evaluates our third-party vendors and service providers to ensure appropriate oversight and to identify any risks from cybersecurity threats associated with the use of their tools or services. To that end, as part of the onboarding process, our internal IT Security Operations team:

- Collects and evaluates self-certification information about each vendor’s cybersecurity program and external certifications;
- Reviews independent security reports that inform us about each vendor’s security posture and historical incidents; and
- Provides a timely evaluation of whether to continue the vendor’s engagement based on their cybersecurity risk profile.

As part of our processes, we also engage third parties and industry experts to conduct audits and other assessments of our cybersecurity system. These assessments include vulnerability assessments, penetration testing and table-top exercises. The results of these reviews help to identify areas for continued focus, improvement and/or compliance. We also regularly evaluate our cybersecurity position against benchmarks of our peers and industry leaders, and expect our strategy and management approach to change as the general cybersecurity landscape evolves.

Governance

Consistent with our overall risk management governance structure, the Vice President of IT Security is responsible for the day-to-day management of cybersecurity risk, while our Board and its Audit Committee play an active, ongoing oversight role. The Audit Committee or the full Board receive quarterly cybersecurity updates, which are prepared by our Vice President of IT Security. The report provides comprehensive cybersecurity updates, including topics such as security incidents, our threat landscape, compliance, key performance metrics and material risks, along with updates on general cybersecurity project execution.

The Vice President of IT Security works directly with the IT Security Operation Team and the Product Security Team to ensure effective and timely monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents. In line with our incident response plan, the Vice President of IT Security provides regular updates about cybersecurity incidents to the Audit Committee, the Chief Operating Officer and other members of the executive management team. Our Vice President of IT Security has held IT security and leadership roles at the Company for over 23 years and maintains a wide range of industry certifications including Certified Information Systems Security Professional.

As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity threats or incidents. For additional information on our cybersecurity risks, see “Item 1A. Risk Factors - We rely on certain critical information systems for the operation of our business and a disruption in our information systems, including those related to cybersecurity, could adversely affect our business operations.”


Company Information

Name: SEMTECH CORP
CIK: 0000088941
SIC Description: Semiconductors & Related Devices
Ticker: SMTC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 27