DIODES INC /DEL/ - (DIOD)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity

Governance

Cybersecurity risk oversight continues to remain a top priority for the Board of Directors. The Board of Directors is responsible for oversight of the Company’s information security program, including risks of cybersecurity threats. The Risk Oversight Committee and Audit Committee, which support the Board of Directors in the oversight of the Company's information security program, are focused on risks from cybersecurity threats, including incident response planning, timely identification and assessment of incidents, incident recovery and business continuity considerations. The Risk Oversight Committee members have varied expertise and experience, including risk management, technology and finance, equipping them to oversee cybersecurity risks effectively. The Risk Oversight Committee has delegated day-to-day oversight of our information security program to our executive officers, including the Vice President of Information Technology ("VP of IT") along with our Global Cybersecurity Director ("Director"). Our VP of IT is a 24-year information technology industry veteran, having served in key information technology roles at a Fortune 500 company with over 15 years of direct influence over cybersecurity roadmaps and operations. The Director is a 30-year veteran of the information technology industry, having served in the military and with a Fortune 500 company, with over 20 years of cybersecurity experience including leading incident responses, policy development, and building security architectures. The VP of IT and the Director regularly meet with our President and Chief Financial Officer to inform them of matters related to cybersecurity risks and incidents. These meetings are designed to ensure that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company.
Furthermore, significant known cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors, ensuring that the Board of Directors has oversight and can provide guidance on critical cybersecurity issues. We believe our information security team is well positioned to identify risks from cybersecurity threats based on numerous job qualifications and on-going training.

Our incident response team, headed by the Director and VP of IT, reports material cybersecurity incidents to our executive officers and to our Board of Directors. The Company has an information security advisory board comprised of senior leaders within the Company. These senior leaders include representation from functions including product line, sales and marketing, manufacturing, legal, finance, human resources, supply chain, information technology and regional representation. Responsibilities of the advisory board include:

advise on creation and implementation of information security policy;
advise on information security strategic roadmap and investments;
review, advise, and promote security education, training and awareness;
review and advise on ongoing legal, regulatory, compliance, threat landscape, risks, industry news, and trends concerning cyber security; and
review and advise on the mitigation of cybersecurity risks and potential incidents.

The Company has internal disclosure committees made up of members of management to assist in fulfilling its obligations to maintain disclosure controls and procedures and to coordinate and oversee the process of preparing our periodic securities filings with the SEC. The disclosure committees are composed of members of management and are chaired by our Vice President and Corporate Controller. The disclosure committees meet on a quarterly basis and more often if necessary. The Company has policies and procedures in place to ensure that our disclosure committees are appropriately informed of any matters that should be considered in advance of applicable public filings, including cybersecurity and data privacy matters, and to address the proper handling and escalation of information to management and the Board of Directors, the Risk Oversight Committee and/or the Audit Committee.

Management provides cybersecurity-related legal, regulatory, compliance, risk, and relevant industry and internal threat updates to the Board of Directors on a quarterly basis, or more frequently as needed. The reports provide information regarding the state of the Company’s information security program, the nature, timing and extent of cybersecurity incidents, if any, and the Company’s resolution of such matters.

The VP of IT has a monthly meeting with the Company's President to provide an update of cybersecurity incidents and risks, irrespective of materiality. The Company's Board of Directors is provided a quarterly update on cybersecurity roadmaps and progress.

Risk Management and Strategy

The Company has a robust cybersecurity program that has direct involvement from the Board of Directors and senior management. Our business operations and relationships with customers and suppliers are heavily reliant on technology, and any failure or disruption in our technological systems could have significant negative impacts on our business.

Protecting information, including information of our customers, is a top priority. To assess, identify, and manage the risks of cybersecurity threats to our information systems and the associated costs, we maintain a cybersecurity program that:

defines cybersecurity risks that threaten the security of customer and employee data or the function of our products and services;
identifies security vulnerabilities across software and hardware environments;
determines threat likelihood and potential severity of each risk;
catalogs information assets, including hardware, software, and the types of data the Company collects, stores, and transmits, as well as the locations where the data is stored;
assesses the risk to business operations and information protection;
analyzes the risk and prioritizes based on financial, operational, strategic and reputational impact, and probability of occurrence;
establishes security controls to eliminate or mitigate identified risks;
monitors and periodically reviews security controls; and
collaborates with HR for employee awareness and training.

Specifically, our information security program, which is led by our Director, establishes and maintains our corporate-wide cybersecurity program and provides guidance and direction for information security activities and controls at Diodes. Through our cybersecurity program, we monitor the environment for incidents, classify the activity, and escalate incidents according to Company procedures. Incidents classified to a level that may significantly impact the Company are escalated to management for monitoring and action if necessary. The Company also maintains an appropriate system of hygiene for internal and external systems through accepted information technology practices such as patching, security monitoring, capacity management, availability monitoring, and third-party vulnerability scanning.

Our Director and VP of IT oversee and manage the Company’s cybersecurity risk monitoring and mitigation processes and regularly collaborate with other departments, including business units and the information technology department, as necessary, to facilitate the risk monitoring and mitigation processes and to ensure the policies and procedures for our information security program are integrated into our overall risk management assessment. The information security team performs a bi-annual third-party assessment of our information security program using industry standard frameworks. Results are shared with the Company's management and with the Board of Directors.

We have defined policies and procedures for cybersecurity incident detection, containment, response and remediation and have adopted physical, technological and administrative cybersecurity and data privacy controls. In particular, the Company has established a cybersecurity incident response plan that includes the classification of cybersecurity incidents, to whom to escalate an incident, and when to escalate a cybersecurity incident, including direct communication to the VP of IT, Director and President. The Company regularly conducts vulnerability assessments and tracks remediation to completion. Critical systems are periodically audited against industry standards.

To minimize our risk and exposure to material cybersecurity incidents, we also conduct company-wide annual and ongoing cybersecurity awareness training and education of our employees. This includes, but is not limited to, topics such as password hygiene, phishing, and other cybersecurity-related information.

In addition to performing an annual risk assessment and developing a detection and mitigation plan, along with a comprehensive review and update of our cybersecurity and data privacy policies and procedures, we continuously evaluate new and emerging risks and ever-changing legal and compliance requirements. Our comprehensive information security program includes agreements with third-party cybersecurity partners for continuous monitoring, alerting, and response. To supplement our cybersecurity and data privacy risk assessment, identification, management and mitigation efforts, we regularly consult with third-party experts, which include the following services:

conduct annual cybersecurity and data privacy risk assessments;
conduct external and internal penetration tests;
monitor critical infrastructure for abnormal behavior; and
provide validation of the Company’s cybersecurity and operations processes against the National Institute of Standards and Technology cybersecurity framework.

Impact of cybersecurity risks on business strategy, results of operations or financial condition

Cybersecurity threats, such as threats of attacks from computer hackers, cyber criminals, nation-state actors and other malicious internet-based activity, continue to increase. Cybersecurity threats may also include threats of attacks involving social engineering and cyber extortion to induce customers, contractors, business partners, third-party service providers, employees and other third parties to disclose information, transfer funds or unwittingly provide access to systems or data.

We believe that our current preventative actions and response activities provide adequate measures of protection against security breaches and generally reduce our cybersecurity risks. However, cybersecurity threats are constantly evolving, are becoming more frequent and more sophisticated and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. While we have implemented measures to safeguard our operational and technology systems and have established a culture of continuous learning, monitoring and improvement, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. However, to date, management has determined that none of the cybersecurity attacks the Company experienced have resulted in a material impact to its financial condition, results of operations or business strategy. In the ordinary course of our business, we have experienced and expect to continue to experience cyber-based attacks and other attempts to compromise our information systems, although none, to our knowledge, has had a material adverse effect on our business, financial condition or results of operations. While we do not believe cybersecurity threats are reasonably likely to affect us, our business strategy, our results of operations or our financial condition, like all technology companies, we face risks of such threats, the consequences of which could be material. See Item 1A – Risk Factors – “System security risks, data protection breaches, cyber-attacks and other related cybersecurity issues could disrupt our internal operations, and any such disruption could reduce our expected net sales, increase our expenses, damage our reputation and adversely affect our stock price,” above.
In addition, given the constant and evolving threat of cyber-based attacks, we incur significant costs in an effort to detect and prevent security breaches and incidents, and these costs may increase in the future.