Ultra Clean Holdings, Inc. - (UCTT)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity

At UCT, cybersecurity risk management forms a critical component of UCT’s overall enterprise risk management program. Led by our Chief Information Security Officer (“CISO”), and under the oversight of our Board of Directors, we have implemented processes to assess, identify, manage and report cybersecurity risks, which, together with our broader business continuity plans, aim to not only address immediate response to cybersecurity incidents but also ensure swift restoration of critical systems and the maintenance of core business functions in the face of digital threats. Our senior management and information technology (“IT”) security teams devote considerable time and resources to conducting regular evaluations of our systems and implementing necessary enhancements to our security infrastructure to better guard against evolving cybersecurity threats.

Our CISO, reporting directly to our Chief Information Officer (“CIO”), is responsible for designing, developing and implementing our overall information security program that sets forth a governance structure and processes to ensure regular risk assessments and timely reports regarding cybersecurity risks. We actively scan across our information infrastructure for security vulnerabilities inherent in our business as we rely extensively on information and technology systems for managing transactions, tracking financial performance, and storing sensitive data. We also continuously monitor and assess risks associated with the interconnected nature of many of our information and technology systems, such as ERP platforms, supply chain management systems, and electronic payment gateways. In the normal course of our monitoring process, upon identifying certain vulnerabilities within our business and information systems during a recent security assessment, our information security team, in close collaboration with a third-party expert, promptly began to remediate these vulnerabilities to prevent any potential compromise of our systems or data.

Using threat models and intelligence, we regularly assess a range of cyber threats, including hacking attempts, malware attacks, phishing schemes, infrastructure intrusions, and insider threats. In conjunction with our ongoing threat and vulnerability assessments, we evaluate the various ways, and the extent to which, cyberattacks may materially impact our business, including financial loss, regulatory penalties, reputation damage, and litigation risks. In this rapidly evolving cybersecurity environment, we recognize staying informed about emerging cybersecurity threats and industry best practices is an indispensable part of assessing and identifying cybersecurity risks, particularly within the manufacturing sector. Our involvement includes active participation in industry associations, sharing threat intelligence, and collaborating with regulatory bodies and law enforcement. This collaboration strengthens our defenses against potential threats to our financial and information systems.

As part of our ongoing commitment to maintain a robust cybersecurity program to protect all stakeholders, including our customers, investors, employees, and vendors, we have allocated significant resources to improve our IT security. We have deployed various protocols as part of a larger preventive framework against cyber threats, including advanced security technologies and services, firewalls outfitted with cutting-edge capabilities, layers of encryption protocols, Identity and Access Management (“IAM”) controls, and multi-factor authentication. Our employees are required to complete cybersecurity best practice training on a regular basis (no less than once a year), the results of which are collected and reported to the senior management for further evaluation. We regularly engage third-party experts to assess the effectiveness of our security protocols and infrastructure, to detect potential threats and assist with remediation efforts, and to generally monitor and adapt our cybersecurity protocols to constantly evolving cybersecurity threats. In addition, we have deployed a Third-Party Risk Management (“TPRM”) tool that sends questionnaires to our vendors designed to assess their cybersecurity vulnerabilities. These and other cybersecurity risk management protocols at UCT are being governed by our comprehensive cybersecurity policies, plans and incident response playbooks, to manage both our preventive efforts against cyber threats and quick and effective response protocols in the event of cybersecurity breaches. In the event of an incident, we are prepared to follow the steps outlined in these playbooks, from initial detection to mitigation, as well as notification to all appropriate functions, including the senior management and the Board.

Our Board of Directors has the overall oversight responsibility for our risk management, and delegates the cybersecurity and other risks relating to our information controls and security to our Audit Committee. Both the Audit Committee and the full Board regularly receive updates from our management on cybersecurity matters and our ongoing risk management efforts, and actively participate in ongoing discussions. In addition, the Board and the Compensation Committee review and approve the key performance indicators applicable to all management personnel responsible for effectively managing cybersecurity risk management programs at UCT, and engage in regular review of the Company’s performance against those indicators.

We continue to face cybersecurity risks related to our business. While these risks have yet to materially affect us, we cannot guarantee that our ongoing and increasingly robust approach towards cybersecurity will be able to prevent cybersecurity incidents that could have a material adverse effect on us. For additional information about cybersecurity risks we face, see the risk factor item “Our business may be adversely affected by IT disruptions, including by impairing our ability to effectively deliver our products or services, which could cause us to lose customers” in Item 1A-Risk Factors.