FORMFACTOR INC - (FORM)

10-K Filing Date: February 23, 2024
Item 1C: Cybersecurity

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to our employees or customers; violation of applicable privacy or security laws and other litigation and legal risk; and reputational risks.

Manage Material Risks & Integrated Overall Risks
We maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to, mitigate the impact of, and remediate cybersecurity incidents, as well as to comply with applicable legal obligations and mitigate reputational damage.

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote company-wide awareness of the importance of cybersecurity risk management. This integration ensures that cybersecurity considerations are incorporated in our strategic and operational decision-making processes. Our management team works closely with our Information Technology (“IT”) team to continuously evaluate and address cybersecurity risks to ensure these efforts are in alignment with our business objectives and operational needs. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. Our approach includes, among other things:

conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems;
regular cybersecurity training for employees, including management, and conducting regular cybersecurity management and incident training for employees involved in execution of our incident response plan;
comparing our processes to standards set by the National Institute of Standards and Technology (“NIST”);
leveraging the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident;
operating threat intelligence processes designed to model and research our adversaries;
monitoring emerging data protection laws and implementing changes to our processes designed to comply;
conducting regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
through policy, practice and contract (as applicable) requiring employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care;
carrying information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident; and
leveraging third-party score cards within our supply chain to regularly evaluate and report on our cybersecurity environment, including by integrating certain metrics into our corporate goal setting processes.

These approaches vary in maturity across the business, and we work continually to improve them.

Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our cybersecurity environment. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes are responsive to our identified risks. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.

Oversee Third-party Risk
We are aware of and have processes in place to manage and mitigate the risks associated with third-party service providers. As needed in connection with certain third-party providers, we conduct risk-based diligence and assessment before engagement, implement contractual security provisions and maintain ongoing monitoring to ensure compliance with applicable cybersecurity standards or requirements.

Risks from Cybersecurity Threats
We have not experienced any material cybersecurity incidents, and the expenses we have incurred from cybersecurity incidents were immaterial.

Governance

The Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the potential significance of these threats to our operational integrity and financial condition.

Board of Directors' Oversight
The Governance and Nominating Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Governance and Nominating Committee and the Board are composed of Board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.

Management’s Role in Managing Risk
The management team provides comprehensive briefings to the Governance and Nominating Committee of our Board on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, as discussed in Reporting to the Board of Directors below.

In addition, the IT team maintains an ongoing dialog with our management team regarding emerging or potential cybersecurity risks. The management team receives updates on any significant developments in the cybersecurity domain, ensuring oversight is proactive and responsive. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives.

Risk Management Personnel
Our Chief Information Officer is primarily responsible for the overall assessment, monitoring, and management of our cybersecurity risks. Our Chief Information Officer has over 20 years of experience in information technology and holds a B.S. in accounting and management information systems. Our management team members are responsible for the management of cybersecurity risks within their respective functions. Our management team includes the Chief Financial Officer, Chief Executive Officer, and leaders of our business units and functions. Collectively their backgrounds include a wealth of expertise relevant to their roles.

Monitor Cybersecurity Incidents
The Chief Information Officer and executive management team are informed about the latest developments in cybersecurity, including risk management techniques, as well as significant potential threats, through their ongoing management of and participation in the cybersecurity risk management processes described above. This ongoing knowledge is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Chief Information Officer implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of security measures and system audits to identify potential vulnerabilities.

Reporting to the Board of Directors
The Chief Information Officer regularly informs the Chief Financial Officer and Chief Executive Officer of critical aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the Company’s cybersecurity posture and potential risks. The Governance and Nominating Committee receives regular updates from management on cybersecurity risk, including:

current cybersecurity landscape and emerging threats;
status of ongoing cybersecurity initiatives and strategies;
incident reporting and learnings from any cybersecurity events;
information regarding the effectiveness of the Company’s cybersecurity awareness program; and
compliance with regulatory requirements and industry standards.

In such updates, the Governance and Nominating Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks and describing our ability to mitigate those risks, and discusses such matters with our Chief Information Officer.

Significant cybersecurity matters and strategic risk management decisions are escalated to the Board, ensuring that it has comprehensive oversight and can provide guidance on critical cybersecurity matters.