POWER INTEGRATIONS INC - (POWI)

10-K Filing Date: February 12, 2024

Item 1C. Cybersecurity.

Cybersecurity Risk Assessment, Identification and Management

We are committed to protecting our information technology (“IT”) infrastructure, including computers, systems, corporate networks and sensitive data, from unauthorized access or attack. We have established global IT policies as well as IT security management control procedures designed to assess, identify, and manage material risks from cybersecurity threats by:

Creating information security awareness among our employees and business partners and defining responsibilities among them;
Implementing controls to identify IT risks and monitor the use of our systems and information resources;
Establishing key policies and processes to adequately and timely respond to security threats;
Maintaining disaster recovery and business continuity plans; and
Emphasizing compliance with applicable laws, regulations and contractual obligations regarding the management of information security.

These policies and control procedures, discussed in more detail below, are an integrated component of our enterprise risk management assessment processes. We routinely review and assess our business groups and systems to identify and prioritize areas of risk, including cybersecurity risk. The results of these assessments and progress against prioritized goals are presented to the board of directors each quarter.

We have incurred and may in the future incur significant costs in order to implement, maintain, and/or update security systems we believe are necessary to protect our IT infrastructure. We deploy technical safeguards that are designed to protect our systems from cybersecurity threats, including firewalls, intrusion prevention, and intrusion detection systems. We have established disclosure controls and procedures to address cybersecurity events, which include elements relating to comprehensive analysis of events and communication within the company, as well as addressing potential disclosure obligations arising from security breaches.


We have partnered with third parties to support our information security systems and processes, and to help design, build, test, implement and maintain them. Annual risk assessments are conducted by third-party consultants to help ensure that risks to our IT infrastructure are minimized or eliminated.

We rely on products and services provided by third parties for portions of our IT infrastructure, including business management, operations and finance systems. These providers may also experience breaches and attacks on their products which may impact our systems. Further, we may also face additional cybersecurity risk due to error or intentional misconduct by contractors and other third-party service providers related to the use of these systems as part of our IT infrastructure.

We have a third-party security policy in place to identify, manage and oversee the potential material risks from threats associated with the use of third-party service providers. We evaluate vendors and consider, amongst other factors, the criticality of services and the sensitivity of information that is within the scope of the services to be provided, and manage risk accordingly. Our internal legal department reviews all IT service agreements with input from the IT department to ensure that the services, terms and conditions in the agreement are suitable. Our IT department performs regular monitoring of vendor services as part of its ongoing review and monitoring of vendors. As part of our policy, we monitor termination of agreements with vendors, which is designed to ensure that access to Company information is terminated in a timely manner. Unauthorized network intrusions or other significant information security incidents against third-party systems used by the Company internally are handled in the same manner as those against internal systems. However, as described in Part 1, Item 1A, Risk Factors of this Annual Report on Form 10-K under “Risks Related to the Operation and Growth of Our Business”, we have limited insight into the data privacy or security of third-party service providers, and our response may be limited or more difficult because we may not have direct access to their systems.

Although we believe we have adequate resources and sufficient policies, procedures, and oversight in place to identify and manage IT security risks related to our business operations, there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1, Item 1A, Risk Factors in this Annual Report on Form 10-K under “Risks Related to the Operation and Growth of Our Business.”

Management Oversight

Our IT infrastructure and the assessment and management of associated risks are primarily the responsibility of our Chief Information Security Officer (“CISO”). Our CISO’s additional responsibilities include hiring appropriate personnel, helping to integrate cybersecurity risks into the Company’s overall risk management strategy, and communicating updates regarding IT/Information security key priorities to relevant personnel including management and the board.

Our CISO has served in that position since 2018. Our CISO has extensive experience serving in executive and senior IT leadership positions over the past 25 years including serving at Cavium in a succession of information security roles, including Vice President of Business Systems, for eleven years, Vice President of IT Applications at ServiceNow for two years, and overseeing worldwide IT Infrastructure, IT Operations and Information Security at Pinnacle Systems for eight years.

We have in place an Incident Response Procedure policy to define our response to unauthorized network intrusions or other significant information security incidents, collectively cybersecurity incidents. The policy defines the standard operational process to determine whether an event observed on a system could have caused a breach of the system or a compromise of sensitive data. This policy serves to establish a formal process to report incidents and track response activities. It also defines escalation processes within the Information Security team and to our Cybersecurity Incident Response Team. It is the responsibility of the Cybersecurity Incident Response Team to determine whether an incident is material. The Cybersecurity Incident Response Team consists of members from functional groups across our organization, including executive management, IT, Information Security, legal, finance and operations. We may include other individuals, including third parties, as appropriate depending on the nature of the incident and the system(s) involved. This cross-functional group allows us to address the operational impacts of cybersecurity incidents as and when they occur and to guide decisions related to materiality and, if applicable, disclosure. The Cybersecurity Incident Response Team is responsible for extrapolating cybersecurity incident event information into quantitative and qualitative impacts as they relate to our financial condition and operations. In addition, the Company’s Incident Response Procedure policy includes reporting to the board of directors for certain cybersecurity incidents.


Board Governance

Our full board of directors oversees our risk management, including but not limited to IT and cybersecurity policies, procedures, and risk assessments. Our management reports to our board of directors on information security matters on a quarterly basis, or more frequently as needed.

One of the key functions of our board of directors is informed oversight of our various processes for managing risk. An overall review of risk is inherent in our board of directors’ ongoing consideration of our long-term strategies, transactions and other matters presented to and discussed by the board of directors. This includes a discussion of the likelihood and potential magnitude of various risks, including cybersecurity risks, and any actions management has taken to limit, monitor or control those risks.

At each quarterly board meeting, the full board receives the quarterly cybersecurity board update prepared by our CISO. The report provides a comprehensive cybersecurity update for the past quarter, including topics such as details on the threat landscape, incident response, security metrics and performance, compliance and regulatory updates, cybersecurity investments and budget, employee security awareness and training, vendor risk management updates, business continuity and disaster recovery updates, and an update on cybersecurity strategy, projects and roadmap.