ALPHA & OMEGA SEMICONDUCTOR Ltd - (AOSL)

10-K Filing Date: August 23, 2024
Item 1C Cybersecurity
Risk Management and Strategy

We recognize the importance of managing cybersecurity threats and risks related to our business, and we have adopted a multi-faceted and proactive strategy to identify, evaluate, address, respond to and neutralize cybersecurity threats and attacks. We employ a combination of technical solutions, security policies and procedures, employee training programs, and regular security audits to enhance and fortify our defenses. We utilize advanced monitoring tools and anomaly detection systems to swiftly identify any suspicious activities or deviations from normal operation. Our security infrastructure includes firewalls, intrusion detection systems, encryption protocols, and access controls to protect our systems and data from unauthorized access or malicious attacks. In the event of a security incident, we have established incident response procedures to contain the threat, minimize the impact, and restore normal operations as quickly as possible. We also conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect our information systems that are vulnerable to such cybersecurity threats.

Our cybersecurity team plays a critical role in managing our cybersecurity risk. They oversee security controls and orchestrate our response to incidents on a day-to-day basis, including threats arising internally or from our vendors, suppliers or other third parties that we conduct business with. In addition, we have developed and implemented information security policies, standards, procedures and security guidelines that are based on industry standards, particularly the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Furthermore, we have implemented and maintained employee policies designed to reduce the risk of cyber-attacks and educate employees on protocol in the event of a potential cybersecurity incident.

We use third-party service providers in various functions throughout our business. We have implemented stringent processes to oversee and manage cybersecurity risk with these third parties, which include risk assessment activities, enforcement of policies to ensure compliance with current cybersecurity standards and monitoring activities, and periodic review of potential cyber breach announcements made by the third-party service providers.

Currently we are not aware of any risks from cybersecurity threats that have materially affected our business strategy, results of operations or financial condition or are reasonably likely to have a material effect. However, cyber-attacks are increasing in frequency, sophistication and intensity, and despite our ongoing efforts we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. Please refer to “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on the risks posed to us by cybersecurity threats.

Governance

Our management team, including our cybersecurity team, is responsible for day-to-day implementation, assessment, and management of our cybersecurity risk management processes. Our cybersecurity team includes our Vice President of Information Technology and Information Security Officer with a team of eight full-time information technology professionals and several outside security vendors to manage our information security program. Our Vice President of Information Technology and Information Security Officer have served in various roles in information technology and information security, and together they have over 55 years of experience in this field. The cybersecurity management team has primary responsibility for our overall cybersecurity risk management program, including monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents, and works in partnership with our other business leaders, including our Chief Executive Officer and Chief Financial Officer, as well as our Board of Directors.

Our Board of Directors (the “Board”) plays an active role in overseeing and managing the Company’s cybersecurity risks. The Audit Committee of the Board has established a Cybersecurity Subcommittee for the purpose of assessing, analyzing and managing the Company’s key cybersecurity and information technology risks, and to ensure that our systems are adequate to protect against security breaches and effectively safeguard the Company’s IT infrastructure, assets, intellectual property, and data. The roles and responsibilities of the Cybersecurity Subcommittee are determined, from time to time, by the Audit Committee. The Cybersecurity Subcommittee meets quarterly with our management team to discuss various matters relating to IT and cybersecurity risks, and our senior management team communicates and coordinates directly with the Cybersecurity Subcommittee in the event of any cybersecurity incident. The Cybersecurity Subcommittee is given the following responsibilities:

Oversight of policies, procedures, plans, and execution intended to provide security, confidentiality, availability, and integrity of the information;
Oversight of the quality and effectiveness of the Company’s policies and procedures with respect to its IT systems;
Review and oversight of policies and procedures of the Company in preparation for responding to cybersecurity incidents;
Oversight of risks related to IT systems and processes, including privacy, network security and data security, and any internal audits of such systems and processes;
Review and oversight of preparation of the Company’s public disclosures, including SEC filings, relating to the Company’s IT systems, including privacy, network security, and data security; and
Report to the Audit Committee and the Board of significant and material cybersecurity incidents.