AXCELIS TECHNOLOGIES INC - (ACLS)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.

Axcelis implements an enterprise risk management (“ERM”) process in which management annually identifies and reviews the principal risks to which the Company’s business is subject, rating each risk in terms of likelihood of occurrence and severity of impact. Risks that have either a high likelihood or a high potential impact on our business are assessed quarterly with respect to the trend (an increasing or decreasing risk) and whether additional mitigation actions are needed. These quarterly risk assessments are shared with our Board of Directors, with the Audit Committee reviewing any changes in risk identification or ranking on an annual basis.

Cybersecurity risks are integrated into our overall ERM, and our Chief Information Officer assesses the trends and need for additional mitigations on a quarterly basis. Our main concerns are (i) the unauthorized exfiltration of personal information pertaining to Axcelis employees, (ii) the unauthorized exfiltration of confidential business or technical information, and (iii) an inability to use our business systems for a period of time following a cybersecurity event.

Management has adopted a Cybersecurity Incident Response plan which lays out the roles of IT personnel, senior leadership, and legal resources in responding to a cybersecurity incident. This plan is shared with our Board of Directors and reviewed annually. These risks could materially impact the business of the Company. To date, the Company has not experienced a material cybersecurity incident.

To implement risk management and protective strategies, management implements a “Layered Security Strategy” that aligns with the National Institute of Standards and Technology Cybersecurity Framework. We consider the various factors that can play a role in the occurrence of a cybersecurity incident, such as:

Unauthorized system access
User errors
Undetected system vulnerabilities
Mobile device risks
Vulnerabilities in software applications and specific hardware
Third-party cybersecurity risks
Insider threats

Management has implemented specific mitigation strategies for each of these factors, such as (i) user training to avoid fraud and other scams, (ii) utilizing multi-factor authentication processes for system access, (iii) deploying vulnerability scanning applications, (iv) upgrading software and hardware to those with the greatest security protections, and (v) ensuring third parties to whom sensitive information is provided have appropriate security. Management has also developed a vendor assessment form to evaluate potential “Software as a Service” providers, which is incorporated in the Company’s RFP processes. The Company routinely obtains and reviews SOC 2 reports from third parties who have access to the Company’s information, some of which are part of management’s internal controls over financial reporting. The Company engages cybersecurity consultants and legal counsel to assist in the identification of vulnerabilities and to advise on appropriate mitigation and preparedness actions.

Overall, we devote significant resources to network security, data encryption, employee training and other measures to protect our systems and data from unauthorized access or misuse. The Audit Committee and full Board of Directors receive quarterly reports on cybersecurity risks and annual reports on management initiatives to promote cybersecurity.