Marvell Technology, Inc. - (MRVL)
10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K, and have implemented processes for our systems taking guidance from recognized cybersecurity frameworks, such as U.S. National Institute of Standards and Technology (“NIST”) Cyber Security Framework (“CSF”) in an effort to mitigate risks. As part of these proactive measures, we maintain a Cybersecurity Incident Response and Escalation Process with defined roles, responsibilities, and reporting protocols that is periodically reviewed, tested, and updated. The Company has an Executive Cyber Response and Disclosure Committee (consisting of senior executives from the business, finance, operations and legal functions), which is responsible for determining what actions are necessary to respond to cybersecurity events, with input from the Chief Information Security Officer and other subject matter experts directly participating in incident response efforts.
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Additionally, on a quarterly basis, our Audit Committee receives reports from the Chief Information Officer, Chief Information Security Officer, and other members of management. As part of its annual assessment, the Audit Committee evaluates significant risks related to our business including cybersecurity risks, and provides such information to our Board of Directors. Our Internal Audit Group also reviews our cybersecurity governance and controls annually.
Our cybersecurity risk management program encompasses periodic risk assessments, designed to help identify cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment. More specifically, an independent third-party performs a regular penetration test of Marvell’s IT infrastructure. In addition to our penetration testing, an independent third-party security firm is engaged to perform additional security controls testing and provide an independent report to our executive team. This external assessment provides us and our Audit Committee with a comprehensive evaluation of our security posture.
Our information security team plays a pivotal role in managing our cybersecurity risk. They oversee security controls and orchestrate our response to incidents—whether they originate internally or from our vendors, suppliers or other third parties that we conduct business with. As part of our vendor selection process, we evaluate cybersecurity risks in appropriate situations. Furthermore, we conduct tabletop exercises periodically. These simulations allow us to test our response strategies across various business functions, allowing preparedness for real-world incidents. When risks are identified through our processes, we analyze their potential impact on the Company and assess the likelihood of occurrence. Our monitoring efforts help us to timely mitigate and remediate risks and incidents. As part of our commitment to security awareness, information security training is mandatory for every employee and contractor. This ongoing compliance program reinforces best practices and helps to foster a security-conscious culture.
To safeguard our systems, we regularly install and update anti-malware and endpoint detection and response software across all IT-managed systems and workstations. These measures help detect and prevent malicious code from compromising our infrastructure.
We also engage third-party providers to bolster our cybersecurity risk management and strategy. Some provide ongoing assistance, including threat monitoring, mitigation strategies, and updates on emerging trends. Others provide targeted expertise, such as security assessments and forensic analysis.
Cybersecurity Governance
Our Board of Directors considers cybersecurity and other information technology risk as part of its risk oversight function. The Audit Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) on our cybersecurity risks and risk management program. Our cybersecurity team, led by our CISO, who reports directly to our Executive Vice President and Chief Operations Officer, is responsible for assessing and managing risks from cybersecurity threats. The CISO and his team have primary responsibility for our overall cybersecurity risk management program and supervise both our internal cybersecurity personnel and any retained external cybersecurity experts. Our CISO has over 20 years of security experience managing global security organizations including architecture, operations, strategy, applications, infrastructure, support and execution. The information security team collectively have decades of relevant experience in the industry and many hold various cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager. Further, we invest in regular, ongoing cybersecurity training for our team.
The CISO reports such cybersecurity threats and incidents to the Audit Committee. These reports may be included in, or in addition to, his regular quarterly reports to the Audit Committee. In addition, pursuant to our internal procedures, in the event of a significant cybersecurity incident, members of senior management will report such threats and incidents in a timely manner directly to the Audit Committee and, when appropriate, to the full Board of Directors.
We, like other technology companies operating in the current environment, have experienced cybersecurity incidents, but in the last three years we have not experienced an incident which has been determined to be material. For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to “Cybersecurity risks could adversely affect our business and disrupt our operations” in Item 1A, “Risk Factors,” in this annual report on Form 10-K.