VISHAY INTERTECHNOLOGY INC - (VSH)

10-K Filing Date: February 16, 2024
Item 1C. CYBERSECURITY

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.

We are committed to maintaining robust governance and oversight of these risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in us incurring significant costs related to, for example, rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. Based on media reports and other surveys, we believe there is a general increase in cyberattack volume, frequency, and sophistication. We have experienced the same in our own business. We seek to detect and investigate unauthorized attempts and attacks against our network and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our suppliers, and our customers can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. 
See "Risk Factors" for more information on our cybersecurity risks.

We aim to incorporate industry best practices throughout our cybersecurity program. Identifying and assessing cybersecurity risk is integrated into our overall risk management program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. Our cybersecurity program is designed to be aligned with applicable industry standards and is tested annually by independent third-party consultants. We have processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect us, and have processes to assess those issues for potential cybersecurity impact or risk.

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on at least an annual basis from senior management, including leaders from our Information Technology, Internal Audit, and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Technology, Internal Audit, and Legal teams. Such individuals have an average of over 20 years of prior work experience in various roles involving information technology, security, auditing, legal, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.
