TERADYNE, INC - (TER)

10-K Filing Date: February 22, 2024
Item 1C: Cybersecurity

We believe cybersecurity is critical to supporting our vision and enabling our strategy. As a producer of leading-edge electronic testing products and maker of advanced robotics, we face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced, persistent, and highly organized adversaries, including nation state actors, that may target us for our role in critical infrastructure sectors. Our customers, suppliers, and partners face similar cybersecurity threats and, while we have not been materially affected to date, a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance, and results of operations. These cybersecurity threats and related risks make it imperative that we maintain a strong focus on cybersecurity.


Governance

The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer ("CISO"), regularly briefs the Audit Committee of the Board of Directors on our cybersecurity and information security posture.

The corporate information security organization, under the CISO, has implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. The CISO chairs management’s Cybersecurity Steering Committee, in which current cyber threats, program performance, and ongoing risk mitigations are regularly reviewed. Cybersecurity-related risks are also integrated into our overall enterprise risk management ("ERM") process. These risks are included in the risk universe that the ERM function evaluates to assess top enterprise risks on an annual basis and is reviewed and evaluated by the Board of Directors. The Board of Directors is also apprised of cybersecurity issues or incidents deemed to have a moderate or higher business impact as they arise, even if considered immaterial.

In the event of a significant incident, we intend to follow our detailed incident response playbooks, which outline the steps to be followed from incident detection through mitigation, recovery and notification, including escalation to functional areas (e.g., legal), and escalation to senior leadership via the Cybersecurity Steering Committee. Upon escalation, the Cybersecurity Steering Committee will review all inputs, assess the materiality of the incident, and then brief the Board of Directors on the determination and on how management intends to respond.

Risk management and strategy

Our global information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. Our CISO is an experienced cybersecurity senior executive with more than 25 years of experience building and leading cybersecurity, risk management and information technology teams. The information security organization manages and continually enhances a robust enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing system resilience and deploying highly proficient detection and response capabilities in an effort to minimize the business impact should an incident occur.

Central to this organization is our global cyber operations team, which is responsible for the protection, detection, and response capabilities used in the defense of critical data and enterprise computing services. We also have a corporate-wide insider threat detection program to proactively identify external and internal threats and mitigate those threats in a timely manner. Our broader Teradyne employee community also has a key role in our cybersecurity defenses and is immersed in a comprehensive training and awareness curriculum to build and promote a corporate culture supportive of security.

Third parties also play a role in our cybersecurity. We engage third-party services to provide 24x7x365 monitoring, escalation, and response to cyber events. In addition to consulting on best practices, we leverage third parties for independent evaluations of our security controls through penetration testing and independent audits. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our industry peers, cybersecurity associations, and our cyber controls vendors.

We rely on contract manufacturing organizations and distributors to deliver our products to our customers, and a cybersecurity incident at one of these organizations or a key supplier could materially adversely impact us. We assess third-party and supply chain cybersecurity controls through risk monitoring services tailored to align with our risk policy. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us, either directly within our managed environment or indirectly via a third-party partner or supply chain vendor. Periodically, we have a recognized independent security expert firm assess our cybersecurity maturity along with risks and provide feedback on where we should continue to improve to mitigate exposures. We share this review with our Board and develop a security roadmap which incorporates this feedback.

Additionally, for our business that supports the defense and aerospace sector, we must comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement ("DFARS") related to adequately safeguarding controlled unclassified information ("CUI") and reporting cybersecurity incidents to the DoD. We have implemented cybersecurity policies and frameworks based on industry and governmental standards to align closely with DoD requirements, instructions, and guidance. Moreover, we are pursuing the necessary controls to support the Cybersecurity Maturity Model Certification ("CMMC") program, DoD’s program to ensure members of the defense industrial base meet cybersecurity requirements for handling CUI and federal contract information. We believe we are well positioned to meet the requirements of the CMMC and are preparing for certification once the requirements are effective.
