COHU INC - (COHU)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity.

We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our intellectual property and data. We maintain policies and procedures designed to allow management to assess, identify, and manage material risks from cybersecurity threats. We integrate our cybersecurity policies and procedures into our overall enterprise risk management program, which is implemented by management and overseen by the Board of Directors through its Audit Committee.

We utilize the Center for Internet Security (“CIS”) Critical Security Controls as a framework for managing our cybersecurity program. The CIS framework outlines 18 critical control areas relating to organizational security and provides effective methodologies, guidelines, and industry standard best practices to develop and manage a comprehensive cybersecurity program. Additionally, we align our controls to various international security certifications and standards and have adopted best practices from industry-leading frameworks. Our cybersecurity program includes policies and procedures relating to encryption, data loss prevention technology, authentication technology, access control, anti-malware software, third-party risk monitoring, insider risk management and identity management. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also regularly obtain system and organization control (“SOC”) reports from our service providers (“SOC 2”). Members of our corporate information security organization receive information exchanges from their professional networks and attend training, webinars, and conferences to stay up to date on both trends and system-specific updates. In addition, all Cohu employees are required to complete regular security awareness training, including testing, each of which is designed to promote a company-wide culture of cybersecurity risk awareness and management.

As part of the Board of Directors’ role in overseeing our enterprise risk management program, which includes our cybersecurity risk management, the Board is responsible for exercising oversight of management’s identification and management of, and planning for, material cybersecurity risks that may reasonably be expected to have an adverse effect on us. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee conducts reviews of the effectiveness of our risk management strategies. This review helps in identifying areas for improvement and in aligning cybersecurity efforts with the overall risk management framework and the promotion of our business objectives and operational needs. In addition to our scheduled meetings, the Audit Committee maintains an ongoing dialogue with management, including on emerging or potential cybersecurity risks.

Our corporate information security organization, led by our Chief Information Security Officer (“CISO”), is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Our CISO has over 35 years of experience in various roles in information technology and information security, including serving as SVP and CIO or VP and CIO at various defense, aerospace and semiconductor supplier companies. He holds a bachelor’s degree in Computer Science and an MBA, and has several relevant certifications, including ITIL Certification. The corporate information security organization manages and regularly enhances our enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Central to this organization is our cybersecurity incident response team (“CIRT”), which is responsible for the protection, detection and response capabilities used in the defense of Cohu’s data and enterprise computing networks. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation or eradication, recovery and notification, including notifying key functional areas, as well as the CEO, Chairperson and Chairperson of the Audit Committee and other members of the Board, as appropriate.

In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from security incidents were immaterial. As a result, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected us, our results of operations or financial condition. Notwithstanding the measures we take to assess, identify, and manage cybersecurity risks, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For a discussion of how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, may materially affect or are reasonably likely to materially affect us, see the risk factor entitled “Our business and operations could suffer in the event of cybersecurity breaches within our operational systems or products”.
