INTEVAC INC - (IVAC)

10-K Filing Date: February 15, 2024
Item 1C.

Cybersecurity

Risk Management and Strategy

We have established processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. To prevent, detect and respond to information security threats, we maintain a cyber risk management program that combines a Zero Trust security model with the Cybersecurity Framework (“CSF”) published by the National Institute of Standards and Technology (“NIST”). Zero Trust is a security model under which every user must be authenticated, authorized, and continuously validated for security configuration before being granted access to applications and data, rather than being trusted on the basis of network location. The CSF is a set of voluntary guidelines that help organizations assess and improve their cybersecurity posture by implementing processes for identifying and mitigating risk, and for detecting, responding to and recovering from cyberattacks.

We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards.

We engage a third-party outsourced security operations center in connection with our risk assessment processes. This service provider performs daily monitoring of our environment and testing of our safeguards for intrusions and vulnerabilities. We require this third-party service provider to certify that it is able to implement and maintain appropriate security measures consistent with all applicable laws, to maintain reasonable security measures in connection with its work with us, and to promptly report any suspected breach of its security measures that may affect Intevac.

Our Security Awareness Program includes training that reinforces our information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect the Company’s resources and information. This training is mandatory for all employees globally on a periodic basis, and it is supplemented by Company-wide testing initiatives, including periodic phishing tests. The Company provides specialized security training for certain employee roles such as application developers. Training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.

Governance

One of the key functions of our Board of Directors is informed oversight of our risk management processes, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee of the Board of Directors (the “Audit Committee”). The Audit Committee has primary responsibility for oversight of information security risks, including fraud, vendor, data protection and privacy, business continuity and resilience, and cybersecurity risks, and provides regular updates to the Board of Directors on such matters. The Audit Committee receives regular reports from our Director of Information Technology on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. Information security risk is a significant oversight focus area for the Audit Committee, as well as the entire Board of Directors. Over the course of fiscal year 2023, the Audit Committee received four separate cybersecurity briefings from our Director of Information Technology.

Our Director of Information Technology and our management committee on cybersecurity, which includes our CEO, interim CFO, and VP of Operations, are primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Director of Information Technology, who leads a team responsible for enterprise-wide cybersecurity strategy, policy, standards, architecture and processes, has extensive experience and background in information technology, platform software, cloud computing, cybersecurity, enterprise strategy, risk management, and large complex system development, delivery, and deployment. Additionally, our Director of Information Technology chairs our Cybersecurity Incident Response Team, which is responsible for prevention, identification, containment, eradication and remediation of cybersecurity incidents. While we have not experienced a material information security (cybersecurity) incident, we maintain an information security (cybersecurity) risk insurance policy as a matter of good practice.
