PDF SOLUTIONS INC - (PDFS)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy or security laws and other litigation and legal risk, and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.

Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, which covers all company risks. As part of this process, appropriate disclosure personnel collaborate with subject matter specialists, at least annually and more frequently as necessary due to business or external changes, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.

We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks. As part of this process, and our processes to provide for the availability of critical data and systems, maintain regulatory compliance, identify and manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities, among others:

maintain a risk register and risk assessment process based on The National Institute of Standards and Technology (“NIST”) Cybersecurity Framework;
use various third-party software testing products and services designed to test and assess the security of our software;
closely monitor emerging data protection laws and implement changes to our processes designed to comply with such laws;
undertake an annual review of our policies and statements related to cybersecurity;
proactively inform our customers of substantive changes related to customer data handling through disclosures in our SOC 2 Type 2 report or other contractually mandated disclosures;
conduct annual cybersecurity training for employees and contractors with access to PDF systems and sensitive data;
conduct incident management training and practice for individuals with responsibilities responding to a cyber incident;
conduct regular phishing email simulations for employees and contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
use findings and root cause analysis of cybersecurity incidents to improve our cybersecurity processes and technologies;
maintain technologies designed to provide network and endpoint monitoring, regular vulnerability assessments, and annual penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K;
carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident;
maintain an employee handbook, Code of Conduct, and Acceptable Use policy that make clear the importance of cybersecurity and the protection of PDF and customer intellectual property; and
maintain an incident response policy and plan that specify the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, including processes to triage, assess the severity of, escalate, contain, investigate, and remediate an incident, to comply with potentially applicable legal and reporting obligations, and to mitigate brand and reputational damage. We regularly exercise the plan and update it after actual incident responses or simulated incident response scenarios.

We subscribe to several external independent monitoring services to score and assess our externally facing network and information services and we engage a third-party security firm at least annually to conduct external and web penetration testing exercises on our corporate network and our commercial SaaS service platform.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or to our systems. Third-party risks are included within our broader overall risk assessment and management process, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers during vendor onboarding and during periodic reviews. We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and regularly monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits or independent information security assessments or certifications. We also have processes designed to monitor public and federal government databases and other sources for evidence of known and/or exploited vulnerabilities in third-party services, including those provided as SaaS, and we take action to remediate or establish compensating controls if those systems are determined to be critical to our cybersecurity. We also maintain disaster recovery plans for all mission-critical parts of the business, although we do not have a business continuity plan developed to account for all continuity risks.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the headings “We are exposed to risks related to information technology infrastructure, information management and protection, cybersecurity threats, and cyber incidents.” and “Our business is subject to evolving corporate governance and public disclosure regulations and expectations, including with respect to environmental, social and governance matters that could expose us to numerous risks.” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

For more than 5 years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.

Cybersecurity Governance

Information technology and data security, particularly cybersecurity, is a top area of focus for our Board of Directors, which views our focus in these areas as essential for the success of our company and the broader technology industry in which we operate.

As described in the Audit Committee Charter of the Board of Directors, the Audit Committee is tasked with oversight of certain risk issues, including cybersecurity. The Audit Committee is composed entirely of independent directors, two of whom have significant work experience related to information security issues or oversight. Management reports high-severity security incidents to the Audit Committee after they are discovered. Additionally, management provides a summary of all security incidents to the Audit Committee four times per year. The full Board of Directors is also provided an annual assessment of our security program, our internal response preparedness, and assessments led by outside assessors and auditors.

Our Audit Committee is regularly involved in reviewing cybersecurity risk management. At least quarterly, the Vice President of Operations presents and reviews key security metrics with the Audit Committee, including a review of cybersecurity events, cybersecurity initiatives, and new or developing cybersecurity risks relevant to the business. The Audit Committee, which includes at least two individuals with experience in cybersecurity and related matters, meets with these members of senior management to review our information technology and data security policies and practices, and to assess current and projected threats, cybersecurity incidents, and related risks. Our Vice President of Operations reports directly to our executive management team, advises the company on cybersecurity risks, and assesses the effectiveness of information technology and data security processes and business policies impacting our overall cybersecurity risk.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Vice President of Operations and a cross section of subject matter experts from the Information Technology, Exensio Cloud Operations, and Corporate Legal teams. Such individuals collectively have over 30 years of prior work experience in various roles involving managing information security, data privacy risks, and regulatory frameworks; developing cybersecurity strategy; implementing effective information and cybersecurity programs; and security controls testing and the planning and execution of independent cybersecurity assessments.

Our Incident Response Policy is reviewed annually and documents the controls and procedures for timely and accurate reporting of material cybersecurity incidents to the relevant parties, including the Audit Committee when applicable. Our Incident Response Team leads the response to any reported cybersecurity event and comprises experts from Engineering, Information Technology, Legal, Cloud Operations, and Data Security.

The Vice President of Operations and the Executive Vice President of Products and Solutions are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including incident response.