Qorvo, Inc. 10-K Cybersecurity GRC - 2024-05-20

Page last updated on July 16, 2024

Qorvo, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-20 16:06:13 EDT.

Filings

10-K filed on 2024-05-20

Qorvo, Inc. filed a 10-K at 2024-05-20 16:06:13 EDT
Accession Number: 0001604778-24-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. We recognize the critical importance of maintaining the safety and security of our systems and data and have a cross-organizational approach to addressing cybersecurity risk. We are committed to maintaining robust governance and oversight of cybersecurity risk and have implemented mechanisms, controls, technologies and processes designed to help us assess, identify and manage these risks. The Board of Directors, its Audit Committee and our management, including our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), contribute to our cybersecurity and risk management processes designed to help us respond in a timely and effective manner to emerging threats in a dynamic cybersecurity landscape. Cybersecurity risks are identified as part of our Enterprise Risk Management Program and regular cybersecurity assessment and planning. We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies and other processes to assess, identify and manage cybersecurity risks. We engage with industry groups for benchmarking and awareness of cybersecurity best practices. We monitor internal and external cybersecurity developments that may affect our systems and our supply chain partners’ systems, and have procedures to assess those issues for potential cybersecurity impact or risk. The Audit Committee oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, our CIO and our CISO regularly brief the Audit Committee on cybersecurity matters. In its oversight role, the Audit Committee receives reports on cybersecurity, including internal and external cybersecurity audits, on at least a quarterly basis. We have procedures led by our CISO which govern our assessment, response and notification of internal and external parties upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides for escalating notification to our executive team, to evaluate the overall impact and appropriate or required external notifications. Based on its nature and severity, the Audit Committee would be informed of an incident by our executive team. Our CISO reports to the CIO and is generally responsible for management of cybersecurity risk and the protection and defense of our networks and systems. The CISO works with a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. This team manages and works to enhance the IT security structure with the goal of preventing significant cybersecurity incidents and increasing the resilience of our systems to minimize the business impact should an incident occur. Our CISO is informed about and monitors prevention, detection, mitigation and remediation efforts through regular communication and reporting from professionals on the information security team. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements, customer expectations, business priorities and emerging cybersecurity risks, and we expect to continue to make investments to maintain the security of our data and infrastructure. The underlying controls of the cyber risk management program are based on industry standards for cybersecurity and IT, including the National Institute of Standards and Technology (“NIST”) frameworks and ISO 27001 requirements, although this does not mean that we meet all technical standards, specifications or requirements under NIST or ISO 27001 standards. In addition, we provide awareness training to our employees to help identify, avoid and mitigate cybersecurity threats and to remind them of the importance of handling and protecting our information. We engage third-parties to conduct evaluations of our security controls, including testing both the design and operational effectiveness of our controls. We also participate in cybersecurity information-sharing with our peers, industry groups and government agencies. We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or business partner could materially adversely impact us. We require our key suppliers to comply with our security terms and conditions, in addition to any requirements from our customers, as a condition of doing business with us and require each to notify us in the event of any known or suspected cyber incident. We face numerous cybersecurity risks in connection with our business. Such risks can impact our systems, results of operations and financial condition. We have, from time to time, experienced threats to and breaches of our data and systems, including malware, ransomware and computer viruses. Our customers, suppliers, subcontractors and business partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. As of the date of this Form 10-K, we have not identified any risks from cybersecurity threats that have materially affected our business strategy, our results of operations or our financial condition. For more information about the cybersecurity risks we face and the potential impacts on our Company due to a cybersecurity incident, please refer to Item 1A - Risk Factors - “Risks Related to Intellectual Property, Cybersecurity and Information Technology and Data Privacy”.

Company Information