NETGEAR, INC. - (NTGR)
10-K Filing Date: February 16, 2024
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).
Our cybersecurity function includes representatives from information technology, information security, legal, impacted business units or products and other departments as applicable (together, the “Cybersecurity Team”), which helps identify, assess and manage the Company’s cybersecurity threats and risks. The Cybersecurity Team identifies, assesses and manages cybersecurity risks by monitoring and evaluating our threat environment using various methods including, for example, manual and automated tools such as vulnerability scans, penetration tests and a public bug bounty program; subscribing to reports and services that identify cybersecurity threats; conducting risk assessments and internal and external audits; using external intelligence feeds; and conducting tabletop incident response exercises.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: (1) having an information security incident response plan for incident detection and response; (2) maintaining a disaster recovery plan, business continuity program, vulnerability management process and vendor risk management process; (3) conducting periodic risk assessments and employee training on cybersecurity; (4) maintaining security controls intended to address the National Institute of Standards and Technology Cybersecurity Framework; (5) encrypting and segregating data, having network security controls, access controls and physical security, monitoring systems, managing assets (tracking and disposal) and conducting penetration testing; and (6) maintaining cybersecurity insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program; (2) our Cybersecurity Team works with our management team (comprised of our Chief Legal Officer, Chief Financial Officer and Chief Risk Officer) to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact on our business; and (3) our Cybersecurity Team and management team evaluate material risks from cybersecurity threats against our overall business objectives and report to the cybersecurity committee chairperson of the board of directors, who may then notify the cybersecurity committee and board of directors (as appropriate) to further evaluate our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example using professional services firms, threat intelligence service providers, managed cybersecurity service providers, penetration testing firms and forensic investigators. We also have a public bug bounty program.
We use third-party service providers to perform a variety of functions throughout our business, such as using application providers for core applications (including finance, HR, CRM, email services, collaboration tools, etc.), hosting companies for our websites, contract manufacturing organizations, distributors and supply chain resources for software, hardware, manufacturing and distribution of our products. We have a vendor management process for managing cybersecurity risks associated with our use of these providers. This process includes risk assessments, security questionnaires, review of vendor security programs, and review of available security assessments, reports and audits. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the type of provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Product security vulnerabilities, system security risks, data protection breaches, cyber-attacks and improper use of artificial intelligence tools, could disrupt our products, services, internal operations or information technology systems, and any such disruption could increase our expenses, damage our reputation, harm our business and adversely affect our stock price”.
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ cybersecurity committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Information Officer, our VP of Corporate Cybersecurity and our Chief Technology Officer of Software, each of whom has over 20 years of industry expertise, including past roles at other public companies and as consultants.
Our Chief Information Officer and Chief Technology Officer of Software are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Chief Information Officer and Chief Technology Officer of Software are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our information security incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the incident response leadership team. The incident response leadership team works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s information security incident response plan includes reporting to the cybersecurity committee chairperson of the board of directors for certain cybersecurity incidents and, if appropriate, the cybersecurity committee and the board of directors.
The cybersecurity committee receives periodic notices (written and verbal) from the Cybersecurity Team concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented that are intended to address them. The cybersecurity committee also receives quarterly reports, summaries or presentations related to cybersecurity threats, risks and mitigation.