APPLIED OPTOELECTRONICS, INC. - (AAOI)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

Cyber criminals are becoming more sophisticated and effective every day. All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data customers and other stakeholders entrust to us a top priority. Our board of directors (the "Board") and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Our Risk Factors include further detail about the material cybersecurity risks we face and have faced in the past. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk Management and Strategy

Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management. Our cybersecurity program in particular focuses on the following key areas:

Collaboration

Our cybersecurity risks are identified and addressed through a cross-functional approach. Key security, risk, and compliance stakeholders meet to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.

Risk Assessment

At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board and members of management.

Technical Safeguards

We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.

Incident Response and Recovery Planning

We have established comprehensive incident response and recovery plans and continue to evaluate the effectiveness of those plans. Our incident response and recovery plans address — and guide our employees, management and the Board on — our response to a cybersecurity incident.

Education and Awareness

Our policies require our employees to contribute to our data security efforts. We provide awareness training to our employees to help identify, avoid and mitigate cybersecurity threats. Our employees participate annually in required training, including spear phishing and other awareness training.

Governance

Board and Management Oversight

Our Board oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities.

Our general manager and MIS director have primary responsibility for assessing and managing material cybersecurity risks. They meet to review security performance metrics, identify security risks, and assess the status of approved security enhancements. They also consider and make recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.

Our MIS director has served in various roles in information technology and information security for over 20 years. Our general manager has over 20 years of experience managing risks, including risks arising from cybersecurity threats.
