FLEX LTD. 10-K Cybersecurity GRC - 2024-05-17

Page last updated on July 16, 2024

FLEX LTD. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-17 16:49:01 EDT.

Filings

10-K filed on 2024-05-17

FLEX LTD. filed a 10-K at 2024-05-17 16:49:01 EDT
Accession Number: 0000866374-24-000021

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Our cybersecurity risk management program is intended to protect the confidentiality, integrity, and availability of our critical information technology (“IT”) systems and information. Our program is integrated into, and among the risks evaluated and considered by, our broader enterprise risk management program, which is designed to identify, assess, prioritize and mitigate risks across the organization to enhance our resilience and support the achievement of our strategic objectives. We designed and assess our cybersecurity risk management program based on multiple cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework, as well as information security standards issued by the International Organization for Standardization, including ISO 27001, which we use as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our global information security management program is ISO 27001:2013 certified. Our cybersecurity risk management program is led by our Chief Information Security Officer (“CISO”), who manages our security team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our detection and response to cybersecurity incidents. Our program includes protocols for preventing, detecting and responding to cybersecurity incidents, and cross-functional coordination and governance of business continuity and disaster recovery plans. Components of our program include: - risk assessments designed to help identify cybersecurity threats to our critical IT systems, information, and our broader enterprise IT environment; 32 Table of Content s - the periodic engagement of independent security firms and other third-party experts, where appropriate, to assess, test, and certify components of our cybersecurity program, and to otherwise assist with aspects of our cybersecurity processes and controls; - annual cybersecurity awareness training for our employees; - regular assessments of the design and operational effectiveness of the program’s key processes and controls by our internal audit team as well as external consultants; and - a risk management process for third-party service providers and vendors that includes due diligence in the selection process and periodic monitoring regarding adherence to applicable cybersecurity standards. We also have a cybersecurity incident response plan to assess and manage cybersecurity incidents, which includes escalation procedures based on the nature and severity of the incident including, where appropriate, escalation to the Audit Committee and the Board. We periodically (at least annually) perform tabletop exercises to test our incident response procedures, identify gaps and improvement opportunities and exercise team preparedness. As part of our overall risk mitigation strategy, we maintain insurance coverage that is intended to address certain aspects of cybersecurity risks; however, such insurance may not be sufficient in type or amount to cover us against claims related to cybersecurity breaches, cyberattacks and other related breaches. As of the date of this report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations or financial condition. Despite our security measures, however, there can be no assurance that we, or third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information on our cybersecurity related risks, see Item IA,, “Risk Factors - " A breach of our IT or physical security systems, or violation of data privacy laws, may cause us to incur significant legal and financial exposure and adversely affect our operations. " Governance The Audit Committee of our Board of Directors has primary responsibility for overseeing our cybersecurity risks and other information technology risks, including our plans to mitigate cybersecurity risks and to respond to data breaches. The Audit Committee receives regular reports (at least quarterly) from our CISO and our Chief Information Officer (“CIO”) on cybersecurity matters. These reports include a range of topics, including our cybersecurity risk profile, the current cybersecurity and emerging threat landscape, the status of ongoing cybersecurity initiatives, incident reports, and the results of internal and external assessments of our information systems. The Audit Committee also annually reviews the adequacy and effectiveness of our information and technology security policies and the internal controls regarding information and technology security and cybersecurity, and periodically receives updates from our internal audit function on the results of our cybersecurity audits and related mitigation activities. The Chair of the Audit Committee reports to the full Board on these discussions as appropriate. The full Board also receives briefings from our CISO and CIO on cybersecurity matters twice annually. In addition, Board members periodically receive presentations on cybersecurity matters from external experts as part of the Board’s continuing education and overall risk oversight. At the management level, our CISO leads our enterprise-wide cybersecurity program, and is responsible for assessing and managing our materials risks from cybersecurity threats. In performing his role, our CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through the management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Our CISO reports to our CIO who, in turn, reports directly to our CEO. Our CISO is an experienced cybersecurity executive with more than 20 years of experience building and leading cybersecurity, risk management, and information technology teams. Our CISO holds industry-recognized cybersecurity certifications, including Certified Information Systems Security Professional (CISSP) certification.

Company Information