BENCHMARK ELECTRONICS INC - (BHE)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Global cybersecurity vulnerabilities and threats continue to evolve and grow more sophisticated. The Company is aware of the dynamic nature of the cybersecurity threats we face and has a security program led by our Chief Information Security Officer (CISO) that strives to monitor and mitigate risks from cybersecurity threats. The CISO reports to the Chief Information Officer (CIO), provides periodic reports to the Chief Executive Officer (CEO) and Chief Financial Officer (CFO), and reports quarterly to the Audit Committee of the Board of Directors, which oversees risks from cybersecurity threats, on the Company's cybersecurity risk profile and mitigation activities. The Company's CISO has over 35 years of security and cybersecurity experience across the military and corporate sectors. Prior to joining Benchmark, he oversaw cybersecurity for Masco Corporation, a Fortune 500 company, and for La-Z-Boy Incorporated, both global manufacturing organizations with complexities similar to the Company's. The CISO also served as a Department of Defense civilian in charge of cybersecurity for an Army acquisition command, overseeing the cybersecurity of approximately 320 programs of record.

The Company's CIO has been responsible for global IT, including oversight of cybersecurity, since joining the Company in 2017. He was also responsible for cybersecurity in previous roles, including at DigitalGlobe, a satellite imagery provider to the U.S. Government, and at other global high-tech manufacturing companies.

The Company has an Enterprise Risk Management (ERM) process, with a risk assessment performed annually. A universe of key risks is updated annually, with each key risk rated by and discussed with corporate and site-level executives, as well as our Board of Directors, which oversees the Company's ERM process. As a result of the annual risk assessment, the enterprise's top risks are identified and an action plan is developed to address each risk. Results of the annual enterprise risk assessment are presented to and discussed with the Board of Directors at least annually. One of the key risks evaluated annually is cybersecurity. Our cybersecurity risk evaluation assesses whether, and to what extent, information assets (hardware, software, systems, laptops, data, intellectual property) might be compromised in an attack by a malicious actor, resulting in potential data leakage, data destruction, malware infiltration, or a ransomware attack. Given the increasing sophistication of cyber-criminals and constantly evolving threat vectors, the Company continues to identify cybersecurity as a top risk, prompting numerous actions and measures across the Company intended to mitigate and, where possible, minimize such risks.

The Company increasingly leverages and relies upon digital technologies and services to conduct our business and support our customers. These technologies and services are a blend of in-house and third-party supplied solutions that encompass data storage, processing and transmission. Our digital technologies support business processes for financial management, human capital management, customer engagement, and manufacturing services. Examples of such technologies include Enterprise Resource Planning (ERP) systems, shop floor controls, test equipment, general business applications, and our global infrastructure and networks, as well as external systems, analytics, automation and cloud services. Such digital technologies and services are subject to numerous risks including, but not limited to, ransomware or cyber-extortion; denial of service against our systems; malicious code introduced through third-party software products or software updates; and theft of Company, customer, vendor and employee data. As discussed further below, our operations have been, and may in the future be, subject to ransomware or cyber-extortion attacks, which could significantly disrupt our operations. Generally, such attacks involve restricting access to electronic and computer systems, or the restriction or theft of vital data, including customer-supplied data.

The Company has a security program that strives to implement best practices for protecting our systems, with the understanding that adversaries have varying skills and competencies and may be able to exploit or evade our current protective technologies. We actively monitor our systems for cyber threats and have processes in place to detect and remediate vulnerabilities. Our approach relies on both internal and external monitoring and vulnerability assessments, as well as penetration testing by third parties. We also use leading endpoint detection and response (EDR) tools to continuously monitor our security environment. We regularly review our data management practices to ensure the proper retention, protection and storage of data, and to apply new technology-based tools to better manage the protection of customer data. Our information security policies and practices, including our Information Technology Disaster Recovery Plan, are designed to comply with several regulatory requirements, including DFARS requirements and NIST SP 800-171 controls. For our defense customers, we are undergoing certification under the U.S. Cybersecurity Maturity Model Certification (CMMC) program and have performed a CMMC self-assessment with the assistance of a qualified third-party assessor. To maintain security awareness throughout the Company, we conduct employee training on multiple topics and run simulated phishing campaigns. Regular communications remind all employees how to remain vigilant against cyberattacks. We have also recently implemented a third-party cybersecurity risk management program that continuously monitors the cybersecurity scores of key suppliers and customers.

The Company's protective technologies include firewalls and email protection against malware and phishing campaigns, and information system access management solutions such as multifactor authentication (MFA). We augment these protective technologies with security monitoring and detection capabilities to limit the impact of cybersecurity incidents. The security monitoring and detection tools we utilize leverage Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) platforms, augmented with threat intelligence from multiple sources. We have further enhanced the security posture of the Company by implementing data security technologies and measures to reduce the impact of attempts to steal data. These technologies are tested regularly by both internal resources and external experts, who evaluate the technology and identify vulnerabilities for mitigation and/or remediation. Our security program leverages Company and third-party security professionals and services to achieve an appropriate level of security and resilience. That level is reviewed periodically by an information technology (IT) steering committee that includes senior officers such as the CEO, CFO, Chief Legal Officer, CIO, Chief Operating Officer and Chief Technology Officer, and the efficacy of these programs is also reviewed quarterly with the Audit Committee of the Company's Board of Directors.

Despite the systems and processes we have in place to monitor, detect, mitigate and remediate potential vulnerabilities, we have in the past experienced cyberattacks and attempted breaches, including phishing emails and other targeted attacks. In the fourth quarter of fiscal year 2019, a ransomware incident encrypted information on our systems and disrupted customer and employee access to our systems and services. The Company incurred costs relating to this event, including costs to retain third-party consultants and forensic experts to assist with the restoration and remediation of systems and, with the assistance of law enforcement, to investigate the attack. As a result of this cybersecurity incident, we experienced increased expenditures for our IT infrastructure, systems and network. The incident also adversely affected our operations and the Company's fourth quarter 2019 revenue. See Note 18 to the consolidated financial statements in Part II, Item 8 of this Report for additional information.