UNIVERSAL ELECTRONICS INC - (UEIC)
10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY
We have developed cybersecurity risk management processes to identify, manage, and prevent risks related to cybersecurity. Our Information Technology ("IT") team manages our cybersecurity program and the security measures and processes we have in place.
Risk Management and Strategy
Global cybersecurity threats and incidents can pose risks to UEI, impacting data security, operational efficiency, and financial stability. Our business requires collection, processing, and retention of large volumes of Company and sensitive and confidential third party data, including personally identifiable information in various information systems that we maintain and in those maintained by third parties with whom we contract, including in areas such as customer product servicing, human resources outsourcing, website hosting, and various forms of electronic communications. Cybersecurity incidents risk disclosure of sensitive information and disruption of our operations. Financial consequences include recovery costs, fines, and potential legal repercussions. Such incidents could result in losses, severely damage our reputation or expose us to the risks of litigation and liability.
Cybersecurity is managed as part of the Company's enterprise risk management program. We have integrated cybersecurity risk management into our enterprise-wide risk assessment through evaluations of IT infrastructure, compliance audits and aligning cybersecurity goals with overall business objectives. We work with cybersecurity experts to better understand potential cybersecurity threats.
Measures we have employed to identify potential cybersecurity threats include advanced threat detection systems, such as intrusion detection systems and security information and event management tools. We manage and work to prevent these cybersecurity threats using a variety of strategies, including deploying firewalls and anti-malware tools, implementing access controls and leading security audits. Our incident response plans and monitoring systems also support detection and prevention of cybersecurity threats.
We aim to monitor these risks in connection with third parties in addition to our own operations. We collaborate with external cybersecurity consultants and auditors for independent audits and vulnerability assessments of our existing processes and systems. Our third-party cyber risk assessment program is designed to oversee certain third parties and have those third parties adhere to cybersecurity standards. This program has measures to help further manage and attempt to mitigate potential cybersecurity risks arising from third-party engagements, including security audits, compliance checks for cybersecurity standards, risk evaluation procedures for certain third parties, contractual security requirements in certain third party agreements and monitoring tools. We conduct cybersecurity training with our employees as appropriate based on their roles within the Company.
26
Governance
Our Board of Directors plays a role in guiding and overseeing our cybersecurity strategies. Our Audit Committee maintains responsibility for cybersecurity oversight by setting policies, reviewing risk management strategies and reviewing compliance with legal and regulatory requirements. The Audit Committee, as appropriate, briefs the broader Board of Directors on cybersecurity matters.
Management is also responsible for upholding our cybersecurity processes. Our Vice President of IT Infrastructure is responsible for cybersecurity oversight and for developing strategies to mitigate cyber risks, monitoring policy compliance and educating staff on security practices. Our Cybersecurity Management team, led by our Vice President of IT Infrastructure, reports to the Audit Committee of the Board of Directors on cybersecurity matters, including incident reports, compliance status and updates on cybersecurity initiatives. The Audit Committee aims to meet at least once each fiscal quarter to specifically address cybersecurity matters, but convenes as necessary to fulfill its cybersecurity oversight responsibilities.
To date, management has not identified risks from cybersecurity incidents, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. While we work to maintain our cybersecurity processes, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks, and data or those of our third-party providers.