SYNOPSYS INC 10-K Cybersecurity GRC - 2024-12-18

Page last updated on December 19, 2024

SYNOPSYS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-18 21:23:35 EST.

Filings

10-K filed on 2024-12-18

SYNOPSYS INC filed a 10-K at 2024-12-18 21:23:35 EST
Accession Number: 0000883241-24-000024


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We maintain a cybersecurity program and incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan.

Our approach includes, among other things:

- Security and privacy reviews designed to identify risks from new features, software, suppliers and vendors;
- A vulnerability management program designed to identify software vulnerabilities;
- A variety of tools designed to monitor our networks, systems, and data for suspicious activity;
- An internal red team program that simulates cyber threats, enhancing our ability to fix vulnerabilities before they are exploited by threat actors;
- A threat intelligence program designed to model and research our adversaries;
- Products and services to structure, test, and assess the rigor of our software security practices;
- A variety of privacy, cybersecurity, and incident response trainings and simulations, including regular controlled penetration testing and cyber incident exercises to test the robustness of our data security protections and incident response readiness;
- For suppliers and service providers, pre-engagement risk-based diligence, contractual security and notification provisions, and ongoing monitoring as appropriate; and
- Maintaining cyber liability insurance that covers certain liabilities related to data breaches and related incidents.

Synopsys' cybersecurity program is designed to leverage multiple industry-recognized frameworks, including the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and the ISO/IEC 27001 Information Security Management Framework, and is assessed regularly by our internal audit department. We track our NIST CSF implementation through periodic third-party maturity assessments that provide the basis for establishing performance goals for the coming period. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process.

As part of this process, appropriate personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. As part of the above approach and processes, we regularly engage with assessors, consultants, auditors, and other third parties to help identify areas for continued focus, improvement and/or compliance. Since 2015, we have not experienced any material cybersecurity incidents, and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. In our risk factors, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See our risk factor disclosures in Part I, Item 1A of this Annual Report.

Cybersecurity Governance

Information technology and data security, particularly cybersecurity, is a top area of focus for our Board of Directors (the Board), which considers these areas as essential for the success of our company and the broader technology industry in which we operate. Our Board is actively involved in overseeing cybersecurity risk management. At least once a year, senior management, including our Chief Information Security Officer (CISO), presents to the Board on Synopsys' cybersecurity performance and risk profile. Further, senior management and our CISO present semiannually to our Corporate Governance and Nominating Committee (CGN Committee) on Synopsys' cybersecurity risk oversight activities and cybersecurity preparedness efforts.

The CGN Committee of our Board, a majority of whom are individuals with a strong background in cybersecurity and related matters, meets with members of senior management to review our information technology and data security policies and practices, and to assess current and potential threats, cybersecurity incidents and related risks. Our CISO reports directly to our executive management team, advises Synopsys on cybersecurity risks and assesses the effectiveness of information technology and data security processes. The materials presented to our Board and CGN Committee include updates on our data security posture, results of third-party assessments, progress towards pre-determined risk-mitigation related goals, our incident response plan, and certain cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Members of the Board and the CGN Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and to discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks may also be considered during separate Board meeting discussions.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CISO. Our CISO has over 30 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs. Our CISO holds a Bachelor of Science in Information Technology and a Master of Business Administration, and is also a Certified Information Systems Security Professional. He oversees our cybersecurity program and chairs a cross-functional committee that spans information security, IT, product security, physical security, and legal.

Our CISO and other members of senior management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such material cybersecurity incident.


Company Information

Name: SYNOPSYS INC
CIK: 0000883241
SIC Description: Services-Prepackaged Software
Ticker: SNPS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: October 30