ANALOG DEVICES INC 10-K Cybersecurity GRC - 2024-11-26

Page last updated on November 26, 2024

ANALOG DEVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 16:01:53 EST.

Filings

10-K filed on 2024-11-26

ANALOG DEVICES INC filed a 10-K at 2024-11-26 16:01:53 EST
Accession Number: 0000006281-24-000204


Item 1C. Cybersecurity.

Risk Management and Strategy

As part of our enterprise security program, we perform risk assessments relating to cybersecurity and technology risks. Our enterprise security program has been developed based on industry standards, including those published by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology. The program includes a comprehensive set of enterprise security policies and procedures that guide our protection strategy. Our policies, procedures and practices include, but are not limited to:

- identifying critical assets and high-risk threats and analyzing identified risks to determine the potential impact on the organization and the likelihood of occurrence;
- cybersecurity detection, controls and remediation practices, including vulnerability assessments, penetration testing and tabletop exercises;
- an incident response and recovery plan that includes escalation protocols, procedures for containment of incidents and investigation and remediation procedures;
- installation of and regular updates to antivirus software on all company managed systems and workstations to detect and prevent malicious code from impacting our systems;
- conducting regular workforce trainings for employees to identify cybersecurity concerns and educate employees on potential risks and best practices;
- evaluating the effectiveness of our program by performing internal assessments;
- periodic external audits by an independent third party to test for the adequacy of, and compliance with, controls and standards; and
- regular collaboration with leading global security providers, intelligence and law enforcement communities and industry peers to exchange information on trends and best practices in order to address new and evolving cybersecurity risks.

We have in place a third-party risk management program to evaluate the cyber postures of our critical partners who handle the Company’s sensitive data in order to identify, monitor and address material cybersecurity risks that may arise from such third-party relationships.

While we have experienced cybersecurity incidents in the past, in the last three years we have not experienced any cybersecurity incidents that have materially affected or are currently viewed as reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, the scope and impact of any future incidents cannot be predicted and there can be no assurance that our enterprise security program will be effective in preventing material cybersecurity incidents in the future. See the risk factor titled “Our computer systems and networks are subject to attempted security breaches and other cyber incidents and a significant disruption in, or breach in security of, our information technology systems or certain products could materially and adversely affect our business or reputation.” in Risk Factors in Part I, Item 1A of this Annual Report on Form 10-K for further information.

Governance

Management is responsible for assessing and managing our day-to-day risks and control systems, and our Board is responsible for overseeing our enterprise risk management programs as a whole. The Board has delegated the oversight of cybersecurity risk assessment and management to the audit committee. As reflected in its charter, the audit committee is responsible for overseeing and reviewing the Company’s cybersecurity and information security programs, practices and risk mitigation efforts. The audit committee receives quarterly reports on cybersecurity risks, or more frequent reports if circumstances dictate.

We have established a cross-functional Cybersecurity Steering Committee, comprised of our Chief Information Officer (CIO), our Chief Information Security Officer (CISO) and other senior management. The Cybersecurity Steering Committee is charged with overseeing the management of our enterprise security program, including reviewing and prioritizing cybersecurity risks, monitoring potential incidents, establishing key mitigation initiatives, overseeing cybersecurity governance and promoting and supporting cybersecurity best practices. The Cybersecurity Steering Committee is chaired by our CISO, who reports to our CIO. Both our CISO and our CIO have extensive experience in assessing and managing cybersecurity programs and risk management through serving in various senior roles in information technology and cybersecurity, serving on external Boards of Directors and holding multiple industry-recognized certifications.

The prevention, detection, mitigation and remediation of cybersecurity incidents is accomplished pursuant to various policies, procedures and processes, including our incident response and recovery plan and the other elements of our enterprise security program described above under “Risk Management and Strategy.” These measures include escalation protocols through which the Cybersecurity Steering Committee is informed about cybersecurity and incidents by our CISO. As part of our enterprise security program, we have communication processes enabled for employees to identify and report threats or potential vulnerabilities.

Our CIO and CISO provide regular updates to the full Board on the performance of, and enhancements to, key information technology projects, our enterprise security program and risk mitigation efforts, including relevant findings of the Cybersecurity Steering Committee. The full Board also receives updates from the audit committee.

In addition, there are protocols in place for immediate escalation in the event of any cybersecurity issues or developments that may require consideration between regularly scheduled audit committee or Board meetings. Our internal audit team also provides regular updates to the audit committee on the performance of our enterprise security program from an internal audit perspective. In addition, our Chief Compliance and Risk Officer, who oversees our overall enterprise risk management and compliance programs and chairs our Enterprise Risk Management Committee, provides regular reports to the full Board, including periodic updates on risk management.


Company Information

Name: ANALOG DEVICES INC
CIK: 0000006281
SIC Description: Semiconductors & Related Devices
Ticker: ADI - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: November 1