ADVANCED ENERGY INDUSTRIES INC - (AEIS)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Assessment
Advanced Energy understands the importance of managing risks from cybersecurity threats and maintains a comprehensive cybersecurity program developed with reference to the National Institute of Standards and Technology (“NIST”) cybersecurity framework. Our cybersecurity program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of our data. We devote significant resources to network, operations, and product security, data encryption, business continuity/disaster recovery, vulnerability management, event monitoring and incident response, and other measures to protect our systems and data from unauthorized external access or internal misuse, including, but not limited to, the following:
● Operational Security. Access to our systems is restricted to those who require access in accordance with the principle of least privilege. We also conduct background checks for our employees where permitted by local law, require signed confidentiality agreements and acceptable use agreements, and follow termination/access removal processes.
● Employee Training. We provide all employees with annual training on information security, data protection, and relevant company policies so that they are empowered to identify cybersecurity risks and take action. To further enhance awareness and responsiveness to potential threats, we also conduct regular phishing simulations and email communications on cybersecurity trends awareness throughout the year.
● Third Party Assessment. We engage independent third party consultants to review the effectiveness and maturity of our cybersecurity program.
● Incident Response Plan. We maintain an incident response plan to respond to and mitigate the effects of an information security incident. The plan provides for the formation of a multi-functional incident response team led by the Chief Information Officer (“CIO”) and comprised of IT, legal, corporate communications, internal audit, and operational personnel.
● Global Recovery. We have developed global cyber and disaster recovery processes for our information technology systems and critical information assets to preserve business continuity in the event of a cybersecurity incident.
● Third Parties. We have an assessment and audit process for third party vendors. Prior to granting vendor access to our systems or data, we conduct pre-engagement diligence to ensure that each of our third party vendors involved in processing sensitive data has reasonable cybersecurity processes and procedures in place. We also have contractual provisions with key vendors for prompt notification of material cybersecurity incidents.
● Insurance. We maintain cyber insurance coverage to mitigate the risk of losses from a cybersecurity incident.
● Risk Monitoring. Management and our Board monitor cybersecurity and data protection developments, including new or forthcoming changes to the legislative and regulatory landscape as well as Advanced Energy’s cybersecurity processes, investments, and actions as described below.
Cybersecurity risk is a component of Advanced Energy’s broader risk management program and managed at the highest levels of the company, starting with Advanced Energy’s CIO, who meets with the Chief Executive Officer and other members of executive management regularly to discuss issues, assess risks, and coordinate company-wide cybersecurity initiatives. Our CIO leads a dedicated cybersecurity technical team that manages, monitors, and enforces compliance with the cybersecurity program.
Although we have experienced non-material information security incidents from time to time in the past, in the last three years, we have not experienced any material cybersecurity incidents, nor has any incident had a material impact on our operations or financial condition. For a discussion of how risks from cybersecurity threats are reasonably likely to affect us, including our business strategy, results of operations, or financial condition, please see “If our information security measures are breached or fail and a customer’s or our data is improperly obtained or unauthorized access to our information technology systems occurs, we may incur significant legal and financial exposure and liabilities.” under the heading Part I, Item 1A “Risk Factors”.
Cybersecurity Governance
Pursuant to its charter, the Audit and Finance Committee of our Board of Directors is principally responsible for oversight of management’s actions to monitor and control cybersecurity risk exposure. The CIO routinely reports to the Audit and Finance Committee on enterprise cybersecurity matters, including, as appropriate, information security strategy, policies, and procedures, status of cybersecurity initiatives, results of third party assessments, emerging cybersecurity threats and risks, steps taken to mitigate such threats and risks, and cybersecurity developments and trends. The Audit and Finance Committee reports to the full Board and, if warranted, coordinates with the Board to address material risks. In addition, the full Board receives a cybersecurity briefing from the CIO annually.
As discussed above, our cybersecurity risk management and strategy are led by our CIO, who has extensive leadership experience with enterprise information technology in the manufacturing and telecom industries, where he has held various executive roles in which he developed and executed IT strategy, including cybersecurity programs, helped achieve and maintain Sarbanes-Oxley compliance, and brought companies into compliance with ISO 27001, among other things.