MICROCHIP TECHNOLOGY INC 10-K Cybersecurity GRC - 2024-05-23

Page last updated on August 21, 2024

MICROCHIP TECHNOLOGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-23 17:24:35 EDT.

Company Summary

Microchip Technology develops and manufactures semiconductor products for various embedded control applications worldwide.

Filings

10-K filed on 2024-05-23

MICROCHIP TECHNOLOGY INC filed a 10-K at 2024-05-23 17:24:35 EDT
Accession Number: 0000827054-24-000098


Item 1C. Cybersecurity.

Cyber Risk Governance

Risk Management and Strategy

We define cyber risk governance as a program of measures designed to protect our IT assets and information from unauthorized access, attacks or service disruptions. Our risk governance processes were designed by our IT Shared Services (ITSS) team, which maintains knowledge about the types of high-profile security breaches being reported more frequently across the globe. The secure processing, maintenance, and transmission of sensitive data, including confidential and other proprietary information about our business and our employees, and information belonging to our customers, suppliers, and business partners, is important to our operations and business strategy. As a result, cybersecurity and data protection are key components of our long-term business strategies. We use various processes to inform our assessment, identification and management of risk from cybersecurity threats. Key areas of our cybersecurity risk management processes and strategy currently include:

Processes and Coordination

We manage cyber security and assess associated risks in these ways:

- ITSS, led by our Chief Information Security Officer (CISO), has first-line responsibility for our cybersecurity risk management processes, and works to coordinate efforts, priorities and oversight of cybersecurity risk;
- ITSS works with functional groups such as manufacturing, business operations, engineering, human resources, legal, and finance and is responsible for evaluating and assessing overall cybersecurity risk, and advising senior management and the Audit Committee regarding our cybersecurity risk profile and priorities as they evolve;
- we have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes; and
- our Internal Audit group monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment.

Ongoing Evaluation and Assessment of Systems and Processes

We take steps to monitor evolving regulatory, industry and legal requirements and best practices relating to cyber risk mitigation, and we employ standards and frameworks that we deem appropriate to address identified risks. In addition to periodic in-depth evaluations of our applicable systems and processes, we monitor our IT systems and processes on an ongoing basis with the goal of identifying and remediating real and potential threats as they arise. We adjust our systems, procedures, and policies as we deem necessary and in response to identified threats and risks. For example, ITSS has implemented improvements to our protective measures that have included, but have not been limited to: endpoint intrusion detection and response software, vulnerability scans, regular patching of vulnerabilities, evaluating and reviewing log monitors, event correlation tools, network segmentation, system audits, data partitioning, privileged account segregation and monitoring, and tabletop exercises.

Security Awareness Program to Train and Test Personnel

We sponsor a multi-faceted security awareness program that includes regular, mandatory trainings for our personnel on best practices for cyber-hygiene, including: multifactor authentication and single sign-on use for cloud applications; ways to identify social engineering techniques; policy and process awareness; and periodic phishing simulations and other preparedness testing.

Cyber Incident Response Plan

We maintain a cross-functional cyber incident response plan with defined roles and responsibilities and reporting protocols. This plan focuses on responding to, identifying the severity of, and recovering from a breach as well as mitigating any impact to our business. Generally, when a suspected breach is identified, the ITSS team will escalate the issue to the personnel identified in the plan for initial analysis and guidance. In the event of an actual breach, the CISO will prepare an initial assessment and consult with our general counsel (GC) and our Chief Financial Officer (CFO). Together, our GC, CFO and CISO will consult with other executives, including our Chief Executive Officer and our Chief Operating Officer, to determine the incident’s impact to our business. This management group (in consultation with outside experts) will be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any public reporting or third-party notification requirements.

Regular Evaluation of Initiatives, Results and Priorities

The ITSS team, in consultation with members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint, results of recent ITSS initiatives, and developments in the cybersecurity threat landscape. On an annual basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the performance of cyber risk key performance indicators (KPIs), cyber risks, staffing and key ITSS initiatives. On a quarterly basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the KPIs and any changes to our cyber risk mitigation efforts, and any cyber breaches that may have occurred. Feedback from the Audit Committee and senior management assists us in determining whether any further changes to our existing policies and practices are warranted. We expect that our cybersecurity risk management processes and strategy will continue to adapt as the cybersecurity threat landscape evolves.

We engage third parties to assist us with our cybersecurity risk management and strategy. Some of these third parties provide us with ongoing assistance (such as threat monitoring, mitigation strategies, updates on emerging trends and developments and policy guidance) while others provide targeted assistance (such as security and forensic expertise) as needed.

Review of Third Parties

There are risks associated with sharing information with third parties, and with allowing third parties to access our systems. Therefore, prior to integrating any third-party provider’s information into our systems, we assess their security maturity against our standards, assess business risks associated with integration and request changes as we deem necessary.

Governance

Consistent with our overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while our Board and its Audit Committee play an active, ongoing oversight role.

Board Oversight

Our Board has delegated to its Audit Committee specific, first-line responsibility for overseeing major cybersecurity risk exposures in addition to our broader enterprise risk management program. Specifically, under its charter, the Audit Committee is responsible for overseeing and monitoring enterprise risk management, privacy, cybersecurity and data security matters, including the potential impact of those exposures on Microchip’s business, financial results, operations and reputation, and the steps management has taken to monitor and mitigate such exposures. The CISO reports at least quarterly to the Audit Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives designed to bolster our security systems. Our full Board is typically in attendance at these presentations made to the Audit Committee. At least annually, the Board meets with members of our senior management team to review and discuss our enterprise risk management program, including areas of material risk and how these risks, which may include cybersecurity risk, are being managed and reported to the Board and its committees.

Management’s Role

Our ITSS team is led by our CISO, who reports to our Executive Vice President and Chief Financial Officer. Our CISO is a former CPA who has 34 years of experience in leading global accounting and business information systems groups including strategy, applications, infrastructure, information security, support, and execution. Digital security at Microchip is the primary responsibility of our ITSS team. Our ITSS team is responsible for infrastructure services and business continuity as it relates to digital information. The ITSS team oversees compliance with our cybersecurity framework within our Company and facilitates cybersecurity risk management activities. The ITSS team also assists with the review and approval of policies, completes benchmarking against applicable standards and oversees the security awareness training program. ITSS works to address and respond to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. Collectively, ITSS has decades of relevant education and experience and maintains a wide range of industry certifications. We invest in regular, ongoing cybersecurity and architecture training for our team members.

Conclusion

As of March 31, 2024, we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected Microchip, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the heading, “We continue to be the target of attacks on our IT systems. Interruptions in and unauthorized access to our IT systems, and security breaches or incidents impacting our systems or data that we or our service providers maintain or otherwise process, could adversely affect our business”, in this Annual Report on Form 10-K.


Company Information

Name: MICROCHIP TECHNOLOGY INC
CIK: 0000827054
SIC Description: Semiconductors & Related Devices
Ticker: MCHP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30