ENTEGRIS INC - (ENTG)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Risk management and strategy
As a key supplier in the semiconductor ecosystem, security and risk management of our technology systems and processes is critical to ensuring our ability to serve our customers without interruption.
Management of Cybersecurity Risks
Our management of cybersecurity risks is integrated into our company-wide enterprise risk management program. As part of this process, our risk management team works closely with our IT department to identify and evaluate potential cybersecurity risks to the Company and to develop controls to mitigate and protect against those risks.

Each quarter, our Chief Information Security Officer (“CISO”) presents an overview of the Company’s cybersecurity risk landscape to our Enterprise Risk Management Committee, which includes our Executive Leadership Team and Vice President, Internal Audit. In addition, our CISO Council, which includes our CISO and our Chief Information and Digital Officer, holds meetings with our Executive Leadership Team on a quarterly basis to review these cybersecurity risks and mitigation measures in further detail.

Our cybersecurity risk management program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We identify key assets that are critical to our business and assess potential cyber threats and vulnerabilities associated with those assets and the operations they enable. Following that assessment, we implement strategies and design controls to manage those risks. For example, we use single sign-on to limit access to our networks and multi-factor authentication to verify users’ identities. We also continuously monitor our systems and networks to protect against internal and external threat actors. We have policies and procedures in place, such as our Privileged Access Management process, to limit and control access to our confidential information by our vendors and other third parties. We also conduct due diligence and reviews of cybersecurity policies of third parties that access our systems or data. Additionally, we are focused on segregating our manufacturing processes from the Company’s other networks to minimize the risk of interruptions to our manufacturing operations resulting from cyber breaches. To increase our employees’ vigilance of cybersecurity risks and educate them on best practices relating to those risks, we conduct cybersecurity trainings and awareness campaigns, such as quarterly phishing campaigns.

Engagement of Third Parties
Given the complex and evolving nature of cybersecurity threats, the Company engages third parties to assist us in developing and maintaining effective cybersecurity risk management. Partnering with third parties enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes are well-designed and effective. For example, in 2023, we engaged a global law firm to conduct an external assessment of our cybersecurity governance framework and processes and provide recommendations to improve our cybersecurity readiness and posture. We also work with third-party specialists who perform threat and vulnerability assessments and audits and develop strategies to mitigate cybersecurity-related risks.
Oversight of Third-party Risk
We are aware of the cybersecurity risks associated with engaging third-party service providers. To mitigate such risks, we conduct security assessments of high-risk third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes annual assessments by our CISO and ongoing assessments by our security engineers. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats

The Company’s information and operational technology systems and its third-party providers’ systems have been, and will likely continue to be, subject to cybersecurity threats, such as computer viruses or other malicious codes, ransomware, unauthorized access attempts, business email compromise, cyber extortion, denial of service attacks, phishing, social engineering, hacking and other cyberattacks attempting to exploit vulnerabilities.

To date, the Company is not aware that its business or operations have been materially impacted by these cyberattacks. However, the Company’s security efforts and the efforts of its third-party providers may not prevent or timely detect attacks and resulting breaches or breakdowns of the Company’s, or its third-party service providers’, databases or systems.
Governance
Board of Directors’ Oversight
The Audit and Finance Committee (the “Audit and Finance Committee”) of our Board of Directors is responsible for reviewing and monitoring general information technology and cybersecurity matters, including related risks, and reporting to the Board its determinations, actions and recommendations related thereto. Our Audit and Finance Committee is composed of independent directors with extensive executive leadership and risk management experience. Our CISO, together with our Chief Information and Digital Officer (“CIDO”), provides quarterly updates to our Audit and Finance Committee regarding the cybersecurity risk landscape, specific risks affecting the Company and solutions to mitigate those risks, and legal and regulatory requirements relating to cybersecurity. These updates assist the Board in performing its oversight and risk management function. In addition, the full Board receives an annual report on cybersecurity directly from the CISO.
Management’s Role in Managing Risk
Our CISO is responsible for the implementation, operation and monitoring of our cybersecurity risk management program. Our current CISO, who reports to our CIDO, has over 20 years of experience managing the information technology and cybersecurity operations within large, global organizations. His extensive experience assessing and mitigating cybersecurity risk, implementing governance structures and developing employee training programs is critical in developing and executing our cybersecurity strategies.

Monitoring of Cybersecurity Incidents
Our Cybersecurity Incident Response Plan establishes how we monitor and respond to cybersecurity incidents impacting our environment. The CISO works closely with members of our Executive Leadership Team and his cybersecurity team to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. We engage a third-party managed security services provider (MSSP) to provide 24/7 continuous monitoring of the Company’s IT and operational technology environments for potential cybersecurity incidents. In the event such an incident is identified by our MSSP or any of our employees, the incident is assigned a severity classification (minor, moderate or major) by our cybersecurity team and escalated accordingly. Depending on the severity of the incident, certain key personnel are notified and work together to further investigate the incident and take actions to respond, which may include engaging with external specialists, regulatory authorities and our cybersecurity insurance carrier. The CISO receives daily and weekly updates on all incidents and incident responses, which the CISO shares with our Executive Leadership Team on a weekly basis. Our cybersecurity team conducts a post-incident review of all major cybersecurity incidents, which review includes identification of vulnerabilities, assessment of the incident’s impact on the Company and recommendations to help prevent similar incidents in the future.