MAGNACHIP SEMICONDUCTOR Corp - (MX)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Cybersecurity risks and data protection are key components of our long-term strategy and enterprise risk management program and are integrated into our overall risk management systems and processes. We maintain processes for assessing, identifying and managing material risks from cybersecurity threats, and we routinely invest in the development and implementation of essential cybersecurity systems, infrastructures and processes to protect the security and integrity of our systems, networks, databases and proprietary information. Key areas of our cybersecurity risk management processes and strategy currently include:
 
   
Compliance with industry standards and regulatory frameworks: Our information security management system is ISO 27001 certified. In addition, we align our standards to comply with South Korea’s industrial technology protection law (Act on Prevention of Divulgence and Protection of Industrial Technology), which prevents technologies vital to South Korean national security or economic competitiveness from being divulged to or shared with foreign countries or corporations without the government’s approval.
 
   
Ongoing Evaluation and Assessment of Systems and Procedure: We monitor compliance with regulatory, industry and evolving data privacy requirements and update our cybersecurity risk management program from time to time as appropriate. We also continuously monitor our information security systems and processes on an ongoing basis to identify and remediate cybersecurity threats and vulnerabilities that could be exploited to adversely impact our business operations. To better preemptively identify risks and vulnerabilities in our security systems, we perform penetration testing for security controls using external third-party tools and encourage vulnerability reporting within our organization.
 

   
Cross-Collaboration and Coordination: Cybersecurity risks related to our business, privacy and compliance issues are identified and managed through a multifaceted approach, including third-party monitoring, internal and external IT security audits and reviews by relevant committees.
 
   
Third-Party Service Providers: We engage leading third-party product and service providers to assist us with our cybersecurity risk management. We use an Information Prevention and Data Loss Prevention System on networks and endpoints, which is designed to prevent unauthorized access to or transfer of sensitive data. We also use centrally managed antivirus systems for blocking illegal software to detect and remove malware and illegal software from devices in real time. In particular, we use a Managed Security Service provider for Security Information and Event Management services for matters such as firewall management, intrusion detection and prevention, vulnerability management and incident response.
 
   
Cyber Incident Response Plan: We maintain a comprehensive cyber incident response plan that sets forth the applicable processes, roles, engagements, escalations and notifications to promptly respond to a cybersecurity incident. This plan covers steps to be taken upon the detection of a cybersecurity incident, review by relevant committees, identification of damages, recovery process, post-incident analysis and the introduction of improvement measures. Such incident responses are managed in a timely manner by a dedicated team and overseen by relevant organizations, including IT, finance, legal and compliance.
 
   
Security Awareness Training for Personnel: We provide comprehensive employee training on cybersecurity awareness, confidential information protection and simulated phishing attacks.
 
   
Review of Third-Party Risks: We routinely conduct risk and compliance assessments of third-party service providers prior to exchanging any sensitive data or integrating with any key third-party provider.
As of December 31, 2023, we have not identified any risks from cybersecurity threats, including any previous cybersecurity incidents, that have materially affected the Company, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats (including any previous cybersecurity incidents) that could be reasonably likely to materially affect us, please refer to our Risk Factors discussion under the heading ‘We may be subject to disruptions, breaches or cyber-attacks of our secured networks and information technology systems that could damage our reputation, harm our business, expose us to liability and materially adversely affect our results of operations’ in Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
In line with our overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risks while the Company’s Board of Directors and its Risk Committee actively and continuously provide oversight.
Our Risk Committee oversees the Company’s management of key risks including those arising from cybersecurity threats. Our management team reports to the Risk Committee on a quarterly basis, presenting their assessment of key enterprise risks, including cybersecurity. The topics include trends in cyber threats and the initiatives designed to strengthen our security systems and enhance the cyber readiness of our organization. Additionally, at least annually, our management team and our Chief Information Security Officer (“CISO”) update the members of the Risk Committee and the Board of Directors on existing and new cybersecurity risks, status of risk mitigation efforts, cybersecurity incidents, if any, and the progress of key information security initiatives.
In 2020, we established the Information Security Steering Committee (the “IS Steering Committee”), a management-level and cross-functional committee, led by our Chief Executive Officer, and comprised of our Chief Compliance Officer, Chief Financial Officer, CISO, Chief Privacy Officer and relevant teams including Information Security, HR, Compliance & Internal Audit and Legal. The IS Steering Committee holds quarterly meetings, during which they review and take action on a wide range of topics, including cybersecurity threat matters such as prevention monitoring, detection mitigation and remediation of cybersecurity incidents.
Our CISO leads a dedicated Information Security team in charge of cybersecurity matters. Collectively, the members of our Information Security team have over 35 years of relevant experience in various roles involving information technology, information security, compliance and systems. Also, our Information Security team oversees compliance with our cybersecurity framework, facilitates cybersecurity risk management activities, assists with the review and approval of policies, and oversees the security awareness program. At least annually, our Information Security team and CISO update the members of the Risk Committee and the Board of Directors on compliance and risk matters. The Information Security team also reports to the IS Steering Committee on a quarterly basis. We invest in ongoing cybersecurity training for our Information Security team.