AMPHENOL CORP /DE/ - (APH)
10-K Filing Date: February 07, 2024
Cybersecurity Risk Management and Strategy
We have developed and implemented an information security and cybersecurity risk management program (“Program”) intended to protect and preserve the confidentiality, integrity and availability of our data and information technology systems. Our Program is integrated into our overall enterprise risk management program. We use the National Institute of Standards and Technology Cybersecurity Framework (the “NIST CSF”) as a benchmark to ensure that our Program is maintained in line with industry best practices. This does not imply that we meet any particular technical standards, specifications or requirements, but it does mean that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.
The Company maintains a decentralized information technology infrastructure, where each of our business units utilizes a separate and distinct information technology system. This means that if any business unit’s systems are compromised, there is significantly less risk that another business unit will be impacted by that event. This decentralized structure also allows our information security professionals embedded within an individual business unit to make quick, efficient decisions when changes or actions are needed and provides an additional safeguard for our data and systems.
Our Program includes:
● risk assessments and penetration tests integrated within our overall risk management processes that are designed to identify cybersecurity and technology risks, as well as to formulate management actions to respond to, mitigate and remediate material issues (if any);
● annual management reporting to the Board of Directors (the “Board”);
● reporting of the scope, objectives and results of internal audits on the procedures performed on the control environment related to our information security systems and security controls to the Audit Committee at least two times a year;
● annual cybersecurity awareness training to instruct employees how to better identify cybersecurity concerns and to avoid actions that might inadvertently allow outsiders to access our systems;
● installation of end point protection software on our Company-managed systems and workstations in an effort to detect and prevent malicious code from impacting our systems;
● a cross-functional team principally responsible for managing our cybersecurity risk assessment processes and our response to cybersecurity incidents;
● the use of external service providers, where appropriate, to assess, monitor, test or otherwise assist with aspects of our security controls and response to cybersecurity incidents; and
● a documented framework and supporting processes for handling security incidents that facilitates coordination across multiple parts of the Company.
We have not identified risks from known cybersecurity threats, including as a result of any prior security breach, that have materially affected or are reasonably likely to materially affect us, including our business strategy, financial condition and results of operations. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. For a discussion of certain risks related to cybersecurity, refer to the risk factor titled “Cybersecurity incidents affecting our information technology systems could disrupt business operations or cause the release of highly sensitive confidential or personal information, resulting in adverse impacts to our reputation and operating results and potentially leading to litigation and/or governmental investigations, fines and other penalties” in Part I, Item 1A. Risk Factors herein.
Cybersecurity Governance
Our Board maintains oversight responsibility relating to our Program, with assistance from the Audit Committee. At least annually, our management team (including the leaders of our Information Technology and Internal Audit teams) provides an update regarding our Program to the Board. This update provides an overall assessment of the effectiveness of our Program and a review of areas of focus for the upcoming year. The Board also receives periodic reports from our Vice President, Internal Audit, on the audit focus areas and control testing related to our information security systems and security controls, and our management team updates the Board, as necessary, regarding any material cybersecurity incidents.
Our management team, including our Senior Vice President and Chief Financial Officer, Senior Vice President and General Counsel, Vice President, Information Technology, and Vice President, Internal Audit, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our Program and our Vice President, Information Technology, supervises both our internal information security personnel and our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal information technology personnel and external consultants engaged by us, as well as alerts and reports produced by security tools deployed in our information technology environment.
Our management team’s experience includes knowledge related to information technology, cybersecurity and incident response, risk management, control analysis and corporate governance. For additional details about our management team and their experience, refer to the Executive Leadership page on the Company’s website at https://www.amphenol.com/governance/leadership.