QUALCOMM INC/DE 10-K Cybersecurity GRC - 2024-11-06

Page last updated on November 6, 2024

QUALCOMM INC/DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-06 16:09:04 EST.

Filings

10-K filed on 2024-11-06

QUALCOMM INC/DE filed a 10-K at 2024-11-06 16:09:04 EST
Accession Number: 0000804328-24-000075


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

To identify, assess and manage cybersecurity risks, we maintain an IT security/cybersecurity program (Cybersecurity Program) that is informed in part by international frameworks as well as our specific security requirements and cybersecurity risk profile. We have implemented policies, procedures, processes and administrative, physical and technical controls designed to protect, defend and mitigate effects to us from cybersecurity threats and incidents. For example, we provide recurring employee cybersecurity training to help our employees better understand cybersecurity threats, our policies, actions and approach to managing this type of risk and how they can help increase our security posture. Our Cybersecurity Program also includes an incident response process that is overseen by our Vice President of Cybersecurity and supported by an internal team of cybersecurity specialists, with involvement from business, legal and senior management as appropriate. In the event of a cybersecurity incident, a technical cybersecurity team investigates and addresses the threat, while a cross-functional team assesses the incident to inform criticality determinations and response efforts, including escalations of the incident to senior management as appropriate.

We evaluate and update our cybersecurity risk profile through ongoing assessment of the cybersecurity threat landscape and security monitoring. Our cybersecurity risk profile is used as an input to identify, assess and update our Cybersecurity Program, and associated priorities are updated as new risk information becomes available. Information security, including cybersecurity, is also incorporated into our overall Enterprise Risk Management (ERM) program. Our ERM Operating Committee includes members in senior leadership positions across various functional areas that evaluate enterprise risks and develop and monitor associated mitigation plans. Cybersecurity related risks are included in the risk universe that the committee evaluates to assess top risks to the enterprise. As part of our ERM program, our executive leadership team receives annual updates on enterprise risks, including cybersecurity risks, as well as their potential impact, likelihood, potential mitigation plans and status.

Our Cybersecurity Program, and portions thereof, are periodically reviewed by third-party assessors, consultants, auditors or other firms. For example, we periodically conduct penetration tests and tabletop exercises to simulate attacks against our infrastructure, systems, or portions thereof, in order to validate the efficacy of our security controls and response capabilities. Such exercises are typically conducted with assistance from third-party advisors and experts. Incident response efforts are also supported by external resources such as legal advisors, cybersecurity forensic firms, communications specialists, and other outside advisors and experts as well as law enforcement support, as appropriate. We benefit from engaging third parties to provide specialized skills, knowledge, tools and resources, and such third parties may also help reduce costs, increase efficiency and/or improve the quality of our Cybersecurity Program.

Our supplier community (including suppliers of IT services and other third-party service providers) plays a large role in Qualcomm’s success, and we believe in engaging with our suppliers to help them protect against cybersecurity threats. We operate a supplier cybersecurity assurance program, which is integrated with our procurement processes and supported by the relevant groups within the legal organization, to assess and attempt to mitigate potential cybersecurity risks across our supplier community commensurate with their cybersecurity risk. Specifically, based on a risk classification of the supplier, our third-party risk management process includes steps such as the evaluation of a supplier’s security controls, posture and maturity as well as the identification and treatment of cybersecurity-related risks.

Notwithstanding our Cybersecurity Program as described above, we cannot anticipate, detect, repel or implement fully effective preventative measures against all cybersecurity threats, particularly because the techniques used are increasingly sophisticated and constantly evolving. Like many companies, we have encountered intrusions and attempts to gain unauthorized access to our IT systems or other attacks and incidents, and we have had third-party service providers who have encountered intrusions. However, during fiscal 2024, we did not identify any risks from cybersecurity threats that materially affected or are reasonably anticipated to materially affect our business strategy, results of operations or financial condition. For additional information about the cybersecurity risks we face, including how such risks could affect us in the future, see Part I, Item 1A, “Risk Factors” in this Annual Report, including the Risk Factors titled “Our business and operations could suffer in the event of security breaches of our IT systems, or other misappropriation of our technology, intellectual property or other proprietary or confidential information” and “Failures in our products, or in the products of our customers or licensees, including those resulting from security vulnerabilities, defects or errors, could harm our business.”

Governance

Our Board of Directors has primary responsibility for oversight of our risk management efforts, with support from its standing committees. In particular, the Audit Committee of our Board assists the Board in fulfilling its oversight responsibilities with respect to our Cybersecurity Program. As part of its oversight of IT security/cybersecurity matters, the Audit Committee receives cybersecurity updates on a quarterly basis and an IT security/cybersecurity briefing from management, typically including our Vice President of Cybersecurity, on at least a semi-annual basis. At least annually, the full Board also receives updates on the Cybersecurity Program and cybersecurity risks. In addition to this regular reporting, significant cybersecurity threats or incidents may also be escalated on an as-needed basis through our organizational structure in accordance with our incident response process.

Key elements of our Cybersecurity Program, including defending against key cybersecurity threats and risks, are overseen by our Vice President of Cybersecurity, the Information Security and Risk Management (ISRM) organization, and certain legal functions under the office of the General Counsel, which includes subject matter experts focused on identifying and managing cybersecurity threats and consequences where technically feasible and commensurate with risk. Our Vice President of Cybersecurity has over 20 years of experience in cybersecurity gained across numerous leadership roles in Qualcomm’s IT and Cybersecurity organization, including security architecture, risk and compliance, incident response, security operations and identity management. That experience is supplemented by the collective experience and expertise across the ISRM organization, which includes the Cyber Security Operations Center, Cyber Defense Engineering Services, Cyber Identity and Architecture, Cyber Governance Risk and Compliance, and Threat Intelligence teams, among others. The Cybersecurity Program is also supported by additional members of senior management, including our Chief Financial Officer and Chief Operating Officer, Chief Technology Officer, Chief Human Resources Officer and General Counsel, through regular reporting and review.


Company Information

Name: QUALCOMM INC/DE
CIK: 0000804328
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: QCOM - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 28