ON SEMICONDUCTOR CORP - (ON)

10-K Filing Date: February 05, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The secure processing, maintenance and transmission of sensitive data, including confidential and other proprietary information about our business and our employees, customers, suppliers and business partners, is important to our operations and business strategy. As a result, cybersecurity and data protection are key components of our long-term strategy.

We use various processes to inform our assessment, identification and management of risk from cybersecurity threats. Key areas of our cybersecurity risk management processes and strategy currently include:

Cross-Functional Collaboration and Coordination. Our Enterprise Cybersecurity Services (“ECS”) team, led by our Chief Information Security Officer (“CISO”), has first line responsibility for our cybersecurity risk management processes. However, the ECS team works in partnership with other internal teams to coordinate efforts, priorities and oversight. These include:
our Cybersecurity Executive Council (the “Council”), which is composed of key leaders from stakeholder groups throughout the Company, including the CISO and certain members of senior management;
our Enterprise Risk Management (“ERM”) team, which is responsible for evaluating and assessing overall enterprise risk, including cybersecurity risk, and advising senior management and the Board regarding our overall risk profile and priorities as they evolve;
our Internal Audit Department (“IAD”), which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment; and
our Cyber Incident Response Team (“CIRT”), a cross-functional team of subject matter experts from across the Company and certain third-party support providers that we have on retainer.

Ongoing Evaluation and Assessment of Systems and Processes. We update our information security management system from time to time as appropriate and we employ standards and frameworks as we deem necessary to assist us in monitoring compliance with regulatory, industry and evolving data privacy requirements. In addition to periodic in-depth evaluations of our systems and processes, we monitor our IT systems and processes on an ongoing basis with the goal of identifying and remediating real and potential threats as they arise. We adjust our systems, procedures and policies regularly as we deem necessary in response to identified threats and risks.

Security Awareness Program to Train and Test Personnel. We sponsor a multi-faceted security awareness program that includes regular, mandatory trainings for our personnel on data protection and malware detection, policy and process awareness, periodic phishing simulations and other kinds of preparedness testing.

Cyber Incident Response Plan. We maintain a cross-functional cyber incident response plan with defined roles, responsibilities and reporting protocols. This plan, which we evaluate and test on a regular basis, focuses on responding to and recovering from any significant breach as well as mitigating any impact to our business. Generally, when a breach or suspected breach is identified, the ECS team would escalate the issue to the Council for initial analysis and guidance. In the event of a significant breach, the CIRT, overseen by the Council, would typically be tasked with preparing an initial response. The Council (in consultation with, among others, the CIRT) would be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any reporting or notification responsibilities.

Regular Evaluation of Initiatives, Results and Priorities. The ECS team, in consultation with the Council and other members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint, the results of our recent ECS initiatives, and further developments in the cybersecurity threat landscape. In addition, we periodically engage a third-party provider to conduct an external assessment of our security program. The results of this assessment, which are reported to the Audit Committee (and the Board, as appropriate), assist us in determining whether any further changes to our existing policies and practices are warranted.

We expect that our cybersecurity risk management processes and strategy will continue to evolve as the cybersecurity threat landscape evolves.

As indicated above, we engage third-party providers to assist us with our cybersecurity risk management and strategy. Some of these providers provide us with ongoing assistance (such as threat monitoring, mitigation strategies, updates on emerging trends and developments and policy guidance) while we engage others to provide targeted assistance (such as security and forensic expertise) as needed. Prior to exchanging any sensitive data or integrating with any key third-party provider, we assess their security fitness against our risk posture and request changes as we deem necessary.

As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected the Company, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the heading, “Trends, Risks and Uncertainties Related to Technology and Data Privacy” in this Form 10-K.

Governance

Consistent with our overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while our Board and its Audit Committee play an active, ongoing oversight role.

Board Oversight. Our Board has delegated to its Audit Committee specific, first-line responsibility for overseeing major cybersecurity risk exposures in addition to our broader ERM program. Specifically, under its charter, the Audit Committee is responsible for overseeing our cybersecurity posture, risk assessment, strategy and mitigation and for making recommendations to address and resolve any breaches or issues related to the protection or privacy of our data. Management (including our Chief Information Officer (“CIO”) and our CISO) reports at least quarterly to the Audit Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives intended to bolster our security systems and the cyber readiness of our personnel. The Audit Committee chair reports to the full Board on these risk discussions as appropriate. At least annually, the Board meets with members of our ERM team to review and discuss our ERM program, including areas of material risk and how these risks, which may include cybersecurity risk, are being managed and reported to the Board and its committees.

Management’s Role. Our ECS team is composed of several support teams that address and respond to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. Formerly known as our Information Security and Risk (“ISR”) team, the ECS team oversees compliance with our cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The ECS team also assists with the review and approval of policies, completes benchmarking against applicable standards, maintains a cyber risk register and oversees the security awareness program.

Our ECS team is led by our CISO. Our CISO reports to our CIO who, in turn, reports to our Executive Vice President and Chief Financial Officer. Our CISO has 24 years of experience in leading global security functions and strategies. Collectively, the other members of our ECS team have decades of relevant education and experience and maintain a wide range of industry certifications. We invest in regular, ongoing cybersecurity training for our ECS team.

As noted previously, our CISO is a member of the Council, which meets at least quarterly to provide operational direction to the ECS team considering the evolving risk landscape. The ECS team and the Council, through ongoing communication, monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO, in consultation with the Council and other members of senior management, reports such threats and incidents to the Audit Committee, as appropriate. These reports may be included in, or in addition to, his regular quarterly reports to the Audit Committee.