SITIME Corp - (SITM)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats. These policies and processes are intended to protect the confidentiality, integrity, and availability of our critical information systems and our critical data, including intellectual property and confidential information that is proprietary, strategic, or competitive in nature (“Information Systems and Data”).
Our IT management team, with oversight by our board of directors (“Board”) and audit committee of the Board (“Audit Committee”), helps identify, assess, and manage risks from cybersecurity threats by monitoring and evaluating threats through our cybersecurity risk management program, which leverages the National Institute of Standards and Technology Cybersecurity Framework.
Our cybersecurity risk management program incorporates a variety of methods to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including:
• risk assessments designed to help identify cybersecurity risks to our Information Systems and Data;
• a team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
• annual training of our employees at all levels and in all departments regarding cybersecurity awareness and protection of confidential information; and
• a cybersecurity incident response plan that includes procedures for detecting and responding to cybersecurity incidents.
Additionally, our cybersecurity risk management program incorporates a variety of tools and services to assess, identify, and manage material risks from cybersecurity threats, including regular network and endpoint monitoring, vulnerability assessments, and penetration testing.
Our cybersecurity risk management program is integrated in our overall enterprise risk management program. For example, our IT team works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact on our business.
Our cybersecurity risk management program also seeks to manage cybersecurity risks associated with our use of third-party service providers through risk assessments and imposition of contractual obligations.
For a description of risks from cybersecurity threats that may materially affect the Company and how they may do so, see Item 1A “Risk Factors” in this annual report on Form 10-K, including the risk factors entitled “Security breaches, cyberattacks, and other disruptions to information technology systems owned or maintained by us or third parties, such as vendors or suppliers, could disrupt our operations, compromise the confidentiality of private customer data or our intellectual property, and adversely affect our business, reputation, operations, and financial results” and “Our business may be impacted by information technology system failures or network disruptions, and lack of redundancy.”
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated to the Audit Committee oversight of cybersecurity matters and other policies and internal controls regarding information security risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.
The Audit Committee receives quarterly reports from management on our cybersecurity risks. In addition, management will update the Audit Committee, as necessary, regarding any significant cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives a briefing from management on our cyber risk management program at least annually.
Our management team, including our IT management team, is responsible for day-to-day implementation, assessment, and management of our cybersecurity risk assessment and management processes. The IT management team has primary responsibility for our overall cybersecurity risk management program, including monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents, and works in partnership with our other business leaders, including our Chief Legal Officer. Our IT management team supervises both our internal cybersecurity personnel and any retained external cybersecurity consultants. Our Senior Director of IT has served in various roles in information technology and information security for over 25 years.
Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to a team of business leaders, including, but not limited to, our Chief Legal Officer, Executive Vice President and Chief Financial Officer, Executive Vice President of Engineering and Technology, and Executive Vice President of Operations. This team of business leaders works with our incident response team to help determine the severity of the impact of a cybersecurity incident, as well as to help mitigate and remediate cybersecurity incidents of which they are notified.