MKS INSTRUMENTS INC - (MKSI)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

We primarily assess, identify and manage material risks from cybersecurity threats through our enterprise information security program, which is maintained by our Chief Information Security Officer (“CISO”) and overseen by our Executive Vice President and Chief Information Officer (“CIO”).

Our enterprise information security program, which is designed to ensure that our information systems are adequately protected, is based on frameworks established by the National Institute of Standards and Technology and other applicable industry standards. Following the ransomware incident we identified in February 2023, we made certain enhancements to our enterprise information security program, including with respect to privileged access management, security monitoring and response, and application backup and recovery. We consider our enterprise information security program to be a key component of our overall risk management system.

As part of our enterprise information security program, we regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. In addition, we maintain incident response and recovery plans, the effectiveness of which is tested and evaluated on a regular basis. We also provide privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats.

We regularly engage assessors, consultants, auditors and other third parties to support our enterprise information security program. These assessments include a variety of activities, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness.

The information provided by these assessments is used to improve our enterprise information security program, including cybersecurity policies, standards, processes and practices. In addition, the results of significant assessments are reported to management and the Audit Committee of our Board of Directors (the “Board”).

We also have processes in place to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers. Third-party service providers are subject to security risk assessments at the time of on-boarding, contract renewal, and upon detection of an increase in risk profile. We have similar processes in place to oversee and identify cybersecurity-related risks posed by our suppliers.

Risks from Cybersecurity Threats

As discussed above, in February 2023, we identified that we had become subject to a ransomware incident. Based on our investigation, we concluded ransomware actors encrypted certain of our systems by deploying malware. This incident required us to temporarily suspend operations at certain of our facilities and had a material impact during the three months ended March 31, 2023 on our ability to process orders, ship products and provide service to our VSD and PSD customers.

In addition, based on our investigation of the incident, we became aware that ransomware actors may have exfiltrated personal information from our systems. We provided notifications to individuals and to regulators in accordance with applicable laws, and we may be required to provide additional notifications in the future.

We and our third-party administrators, vendors and partners are also subject to ongoing cybersecurity threats. While we cannot guarantee that these threats will not have an adverse impact on us, we do not believe such threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

Governance

Board of Directors’ Oversight of Risks from Cybersecurity Threats

The Audit Committee is primarily responsible for oversight of risks from cybersecurity threats. As provided for in the Amended & Restated Audit Committee Charter, the Audit Committee oversees the steps management has taken to monitor and control our data privacy and cybersecurity risk exposure. The Board delegated this responsibility to the Audit Committee in part because it includes members with significant experience and/or expertise in cybersecurity and other technology matters.

The Audit Committee is informed of risks from cybersecurity threats through regular reports from our CIO and CISO. The Audit Committee actively engages with our CIO and CISO regarding these risks. Depending on the materiality of a risk, the Audit Committee, CIO or CISO may report on such risk to the full Board.

In addition, from time to time, the Board may constitute a special committee to focus on a particular cybersecurity matter or risk. As discussed above, in February 2023, we identified that we had become subject to a ransomware incident. Our Board of Directors responded quickly and constituted a special committee of the Board for cybersecurity, which included Gerald G. Colella, the Chair of our Board, Elizabeth A. Mora, the Chair of our Audit Committee, and Peter J. Cannone III and Joseph B. Donahue, each a member of our Audit Committee, to oversee the investigation, recovery, and restoration phases following the incident (the “Special Committee”). The Special Committee held 21 meetings during the first three months following the identification of the incident. At these meetings, our Chief Executive Officer, our Chief Financial Officer, our General Counsel, our Executive Vice President of Operations and Corporate Marketing, and our then-Chief Information Officer reported to the Special Committee on various aspects of the incident, including the information technology forensic investigation, business restoration and recovery activities, and the impact of the incident on our annual audit and assessment of internal controls as well as the filing of our Annual Report on Form 10-K for the year ended December 31, 2022.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

Management is integral to assessing and managing our material risks from cybersecurity threats. While all members of management are involved in the review of these risks, our CIO has primary oversight of our cybersecurity program. Our CIO is a seasoned technology leader and change agent who has served as the top technology executive for multi-billion-dollar global organizations spanning diverse industries. With over 25 years of experience, our CIO has led business and information technology transformation, implemented global digital strategies, and optimized and integrated governance, risk, and compliance frameworks, processes and technologies in complex regulatory and industry environments. We believe our CIO’s knowledge, skills and experience provide significant value to our Company.

Our CIO and CISO provide regular reports to management regarding risks from cybersecurity threats and the prevention, detection, mitigation and remediation of cybersecurity incidents. Within our information technology organization, our CISO and other key members of our information security team provide regular reports to our CIO.

As discussed above, our CIO and CISO also provide regular reports regarding risks from cybersecurity threats to our Audit Committee and, depending on the materiality of a risk, the full Board. In addition, from time to time, members of management may provide reports to a special committee of the Board for cybersecurity. For example, as discussed above, management provided regular reports to the Special Committee on various aspects of the ransomware incident we identified in February 2023.