Page last updated on November 19, 2024
Dolby Laboratories, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 17:07:55 EST.
Filings
10-K filed on 2024-11-19
Dolby Laboratories, Inc. filed a 10-K at 2024-11-19 17:07:55 EST
Accession Number: 0001628280-24-048519
Item 1C. Cybersecurity.
RISK MANAGEMENT AND STRATEGY
Our approach to cybersecurity risk is based on processes that monitor threats, adapt our capabilities and services, and align our practices with business goals in order to provide security controls that reduce information security risk to the organization and customers. We implement and maintain controls and capabilities for identifying, assessing, and managing risk from cybersecurity threats to the confidentiality, integrity, or availability of our information systems or any information residing therein. We also carry out broad-scope initiatives and project-specific initiatives aimed at continuously improving our cybersecurity posture. Our risk assessments and initiatives include identification of reasonably foreseeable internal and external risks, assessing the likelihood and potential impact that could result from such risks, and planning and implementing risk management controls as applicable. As a result, we adapt safeguards and processes in order to reduce identified risks in our security posture. Our cybersecurity processes form a part of our overall risk management practices and inform our annual enterprise risk assessment conducted by our internal audit team.
We devote resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Information Officer (“CIO”) who in turn reports to our Chief Executive Officer, to manage cybersecurity risk. We received ISO 27001 certification for our cybersecurity function and functionality for streaming media through Dolby Millicast in 2024 and are subject to annual ISO 27001 standard compliance monitoring audits in connection with that certification. We also take part in periodic security audits by our clients and partners.
As part of our overall risk management processes, our employees at all levels are trained on foundational cybersecurity practices annually, and periodically participate in various activities aimed at increasing their awareness of cybersecurity threats and reinforcing their understanding of our security policies.
Periodically, we engage consultants and other third party service providers in connection with our cybersecurity practices. These service providers assist us in event monitoring, conduct testing and provide feedback on our readiness and compliance, conduct tabletop exercises, and are “on-call” in the event of a significant event. We have implemented a third-party risk management process that we use to evaluate the capabilities and security posture of third-party service providers. As part of that process, we review third-party service providers to ensure that they have implemented appropriate security measures in connection with their work with us.
We have not encountered any cybersecurity incident that had a material impact on our operations or financial standing. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, under the heading “Operations”.
GOVERNANCE
One of the key functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our officers are responsible for the day-to-day management of the material risks we face.
Our Board of Directors administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee, which has responsibility for overseeing the adequacy and effectiveness of our cybersecurity and information security programs and policies according to its charter.
Our CISO is primarily responsible for assessing and managing our risks from cybersecurity threats. Our CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity strategy and operations, incident response, cybersecurity education and awareness, threat management, insider threats and regulatory compliance. Our CISO has over 25 years of experience in technology, with more than 15 years in information security, holding multiple roles including five years as a CISO for a health insurance company. Our CISO reports on cybersecurity risk management and other matters to our CIO, who in turn reports to our Chief Executive Officer.
Along with our CISO our security, privacy, audit, risk and compliance council (“SPARC Council”), which is a collection of stakeholders from various functions including cybersecurity, legal, IT, engineering, finance, procurement and audit, oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our CISO and our SPARC Council review the results of assessments, including security simulations and tabletop exercises, and discuss and recommend improvements to our policies and processes. In addition to the general reporting structure applicable to our CISO, the other members of the SPARC Council report on those activities through the reporting lines applicable to them, as needed.
Our CISO along with our CIO typically provide quarterly briefings to the Audit Committee regarding our company’s cybersecurity risks and activities, including recent cybersecurity incidents and strategy development.
The findings from our annual enterprise risk assessment are also presented to the Audit Committee by our internal audit team. Our Audit Committee provides regular updates to the Board of Directors on such reports. In addition, our CISO along with our CIO typically provide annual briefings directly to the Board of Directors on cybersecurity risks and activities.
Company Information
Name | Dolby Laboratories, Inc. |
CIK | 0001308547 |
SIC Description | Patent Owners & Lessors |
Ticker | DLB - NYSE |
Category | Large accelerated filer |
Fiscal Year End | September 26 |