VEECO INSTRUMENTS INC - (VECO)
10-K Filing Date: February 16, 2024
Cybersecurity represents a critical component of the Company’s overall approach to risk management. Our cybersecurity practices are integrated into the Company’s enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks identified for oversight by our Board of Directors and the Board’s Audit Committee through our annual ERM assessment. Our cybersecurity policies and practices follow the cybersecurity framework of the National Institute of Standards and Technology and other applicable industry standards. We generally approach cybersecurity threats through a cross-functional, multi-layered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) maintaining the confidence of our customers, clients and business partners; (iii) preserving the confidentiality of our employees’ information; and (iv) protecting the Company’s intellectual property.
Consistent with the Company’s overall ERM practices, our cybersecurity program focuses on the following areas:
● Vigilance: The Company maintains a global presence, with cybersecurity threat operations operating 24/7 around the world with a specific goal of detecting, containing and responding to cybersecurity threats and incidents.
● Collaboration: The Company has established collaboration mechanisms with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers to identify and assess cybersecurity risks.
● Systems Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, access controls and ongoing vulnerability assessments.
● Third-Party Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, such as vendors, service providers and other users of the Company’s systems.
● Education: The Company provides periodic training for personnel regarding cybersecurity threats, with such training scaled to reflect the roles, responsibilities, and access of the relevant Company personnel.
● Incident Response Planning: The Company has established and maintains incident response plans that address the Company’s response to a cybersecurity incident, and such plans are tested on an ongoing basis.
● Communication and Coordination: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats and has formed an Information Security Leadership Group which includes management personnel from information technology, operations, legal, internal audit and other key business functions. The Information Security Leadership Group typically meets on a monthly basis, and more frequently as necessary.
● Governance: Pursuant to the Company’s ERM practices, oversight of cybersecurity risk management has been assigned to the full Board and to the Board’s Audit Committee. Quarterly updates are provided by Company management, including the Company’s Chief Information Security Officer, to the Audit Committee (three times per year) and the full Board (annually), to help ensure an ongoing dialogue regarding the Company’s cybersecurity initiatives, threats and incidents.
A key part of the Company’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company’s processes and practices through auditing, assessments, tabletop exercises and other exercises focused on evaluating effectiveness. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness and adjusts its cybersecurity processes and practices as necessary.
The Audit Committee oversees the management of risks from cybersecurity threats, including the policies, processes and practices that the Company’s management implements to address risks from cybersecurity threats. Management’s quarterly presentations include reports on a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and vendors. The Board also receives prompt and timely information regarding any cybersecurity incident that could pose a significant risk to the Company and receives ongoing updates regarding such incident until it has been addressed. At least once each year, and more frequently as required, the Board discusses the Company’s approach to cybersecurity risk management with the Company’s Chief Information Security Officer.
The Company’s Chief Information Security Officer is the member of the Company’s management that is principally responsible for overseeing the Company’s cybersecurity risk management program, in partnership with other members of the Information Security Leadership Group. Our Chief Information Security Officer has served in various roles in information technology and information security for over twenty years. Our Chief Information Security Officer holds graduate degrees in cybersecurity and business administration and has attained multiple professional certifications including CISSP, CISA and CISM.
The Company’s Chief Information Security Officer, in coordination with the Information Security Leadership Group, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, multi-disciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company’s incident response plan. Through ongoing communications with these teams, the Chief Information Security Officer and the Information Security Leadership Group monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Board when appropriate, as addressed above.
While we and our third-party providers have in the past experienced cybersecurity incidents, we are not aware of any current incidents or new types of threats which have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.