Page last updated on February 25, 2025
MKS INSTRUMENTS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 14:30:38 EST.
Filings
10-K filed on 2025-02-25
MKS INSTRUMENTS INC filed a 10-K at 2025-02-25 14:30:38 EST
Accession Number: 0000950170-25-026433
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

We primarily assess, identify and manage material risks from cybersecurity threats through our enterprise information security program, which is maintained by our Chief Information Security Officer (“CISO”) and overseen by our Executive Vice President and Chief Information Officer (“CIO”). Our enterprise information security program, which is designed to ensure that our information systems are adequately protected, is based on frameworks established by the National Institute of Standards and Technology and other applicable industry standards. We consider our enterprise information security program to be a key component of our overall risk management system, with program elements evaluated annually and briefings provided to management each quarter.

As part of our enterprise information security program, we regularly assess and deploy technical safeguards designed to detect cybersecurity threats and protect our information systems from these threats. In addition, we maintain incident response and recovery plans, the effectiveness of which is tested and evaluated on a regular basis. We also provide privacy and security training, including quarterly phishing education campaigns, to enhance employee awareness of how to detect and respond to cybersecurity threats.

We regularly engage assessors, consultants, auditors and other third parties to support our enterprise information security program. These engagements encompass a variety of activities, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The information gleaned from these assessments, audits and reviews is used to enhance our enterprise information security program, including cybersecurity policies, standards, processes and practices. In addition, significant findings from these assessments are reported to management and the Audit Committee of our Board of Directors (the “Board”).

We also have processes in place to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers. Third-party service providers are subject to security risk assessments at the time of on-boarding, contract renewal, and upon detection of an increase in risk profile. We have similar processes in place to oversee and identify cybersecurity-related risks posed by our suppliers.

Risks from Cybersecurity Threats

We and our third-party administrators, vendors and partners are subject to ongoing cybersecurity threats. While we cannot guarantee that these threats will not have an adverse impact on us, these threats did not materially affect us during the year ended December 31, 2024 and we do not believe such threats are reasonably likely to materially affect us in the future, including with respect to our business strategy, results of operations, or financial condition. For more information on risks related to cybersecurity, refer to “Risk Factors-Risks Related to Cybersecurity, Data Privacy and Intellectual Property Protection.”

Governance

Board of Directors’ Oversight of Risks from Cybersecurity Threats

The Audit Committee is primarily responsible for oversight of risks from cybersecurity threats. As set forth in the Amended & Restated Audit Committee Charter, the Audit Committee oversees the steps management takes to monitor and control our data privacy and cybersecurity risk exposure. The Board delegated this responsibility to the Audit Committee in part because it includes members with significant experience and/or expertise in cybersecurity and other technology matters.

The Audit Committee is informed of risks from cybersecurity threats through regular reports from our CIO and CISO. Our CIO and CISO report to the Audit Committee at least quarterly. The Audit Committee actively engages with our CIO and CISO regarding these risks. Depending on the materiality of a risk, the Audit Committee, CIO or CISO may report on such risk to the full Board. In addition, from time to time, the Board may constitute a special committee to focus on a particular cybersecurity matter or risk.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

Management is integral to assessing and managing our material risks from cybersecurity threats. While all members of management are involved in the review of these risks, our CIO oversees and is responsible for our cybersecurity program. Our CIO is a seasoned technology leader and change agent who has served as the top technology executive for multi-billion-dollar global organizations spanning diverse industries. With over 25 years of experience, our CIO has led business and information technology transformations, implemented global digital strategies, and optimized and integrated governance, risk, and compliance frameworks, processes and technologies in complex regulatory and industry environments. We believe our CIO’s knowledge, skills and experience provide significant value to our Company.

Our CIO and CISO provide regular reports to management regarding risks from cybersecurity threats and the prevention, detection, mitigation and remediation of cybersecurity incidents. Within our information technology organization, our CISO and other key members of our information security team provide regular reports to our CIO. As discussed above, our CIO and CISO also provide regular reports regarding risks from cybersecurity threats to our Audit Committee and, depending on the materiality of a risk, the full Board. In addition, from time to time, members of management may provide reports to a special committee of the Board for cybersecurity.
Company Information
Name | MKS INSTRUMENTS INC |
CIK | 0001049502 |
SIC Description | Industrial Instruments For Measurement, Display, and Control |
Ticker | MKSI - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | December 30 |