Keysight Technologies, Inc. 10-K Cybersecurity GRC - 2024-12-17

Page last updated on December 17, 2024

Keysight Technologies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-17 16:05:47 EST.

Filings

10-K filed on 2024-12-17

Keysight Technologies, Inc. filed a 10-K at 2024-12-17 16:05:47 EST
Accession Number: 0001601046-24-000159


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our overall information security program applies an enterprise-wide, risk-based approach to information security that enables us to assess, identify and manage risk exposures, including material risks from cybersecurity threats, in a timely manner. Our information security operations and procedures provide a comprehensive Information Security Management System ("ISMS") that enables us to maintain the confidentiality, integrity, and availability of information and systems in our environment. Our information security policies are based on the National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171 framework and apply to the entire enterprise.

We have a dedicated Information Security and Compliance organization ("ISC") that owns and operates the ISMS. The ISC organization reports directly to Keysight's Chief Information Security Officer ("CISO") and includes functions such as information security policy management, risk management, vulnerability management, compliance assurance, identity and access management, incident management, security awareness and education, and information technology ("IT") disaster recovery. Our management team has relevant expertise and experience in understanding risks from cybersecurity threats and overseeing risk management processes. Our CISO is an experienced cybersecurity senior executive with more than 25 years' experience in building and leading cybersecurity, risk management and information technology teams.

Our cybersecurity risk management program includes:

- Incident Detection and Response: A cybersecurity incident detection and response plan to prepare for, detect, respond to and recover from cybersecurity incidents, which includes processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
- Risk Assessment: Our enterprise-wide risk management programs and Information Security Review process are designed to identify, assess, document, monitor and report information security risks. Based on this information, we evaluate the likelihood and impact of harmful events and deliver recommendations regarding a response to the risks presented. Feedback from internal audits, external assessments, and industry benchmarks is used to improve our cybersecurity posture.
- Training and Awareness: Implementation of enterprise-wide mandatory annual security awareness training for employees, including cybersecurity and data privacy training. We regularly deploy enterprise-wide phishing simulation tests with mandatory follow-up training and education, which are reviewed at least annually and are updated as needed. Additionally, we provide an easy mechanism for employees to report suspicious email messages to the information security team for additional investigation.
- Security Tools Optimization: Utilization of a variety of tools designed to protect our network and systems, including firewalls, intrusion detection and prevention systems, web content filtering protection, anti-virus and malware detection tools, system scans and full disk encryption.
- Third Party Risk: Keysight's Third Party Cyber Risk Management ("TPCRM") is a systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures. In addition, Keysight maintains information security risk insurance to offset the costs of an information security breach. The policy is reviewed annually and updated as needed. We also engage with approved third-party companies that review our regulatory compliance, validate control performance, perform penetration testing and provide impartial risk assessments.

To date, we have not identified risks from cybersecurity threats or incidents, including as a result of any previous cybersecurity incidents, that have materially affected the company or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition. For more information on how cybersecurity risk could materially affect the company's business strategy, results of operations, or financial condition, please refer to "Item 1A. Risk Factors."

Governance and Oversight

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Audit and Finance Committee, which is comprised entirely of independent directors with information security experience, oversees and monitors the company's information security programs. Additionally, one of our independent directors has a CERT Certification in Cybersecurity Oversight from the Carnegie Mellon University Software Engineering Institute. The Chief Information Officer ("CIO") meets with the Audit and Finance Committee regularly to report on risks, mitigation, initiatives, compliance and outcomes, and the Audit and Finance Committee reports relevant information to the full Board.

The CISO is responsible for the ISMS and reports directly to the CIO. The CIO is the head of the company's global IT team, which has an integrated governance structure consisting of a Senior Executive Committee, a Cyber Executive Committee and Cyber Leaders. The Senior Executive Committee meets quarterly, prioritizes the information technology components of strategic business imperatives and oversees IT capability and security programs. The Cyber Executive Committee meets monthly, reviews identified risks, sponsors initiatives to address risk and oversees security and compliance responses. Cyber Leaders are management representatives from all functions and lines of business who are responsible for executing programs and initiatives sponsored by the Senior Executive Committee.


Company Information

Name: Keysight Technologies, Inc.
CIK: 0001601046
SIC Description: Industrial Instruments For Measurement, Display, and Control
Ticker: KEYS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: October 30