VIAVI SOLUTIONS INC. - (VIAV)

10-K Filing Date: August 15, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks to our Company associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader enterprise risk management program process, covering other Company risks. As part of this process our enterprise risk professionals consult with Company subject matter experts to gather information necessary to identify cybersecurity risks, and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk.

We have implemented a variety of cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess and manage such risks. Our approach includes: (1) an enterprise risk management program, which includes cybersecurity risks and is periodically refreshed; (2) security and privacy reviews designed to identify risks from many new features, software, and vendors; (3) a variety of privacy, cybersecurity, and incident response trainings and simulations, including regular phishing email simulations for all employees and contractors with access to corporate email systems; (4) tools designed to monitor our networks, systems and data for suspicious activity; (5) the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; and (6) a third-party risk management process for cybersecurity threat risks associated with our use of third-party service providers, including service providers, suppliers, and vendors. We leverage industry standard security frameworks, including from the National Institute of Standards and Technology and the International Organization for Standardization, to evaluate our security controls and manage risk. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident.

Our Incident Response Plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The incident response team assesses the severity and priority of incidents on a rolling basis. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response processes define the steps to disclose such a material cybersecurity incident. Further, we conduct tabletop exercises to test and fortify the controls of our cybersecurity incident response program.

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Please see the risk factor “Our business and operations could be adversely impacted in the event of a failure of information technology infrastructure.” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosure is incorporated by reference herein.

In the last three fiscal years, we have not experienced any material information security breach incidents and the expenses we have incurred from information security breach incidents were immaterial. This includes penalties and settlements, of which there were none.

Governance

Our Board of Directors (the Board) considers risks from cybersecurity threats as part of its risk oversight function and has delegated to the Audit Committee of the Board oversight of cybersecurity and other information technology risks. As set forth in its charter, our Audit Committee, comprised fully of independent directors, is responsible for oversight of risk, including cybersecurity and information security risk. Our Audit Committee has established a Cybersecurity Steering Committee consisting of three independent directors, Laura Black (who serves as Chair of the Cybersecurity Steering Committee), Douglas Gilstrap and Joanne Solomon, as well as our Chief Information Officer (CIO), our Chief Information Security Officer (CISO) and other members of our management representing a variety of teams and functions including legal, finance, and internal audit. Members of our Cybersecurity Steering Committee have work experience managing cybersecurity and information security risks, an understanding of the cybersecurity threat landscape and/or knowledge of emerging privacy risks.

The purpose of the Cybersecurity Steering Committee is to oversee our compliance with reasonable and appropriate organizational, physical, administrative and technical measures designed to protect the confidentiality, integrity, availability, security and operations of our information technology systems, transactions, and data owned by us, by providing guidance and oversight of our information technology and cybersecurity program.

The Cybersecurity Steering Committee generally meets on a quarterly basis and receives reports from the CISO and CIO of our cybersecurity and information security risk management and strategies, covering topics such as data security posture, results from third-party assessments, progress towards key initiatives, our incident response plan, and cybersecurity threat risks, incidents and developments. The Cybersecurity Steering Committee generally delivers reports and updates to the Audit Committee once a quarter.

The Audit Committee or, at the Audit Committee’s instruction, the Cybersecurity Steering Committee regularly briefs the full Board on these matters, and the Board receives regular updates on the status of the information security program, including but not limited to relevant cyber threats, roadmap and key initiative updates, and the identification and management of information security risks. Our full Board reviews cybersecurity related opportunities as they relate to our business strategy, and cybersecurity-related matters are also factored into business continuity planning. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Audit Committee.

Our CISO, in coordination with our CIO and our Information Security team, is responsible for assessing and managing our material risks from cybersecurity threats and has primary responsibility for our overall cybersecurity risk management program and for supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CISO has more than 9 years of experience in cybersecurity and information technology risk management, including at another large public company. He also has a degree in computer science. Our CIO has over 15 years of information technology experience, which includes managing information security systems, developing cybersecurity strategy and implementing effective information and cybersecurity programs.

Our CISO and CIO supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports produced by security tools deployed in the IT environment, such as vulnerability assessments, penetration testing, and tabletop exercises.