NETGEAR, INC. 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

NETGEAR, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 17:02:54 EST.

Filings

10-K filed on 2025-02-14

NETGEAR, INC. filed a 10-K at 2025-02-14 17:02:54 EST
Accession Number: 0000950170-25-021413


Item 1C. Cybersecurity.

Risk management and strategy

We implement and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).

Our cybersecurity functions include representatives from information technology, engineering, information security, legal, impacted business units or products and other departments as applicable (together, the “Cybersecurity Team”) helps identify, assess and manage the Company’s cybersecurity threats and risks. The Cybersecurity Team is responsible for identifying, assessing and managing cybersecurity risks by monitoring and evaluating our threat environment using various methods including, for example manual and automated tools such as vulnerability scans, penetration tests and a public bug bounty program; subscribing to reports and services that identify cybersecurity threats; conducting risk assessments and internal and external audits; using external intelligence feeds; and conducting tabletop incident response exercises.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: (1) having an information security incident response plan for incident detection and response; (2) maintaining a disaster recovery plan, business continuity program, vulnerability management process and vendor risk management process; (3) conducting periodic risk assessments and employee training on cybersecurity; (4) maintaining security controls intended to address certain recognized industry cyber frameworks; (5) encrypting and segregating data, having network security controls, access controls and physical security, monitoring systems, managing assets (tracking and disposal) and conducting penetration testing; and (6) maintaining cybersecurity insurance.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program; (2) our Cybersecurity Team works with our management team in an effort to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our Cybersecurity Team and management team evaluates material risks from cybersecurity threats against our overall business objectives and reports to the cybersecurity committee chairperson of the board of directors who may then notify the cybersecurity committee and board of directors (as appropriate), to further evaluate our overall enterprise risk.

We use third-party service providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats. For example, these service providers include professional services firms, threat intelligence service providers, managed cybersecurity service providers, penetration testing firms and forensic investigators. We also have a public bug bounty program.

We use third-party service providers to perform a variety of functions throughout our business, such as using application providers for core applications (including finance, HR, CRM, email services, collaboration tools etc.), hosting companies for our websites, contract manufacturing organizations, distributors and supply chain resources for software, hardware, manufacturing and distribution of our products. We have a vendor management process designed to manage cybersecurity risks associated with our use of these providers. This process includes risk assessments, security questionnaires, review of vendor security programs, review of available security assessments, reports, and audits. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the type of provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including "Product security vulnerabilities, system security risks, data protection breaches, cyber-attacks, improper use of artificial intelligence (“AI”) tools, and other threats and risks, could disrupt or otherwise compromise our products, services, internal operations or information technology systems, or those of third parties with whom we work. Actual or perceived non-compliance with our privacy and security obligations could lead to regulatory investigations or actions, litigation, fines and penalties, business operation disruption, reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse business consequences.".

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ cybersecurity committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Information Officer, our VP of Corporate Cybersecurity and our Chief Technology Officer of Software, each of whom have over 20 years of industry expertise, including past roles at other public companies and as consultants. Our Chief Information Officer and Chief Technology Officer of Software are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Chief Information Officer and Chief Technology Officer of Software are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our information security incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the incident response leadership team. The incident response leadership team works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s information security incident response plan includes reporting to the cybersecurity committee chairperson of the board of directors for certain cybersecurity incidents and, if appropriate, the cybersecurity committee and the board of directors.

The cybersecurity committee receives periodic notices (written and verbal) from the Cybersecurity Team concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented that are intended to address them. The cybersecurity committee also receives quarterly reports, summaries or presentations related to the Company’s cybersecurity program as it relates to both our corporate systems and products.


Company Information

Name: NETGEAR, INC.
CIK: 0001122904
SIC Description: Telephone & Telegraph Apparatus
Ticker: NTGR - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30