TTM TECHNOLOGIES INC - (TTMI)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

We depend on information systems and technology in substantially all aspects of our business, including communications among our employees and with suppliers and customers. Such uses of information systems and technology give rise to cybersecurity risks, including system disruption, security breach, ransomware, theft, espionage and inadvertent release of information. Our business involves the storage and transmission of numerous classes of sensitive and/or confidential information and intellectual property, including customers’ and suppliers’ information, private information about employees, and financial and strategic information about the company and its business partners. Further, as we pursue new initiatives that improve our operations and cost structure, we are also expanding and improving our information technologies, resulting in a larger technological presence and increased exposure to cybersecurity risk. If we fail to properly assess and identify cybersecurity risks, we may become increasingly vulnerable to such risks.

Cybersecurity risk management and strategy

We assess and identify security risk to the organization by:

conducting assessments of risk including likelihood and magnitude from unauthorized access, use, disclosure, disruption, modification or destruction of information systems and the related information processed, stored, or transmitted;
performing risk assessments and producing security assessment reports that document the results of the assessment for use and review by information technology (IT) senior leadership, including the Company’s Senior Vice President of Information Technology (SVP-IT);
ensuring security controls are assessed for effectiveness, are implemented correctly, are operating as intended, and are producing the desired outcome; and
periodically scanning for vulnerabilities and remedying all vulnerabilities in accordance with the associated risk.

We have established a continuous monitoring strategy and program, which includes:

a set of defined security metrics to be monitored;
performance of security control assessments on an ongoing basis;
addressing results of analysis and reporting security status to the executive team; and
monitoring information systems to detect attacks and indicators of potential attacks.

Other processes in place to further manage any additional security risk to the organization include:

identifying, reporting and correcting information system flaws, security alerts and advisories;
monitoring inbound and outbound communications for unusual or unauthorized activity;
designing and implementing application systems to include sound backup and recoverability principles, such as periodic data backups in the case of a disaster;
mechanisms designed for the physical protection of IT resources; and
review and evaluation by the IT security department of all third party and cloud computing services for material risks of cybersecurity threats before they are formally authorized for use. Use of services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data, controlled unclassified information, or any other data owned or collected by the company.

Our cybersecurity incident management plan includes the following, among other things:

The SVP-IT leads the team in the development, documentation, review and testing of security procedures and incident response procedures. Beyond initial creation, procedures are continually re-assessed, augmented, updated, and tested on an ongoing basis;
The SVP-IT works with the Executive Team on the identification, assessment, verification and classification of incidents to determine affected stakeholders and appropriate parties for contact;
The SVP-IT is responsible for launching the Cybersecurity Incident Response Team (CIRT) if necessary, and for notification to the Chief Executive Officer, who in turn will contact the Board of Directors and Government Security Committee in order to validate the response is being addressed appropriately.
The CIRT team, in consultation with outside experts if needed, is responsible for the following:
o Initial containment;
o Analysis to establish root cause of incidents, identification and evidence collection;
o Incident containment by further analyzing additional information and further identifying any additional compromised machines or resources not previously identified;
o Implementing solutions designed to solve underlying problems and prevent re-occurrence;
o Recovery and restoring normal business functionality;
o Review after closure of each incident and conducting a post-mortem analysis to improve prevention and help to make incident response processes more efficient and effective. Also, the CIRT evaluates competency and any additional training requirements needed.

While we have experienced cybersecurity incidents in the past, to date none have materially affected us or our business strategy, results of operations, financial condition and/or cash flows. Moreover, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, financial condition and/or cash flows. See Item 1A, Risk Factors above for more information. While we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks and data or those of our third party providers.

Governance

We have invested in robust data security and privacy protections. We follow industry-standard recommendations for data security such as those outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171 and evolving Cybersecurity Maturity Model Certification (CMMC) frameworks. We have developed cybersecurity policies and procedures, including a data classification system to ensure the protection of critical data. In addition to periodic internal review, we also employ external auditors as needed, and cybersecurity testing firms to review our cybersecurity posture.

We maintain a CIRT, whose responsibilities are described above. We conduct periodic tests with this team to maintain readiness and resiliency while regularly reviewing its policies in the interest of protecting data security. External companies or agencies may be called upon to provide consulting, guidance, assistance, or some other form of support in response to a cybersecurity incident. Regular training of employees, at least annually, on ever-present cybersecurity threats helps maintain data security.

Our Board of Directors receives an update from our SVP-IT twice per year. In addition, our Government Security Committee of the Board of Directors is responsible for reviewing Cybersecurity Posture and overall resilience of the aerospace and defense portion of the network. The Government Security Committee reviews global cybersecurity risk with the SVP-IT at least four times a year. These reviews included standard cybersecurity-related metrics as well as other detailed reviews of sensitive systems. Our SVP-IT has over 25 years of experience in IT, including various leadership roles at other large corporations, and holds an Executive Master in Cybersecurity degree from Brown University.
