Lumentum Holdings Inc. 10-K Cybersecurity GRC - 2024-08-21

Page last updated on August 22, 2024

Lumentum Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-21 16:11:25 EDT.

Filings

10-K filed on 2024-08-21

Lumentum Holdings Inc. filed a 10-K at 2024-08-21 16:11:25 EDT
Accession Number: 0001628280-24-038024


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity risk management is an important part of and is integrated into our overall enterprise risk management framework, with cybersecurity risks being among the core enterprise risks identified for oversight by our Board of Directors (the “Board”) through our annual enterprise risk assessment. We maintain an enterprise-wide cybersecurity risk assessment program and framework that is designed to identify, assess, and manage cybersecurity risk, vulnerabilities, and threats. The foundation of our cybersecurity program is based on the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. In alignment with the concepts and principles articulated in these standards, we have implemented controls related to cybersecurity threats and incidents including monitoring, log collection and analysis, threat hunting and intelligence surveillance, and regular vulnerability scans/penetration tests.

Additionally, in furtherance of assessing, identifying, and managing material cybersecurity risks, we:

- Leverage technology solutions to provide protection for our assets and detect threats in our environment;
- Regular vulnerability assessments and penetration testing to identify, assess, and remediate weaknesses;
- Maintain an enterprise-wide disaster recovery governance program, which includes cybersecurity-related disaster recovery policies and procedures related thereto;
- Regularly perform cybersecurity-related disaster recovery testing designed to ensure that the Company’s mission-critical systems are recoverable, in support of our business continuity needs; and
- Work with each of our business and corporate groups with our internal cybersecurity program to integrate cybersecurity requirements into operating environments as appropriate, which drives business strategies, budgeting, and similar processes.

In addition, executive management, as well as our Board, regularly review our financial planning processes for these areas, inclusive of our cybersecurity programs. Changes or additions to our cybersecurity risk assessment program and related practices and procedures described above in response to cybersecurity needs are reviewed by our Cybersecurity Steering Committee (“CSC”), which is an executive management-level cross-functional group.

We regularly engage independent third parties to assess our cybersecurity program and practices, and to assist with risk mitigation. The effectiveness of our cybersecurity environment is regularly tested by internal personnel and these third parties. These assessments are performed in conformance with ISO standards and requirements. Enhancements to our cybersecurity program and practices are identified from assessment findings, and if deemed appropriate, implemented.

In addition, we evaluate critical systems and applications hosted by third parties for cybersecurity risks and we also assess the security posture and features of those services. This includes review and monitoring of the third party, and inclusion of cybersecurity requirements in contractual agreements to ensure third party services meet our standards for such providers, and the cybersecurity risks associated with the use of these services are appropriate.

For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors - Any failure, disruption or security breach or incident of or impacting our information technology infrastructure or information systems have an adverse impact on our business and operations.” We believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. However, we can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Governance

Our Board oversees our enterprise risk management program and practices, and the Audit Committee assists the Board in its oversight of cybersecurity matters. Quarterly updates are presented to our Audit Committee by our Chief Information Security Officer (“CISO”) on cybersecurity risks and threats. In addition, our Audit Committee provides Board-level oversight for management’s actions with respect to practices, procedures and controls used to identify, assess, and manage our key cybersecurity programs and risks, and, as necessary, responses to any significant cybersecurity incidents.

Our cybersecurity program is led by our CISO who manages a team of cybersecurity professionals. Our CISO has over 20 years of experience in cybersecurity and technology, including as a CISO at another public company. Members of our cybersecurity team, combined, have over 80 years of cybersecurity experience and hold professional certifications, including Certified Information Systems Security Professional (“CISSP”).

As noted above, we also maintain a Cybersecurity Steering Committee, or CSC, which consists of our Group Vice President, IT and CISO, Executive Vice President, Chief Financial Officer, Executive Vice President, Chief Human Resources Officer, Senior Vice President, General Counsel, Senior Vice President, Global Operations, Senior Vice President, Chief Accounting Officer, and Vice President, Internal Audit. The CSC group has the primary day-to-day responsibility to monitor and manage cybersecurity risks. The CSC provides oversight of the cybersecurity initiatives within Lumentum and is responsible for integrating cybersecurity risk management practices with critical business processes so that cybersecurity is appropriately addressed throughout Lumentum.


Company Information

Name: Lumentum Holdings Inc.
CIK: 0001633978
SIC Description: Communications Equipment, NEC
Ticker: LITE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 28