CADENCE DESIGN SYSTEMS INC - (CDNS)
10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, including our customers’, vendors’, partners’ and employees’ data, including personal information.
Our cybersecurity risk management program is guided by frameworks and standards promulgated by the EU, National Institute of Standards and Technology, Cloud Security Alliance (“CSA”) and International Organization for Standardization/International Electrotechnical Commission (“ISO/IEC”). While we seek to maintain ISO/IEC 27001:2013, ISO/IEC 27017 and the SOC 2 Type 1 certifications, this does not imply that we specifically or comprehensively comply with technical specifications or requirements, only that we use all the above-mentioned standards and regulations as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall risk oversight strategy and utilizes common reporting channels and governance processes that apply across other risk areas. We have a dedicated Chief Information Security Officer (“CISO”), who leads our Information Security team responsible for managing our cybersecurity processes, strategy and controls. Certain members of our Information Security team hold cybersecurity certifications, including the Certified Information Systems Security Professional (“CISSP”) and the Certified Information Systems Auditor (“CISA”) designations.
Our cybersecurity risk management program includes:
• a security incident response plan that includes procedures for responding to cybersecurity incidents;
• risk assessment processes designed to help identify cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
• our Information Security team, principally responsible for identifying and mitigating cybersecurity risks, and managing our security controls and our response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with certain aspects of our security controls and processes;
• implementation of new hire and annual data privacy and cybersecurity training of employees, including senior management, and cybersecurity governance training for our Board of Directors;
• a cybersecurity insurance policy to cover certain types of costs and losses from cybersecurity incidents; and
• a third-party risk management process, including risk assessment and risk rating, for certain service providers, suppliers, and vendors.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and our Board committees assist with certain aspects of risk oversight. With respect to cybersecurity risk, our Board of Directors shares certain of the oversight responsibility and processes with the Audit Committee of the Board of Directors (“Audit Committee”).
The Audit Committee, comprised entirely of independent directors, reviews and discusses with management our guidelines, policies and practices regarding risk assessment and risk management as they relate to our financial condition, and oversees our financial risk exposures, including planning regarding business continuity and cybersecurity. In addition, the Audit Committee oversees our annual enterprise business risk assessment, which includes the review of cybersecurity risks we face and our associated risk mitigation measures, and receives semi-annual reports from management on cybersecurity matters, including areas such as threat intelligence, major cybersecurity risk areas, regulations and cybersecurity incidents. In addition, management updates the Audit Committee, as necessary, regarding significant cybersecurity incidents, as well as any incidents with lesser impact potential.
The Audit Committee reports to the Board of Directors regarding its activities related to cybersecurity. In addition, the Board of Directors also directly receives reports from management on our cybersecurity risk profile and on the performance of our data privacy and cybersecurity risk management program, semi-annually in alternating quarters with the Audit Committee.
Our management team, including our Chief Information Officer (“CIO”), CISO and the General Counsel, is responsible for assessing and managing material risks from cybersecurity threats, including supervision of our internal security incident response team and our Disclosure Committee comprised of certain of our employees (including any applicable subcommittees thereof). Our management team has relevant expertise in the following: (i) understanding of cybersecurity risks in enterprise operations, (ii) experience in overseeing risk management and understanding risks faced by enterprise operations and (iii) significant operating experience allowing them to provide insight into developing, implementing and assessing our operating plan. In addition, our CISO has over 25 years of broad cybersecurity and information technology risk management experience, is a Certified Information Security Manager (“CISM”) and holds a Master's Degree in computer science and information systems.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, and is responsible for oversight and management of our cybersecurity risk management program. Our management team receives briefings from our internal Information Security team and the Disclosure Committee whenever applicable. Such briefings include information regarding threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our information technology environment. Our management team also provides quarterly cybersecurity risk management program updates, to the Board of Directors or to the Audit Committee, in alternating quarters.