LITTELFUSE INC /DE - (LFUS)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY.
The cybersecurity and data protection program at Littelfuse is based on foundational principles outlined in applicable industry and internationally accepted cybersecurity frameworks. The Company has experienced and will continue to experience cyber-attacks, attempts to breach its systems, and other similar incidents; however, we do not believe that the prior cyber incidents have materially affected or currently are reasonably likely to materially affect the Company. Littelfuse faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows, or reputation. Like all cybersecurity programs, there is no guarantee that every attack method and technique has been fully addressed, as these change constantly, but Littelfuse is diligent in its attempts to protect data of the Company and its stakeholders.
Littelfuse strives to assess and update its cybersecurity program on a regular basis using an Information Security Management System (ISMS) comprised of three main elements – 1) independent internationally recognized vendors and technologies for assessments and monitoring, 2) strong internal controls based on industry standards, and 3) Board and Senior Leadership governance and support.
From an external assessment and monitoring perspective, Littelfuse engages third parties to monitor and report on known exploitable vulnerabilities, within and external to Littelfuse’s information technology (IT) ecosystems. These third parties provide assessment and vulnerability scanning tools to detect exploitable unauthorized access into the Littelfuse environments.
The Audit Committee of the Board of Directors is tasked with reviewing the Company’s policies and procedures related to cybersecurity risks and incidents. The Company’s Chief Information Officer (“CIO”) oversees its cybersecurity program, and regularly provides updates to Littelfuse Senior Leadership and the Audit Committee, as well as the full Board, which include information regarding our cybersecurity program initiatives, insurance coverage, acquisition integration processes, program performance as well as the maturity of the Littelfuse cybersecurity program. These cybersecurity maturity updates are based on cybersecurity maturity reporting and analysis by the Littelfuse internal IT team, as well as reporting provided by independent third parties. The updates help Senior Leadership, the Audit Committee, and the Board to understand the risks the organization faces based on changing cybersecurity threats and on changes to the Littelfuse environment due to factors such as acquisitions and new technology upgrades and improvements. Representatives from Littelfuse’s technology team and other business functions receive regular cybersecurity risk reports and use this information for its decision making in operational improvements as well as budget and resource allocations. The CIO has managed and evolved the cyber security function at Littelfuse for the past five years and is supported by a cyber security leader with over 20 years of Littelfuse experience in IT infrastructure, IT operations, and cybersecurity.
The ISMS within Littelfuse consists of internationally recognized program elements that reduce the risk of an operational or cybersecurity incident from significantly impacting Littelfuse and its customers, vendors, and employees. These ISMS elements include but are not limited to:
Security Awareness and Training – Littelfuse has an IT security awareness program consisting of training on the fundamentals of information security protection. These training courses are provided annually.
Network Protection – Network protection, detection, and monitoring technologies have been deployed on all external and internal network connections to segment different sections of the business from each other to strengthen key protection capabilities.
Identity and Access Management (IAM) – Littelfuse has implemented user authentication controls on its systems, devices, data, and applications. In addition, multi-factor authentication is implemented for all personnel who remotely access or have privileged account access to Littelfuse systems and networks.
Data Classification and Protection – Littelfuse has implemented data loss prevention and classification labels and encryption on its internal unstructured data to prevent unauthorized data loss and data sharing. Structured data in ERP systems and core business systems are encrypted and protected by industry cybersecurity standards and procedures.
Endpoint Protection – Littelfuse has implemented anti-virus, malware, and endpoint protection management detection and monitoring solutions on end-user devices and servers. Logs and alerts from these monitoring solutions are routed to independent third-party monitoring vendors that provide 24/7 monitoring, around the world.
Threat and Vulnerability Management – Littelfuse uses an internationally recognized managed security services provider (MSSP) and technologies to collect security alert and audit logs on a 24/7 basis, monitor and assess the latest threat intelligence, provide analysis on newly identified potential vulnerabilities, and provide response and support services to rapidly reduce any identified vulnerabilities.
Security Incident Management – Security incident response plans and procedures have been developed in collaboration with our MSSP. They allow us to assess potential threats, first and second level notification and response protocols, and supporting notification protocols – both internally and externally. These plans, procedures, and protocols are tested and updated on a regular basis.
Resiliency and Contingency Planning – Risk assessments are performed on a regular basis to assess the IT risk of single points of failure, security maturity, and security vulnerabilities. The results of these assessments are used to define various resiliency and contingency mitigation strategies, corrective action plans, on-site and remote data back-up strategies and technologies and allocation of IT resources.