Vishay Precision Group, Inc. - (VPG)

10-K Filing Date: February 29, 2024
Item 1C. CYBERSECURITY
The Company’s Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, suppliers, business partners, employees and investors with respect to cybersecurity matters. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing, assessing, managing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Risk Management and Strategy
As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:
Governance: As discussed in more detail under the heading “Corporate Governance and Oversight,” the Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which regularly interacts with and receives reports from the Company’s ERM function, the Vice President of IT and Digital, the Company’s Chief Information Security Officer (“CISO”), and other members of management.
Collaborative Approach: The Company has integrated cybersecurity risk management into its broader risk management framework to promote a Company-wide culture of cybersecurity risk management. To that end, the Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. The Company conducts security assessments of all of its electronic information-related third-party service providers before the Company engages them, and the Company maintains policies and procedures to oversee and identify cybersecurity risks associated with its use of third-party service providers.
Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, threat modeling, penetration and vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties, including consultants and outside monitoring agencies, to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee during management’s annual update to the Audit Committee and the Board, and the Company updates and adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
Management’s Role in Managing Risk

The Vice President of IT and Digital, along with the CISO, has developed a strategy and multi-year plan for cybersecurity and regularly updates it based on evolving technology trends. The Audit Committee reviews the Company’s information security program, including cybersecurity controls, annually (and/or if and when a significant event occurs as defined by its Incident Management policy). The Audit Committee updates the Board annually and upon request of the Board as detailed under the Corporate Governance and Oversight Section.

Our Vice President of IT and Digital holds a Bachelor of Science in Computer Science and brings a wealth of experience from managing IT organizations in large, publicly traded companies, in addition to a distinguished background of service in the Israeli army, where she was responsible for managing classified information. Our CISO has an impressive 20-plus years in the field of cybersecurity, underpinned by a Bachelor's degree specializing in Knowledge and Information Management. Our CISO's extensive experience includes a period of 12 years during which he was employed by the Government of Israel, where he managed classified information systems and teams, a role that demands the highest levels of diligence and expertise in information security.

Through third-party service providers and attendance at seminars, our Vice President of IT and Digital and CISO are regularly informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition enhances our processes to identify, prevent, mitigate and remediate cybersecurity threats and cybersecurity incidents.

Together, our Vice President of IT and Digital and CISO lead a dynamic, cross-functional team that includes relevant stakeholders from all Company divisions. This team plays a pivotal role in raising cybersecurity awareness throughout the Company, ensuring that every employee is informed and cautious about potential cyber threats. They are committed to keeping our Company's management and Board regularly informed on cybersecurity matters, ensuring transparency and proactive management of digital risks. Additionally, they actively collaborate with division managers, participating in divisional management meetings to identify and protect sensitive information. Their involvement at this level ensures that cybersecurity is integrated into every aspect of our operations, aligning with our broader strategic objectives.

To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition.

Corporate Governance and Oversight

The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of directors who have diverse qualifications and experiences.

Significant cybersecurity matters and strategic risk management decisions are escalated to the Audit Committee and, as appropriate, the Board, ensuring that such bodies maintain comprehensive oversight and can provide guidance on critical cybersecurity issues.

The Audit Committee regularly reports to the Board regarding the Audit Committee’s oversight of cybersecurity matters, such as the periodic assessment and testing of the Company’s policies, standards, processes and practices and the risks identified in such assessment and testing.