COHERENT CORP. 10-K Cybersecurity GRC - 2024-08-16

Page last updated on August 16, 2024

COHERENT CORP. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-16 09:20:47 EDT.

Filings

10-K filed on 2024-08-16

COHERENT CORP. filed a 10-K at 2024-08-16 09:20:47 EDT
Accession Number: 0000820318-24-000016


Item 1C. Cybersecurity.

Coherent’s Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, suppliers, business partners, employees, shareholders and other stakeholders. One of the critical factors in maintaining this trust is the Board’s involvement in oversight of the Company’s enterprise risk management (“ERM”) program, of which cybersecurity represents a critical component. Coherent’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, and the International Standards Organization Risk Management Guidelines (ISO 31000), as well as other applicable industry standards.

Governance: Coherent’s cybersecurity program is overseen by the Board’s Environment, Sustainability and Governance (“ESG”) committee. The ESG Committee is briefed quarterly by management on, among other things, updates to cybersecurity and related programs, and notable cyber incidents, threats and vulnerabilities, and provides direction on cybersecurity risk management. In addition, Coherent has established a Crisis Management Team (CMT) with responsibility for, among other things, oversight and management of cybersecurity events, including significant and material cybersecurity events. The CMT reports, as appropriate, to the ESG Committee. The CMT is headed by Coherent’s Chief Risk Officer (CRO). Additionally, Coherent has a dedicated internal cybersecurity team (Cybersecurity Team), managed by the Global Head of Cybersecurity.

Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. On a regular meeting cadence, Coherent’s President convenes a senior cybersecurity committee for reporting and planning. The committee consists of the Chief Information Officer (CIO), the Global Head of Cybersecurity, the Vice President of IT Operations, the Senior Director of IT Security, the General Counsel for Technology and Risk Management, and the CRO. Members of partner technology-risk advisory firms and Coherent internal experts from other disciplines participate in committee activities as needed from time to time.

As to the experience of the various members of Coherent’s cybersecurity functional team, the CIO is a technology executive with over 25 years of experience at public companies, specializing in IT leadership, cybersecurity, and strategic technology initiatives, including leading risk management, data governance, compliance, and SOX audits, aligning technology with business goals and robust data protection. He holds a B.S. in Electrical Engineering and ITIL certification. The Coherent Global Privacy Officer earned a B.A. and a Juris Doctor degree and has over 20 years of experience in legal practice, focusing specifically on privacy law for the past eight years. Additionally, the Coherent Global Privacy Officer is an active member of the International Association of Privacy Professionals (IAPP) and holds both the Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certifications from the IAPP. The General Counsel for Technology and Risk Management holds a B.S. in Industrial Engineering, and a Juris Doctor degree and has over 38 years of experience in legal practice, 25 years of which specifically representing businesses and financial institutions in data security and privacy in both private practice and as an in-house attorney at various private and public companies. The Senior Manager, Security, Risk & Compliance, has been in Information Technology for 25 years and in IT security for 16 years, and holds a B.S. in Computer Science, with a minor in Mathematics, and an ISC2 CISSP Certification. He is a member of the ACM and a Senior Member of the IEEE. The Senior Director of Information Security is a CISSP and member of ISSA, practicing security for over 30 years, with a B.S. degree. He also has served as a consultant and has managed international cybersecurity teams with Fortune 100 companies in finance, banking, technology, biotech, security consulting, and large manufacturing in broad areas of cybersecurity. The VP of IT Infrastructure Operations and Interim Head of Information Security and Compliance has 25 years of experience at public companies, specializing in IT leadership, cybersecurity, and strategic technology initiatives, and holds an M.S. in Electrical Engineering.

Incident Response and Recovery Planning: Coherent has instituted a robust Cybersecurity Incident Response Plan (the CIRP), which provides a framework for responding to cybersecurity incidents at escalating severity levels. The CIRP sets out a coordinated approach to discovering, investigating, containing, tracking, mitigating, and remediating cybersecurity incidents, including a framework for elevating and reporting findings and keeping senior management and other key stakeholders informed and involved, based on assessments regarding the scope or significance of incidents. The CIRP is implemented by the Coherent Cyber Incident Response Team (CIRT), which is headed by the Global Head of Cybersecurity, and includes as members the head of the CMT, the Chief Legal Officer, the Cybersecurity Team, and select members of the ERM team.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Security Policy and Requirements: The Coherent Cybersecurity Team has robust processes and redundancies in place designed with the objective of deterring, detecting, mitigating, and responding to potential cybersecurity threats, which includes a vulnerability assessment and prioritization, and as necessary, remediation plans. The Cybersecurity Team also performs periodic system penetration testing to validate the Company’s security controls and assess Coherent’s infrastructure and applications. All employees take mandatory periodic security awareness training on the Company’s data security policies and procedures, which is supplemented by Company-wide testing initiatives, including periodic phishing tests. Additionally, the IT group and the Cybersecurity Team participate in annual tabletop exercises designed to simulate a response to a cybersecurity incident. The Cybersecurity Team incorporates the findings from these exercises into the Coherent processes. Further, in 2023, select members of the senior management team and the Cybersecurity Team participated in a tabletop exercise.

Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties. This includes external third parties that may have permission to access Coherent IT systems and assets, such as consultants, and review of the systems of third parties that could adversely impact Coherent’s infrastructure in the event of a cybersecurity incident affecting those third-party systems, such as through vendors and other service providers. The Company also regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Risk Management Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

Cybersecurity risks and threats, including as a result of any previous cybersecurity incidents, have not materially impacted and are not reasonably expected to materially impact Coherent or Coherent’s operations to date. However, the Company recognizes the ever-evolving cyber risk landscape and cannot provide any assurances that it will not be subject to a material cybersecurity incident in the future.


Company Information

Name: COHERENT CORP.
CIK: 0000820318
SIC Description: Optical Instruments & Lenses
Ticker: COHR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 29