Page last updated on March 20, 2025
Shimmick Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 16:35:04 EDT.
Filings
10-K filed on 2025-03-20
Shimmick Corp filed a 10-K at 2025-03-20 16:35:04 EDT
Accession Number: 0000950170-25-042721
Item 1C. Cybersecurity.
We maintain a data security plan designed to provide a documented and formalized information security policy to detect, identify, classify and mitigate internal and external cybersecurity and other data security threats. This cybersecurity program is based in part on, and its effectiveness is measured using, applicable industry standards, and is integrated into our overall enterprise risk management program. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes.

In furtherance of detecting, identifying, classifying and mitigating cybersecurity and other data security threats, including such threats associated with our use of any third-party service providers, we also:

- assess and analyze baseline configuration standards to ensure that they meet the intent and effectiveness required for the overall safety and security (both logically and physically) of critical system components;
- ensure the asset inventory for relevant system components is kept current and accurate;
- ensure that network connection arrangement documents are kept current and accurate;
- limit access rights to system components to authorized personnel only, with all end-users being properly granted access in accordance with stated access rights policies and procedures;
- deploy anti-virus solutions on all applicable system components, with the respective anti-virus solutions being the most current versions available from applicable vendors, enabled for automatic updates and configured for conducting periodic scans as necessary;
- provision, harden, secure and lock down critical system resources;
- use internal and external vulnerability scanning procedures, along with network layer and anti-hacking tests;
- facilitate requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits; and
- provide mandatory training and optional certification accreditation for purposes of maintaining an acceptable level of information security expertise necessary for configuration management.

Conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in our businesses. Like other comparable-sized companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. As of the date of this Form 10-K, we do not believe any risks from previous cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our results of operations or financial condition. However, cybersecurity attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. Despite our security measures, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information about these and other cybersecurity risks faced by us, see "Risk Factors - Risks Related to Our Business and Industry - We rely on IT systems to conduct our business, and disruption, failure or security breaches of these systems could adversely affect our business and results of operations" and "- Cybersecurity attacks on or breaches of our information technology environment could result in business interruptions, remediation costs and/or legal claims".

Our board of directors has ultimate oversight for risks relating to our data security plan. In addition, the board of directors has delegated primary responsibility to the Audit Committee for assessing and managing data privacy and cybersecurity risks, reviewing data security and cybersecurity policies and processes with respect to data privacy and cybersecurity risk assessment and management, reviewing steps management has taken to monitor and control such risks, and regularly inquires with our management team, internal auditors and independent auditors in connection therewith. The Audit Committee is also responsible for overseeing our investigation of, and response to, any cybersecurity attacks or threats.

We also have a dedicated team of employees overseeing its data security plan and initiatives, led by our Director of IT. With over fifteen years of experience in the field of cybersecurity, our Director of IT brings a wealth of expertise to his role. His background includes extensive experience in all facets of information technology and information security. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our Director of IT also works directly in consultation with internal and external advisors in connection with data security planning and initiatives. We engage such external advisors to assist with the evaluation of our technology, security, critical risk areas and related controls to improve our ability to identify and detect, protect against, and recover from, cybersecurity incidents and other evolving threats and to appropriately benchmark against industry practices.

We have developed a procedure by which the board of directors and management are informed about relevant cybersecurity risks, allowing for effective cybersecurity oversight and the ability of the Company to monitor, prevent, detect, mitigate and remediate cybersecurity incidents. The results of our evaluations and the feedback from its engagements are used to drive alignment on, and prioritization of, initiatives to enhance our cybersecurity strategies, policies, and processes and make recommendations to improve processes.

In the event of a potential or actual cybersecurity event, the Director of IT immediately notifies general counsel at which point the information security incident response plan is activated if warranted. The information security incident response plan provides the procedures for responding, including personnel required to be informed and updated. The board of directors is informed promptly in the event such incident is, or is reasonably expected to have, a material impact on operations or financial condition.
Company Information
Name | Shimmick Corp |
CIK | 0001887944 |
SIC Description | Heavy Construction Other Than Bldg Const - Contractors |
Ticker | SHIM - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company Emerging growth company |
Fiscal Year End | December 30 |