InterDigital, Inc. - (IDCC)

10-K Filing Date: February 15, 2024
Item 1C.  CYBERSECURITY.
We take a defense-in-depth approach, leveraging multiple, layered security measures, to protect our data, our customers’ data, our infrastructure, and our employees. We embed data protection throughout our operations and information technology programs, relying on multiple and various controls to prevent and detect threats, with the goal of safeguarding our assets, data and personnel.
InterDigital evaluates cybersecurity risks as part of our overall enterprise risk management. A steering committee of senior executives meets quarterly to evaluate any changes to the Company’s exposure to cybersecurity risks, discuss potential mitigation plans and provide updates on mitigation efforts already underway. Our cybersecurity team keeps up to date on the latest threats and risks through multiple channels and is also involved in evaluating risks associated with any new proposed service providers. The Company employs a Director of Cybersecurity & Networks, reporting directly to our CIO, who manages our cybersecurity team, which is comprised entirely of security professionals with industry-recognized, top-tier certifications. The cybersecurity team within IS is responsible for assessing and managing risks and informing/gaining feedback from the cybersecurity steering committee.
Additionally, InterDigital's team of dedicated cybersecurity experts/professionals maintains a comprehensive set of cybersecurity policies and standards, including a security incident response framework. The framework is a set of coordinated procedures and tasks that the InterDigital incident response team executes to ensure timely and accurate reporting and resolution of computer security incidents. The framework details who, how and when appropriate persons or committees, including the Audit Committee, are kept informed on the status of potential cybersecurity incidents. A summary of recent incidents is also presented by the Chief Information Officer (“CIO”) at each regular Audit Committee meeting. Our policies and standards were developed in collaboration with a wide range of disciplines, such as information technology, cybersecurity, legal, compliance and business. Our cybersecurity strategy and policies are continually reassessed to ensure they attempt to identify and proactively address the constant changes in the global threatscape, including through the use of tabletop exercises. Decision makers such as the CIO, executive team, and Audit Committee are regularly kept up to date on cybersecurity trends. Ongoing collaboration with stakeholders throughout the business also helps to build continued awareness and visibility of future needs.
We engage external vendors to assess the cybersecurity program as needed. An independent third party, never used consecutively, performs annual multi-stage penetration testing of our IT environment.
Our cybersecurity program is governed by the Audit Committee of our Board. The Audit Committee of the Board and the full Board each receive quarterly updates on cybersecurity risks identified through the enterprise risk management processes described above.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. We identify nation state-sponsored threat actors and the rise in sophistication and proliferation of ransomware campaigns as top reasonable material risks to the business. The theft, unauthorized use or publication of our intellectual property and/or confidential business or personal information (whether through a breach of our own systems or the breach of a system of a third party that provides services to us) could harm our competitive or negotiating positions, reduce the value of our investment in research and development and other strategic initiatives, compromise our patent enforcement strategies or outlook, damage our reputation or otherwise adversely affect our business. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.