WOLFSPEED, INC. - (WOLF)
10-K Filing Date: August 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We maintain a cyber risk management program designed to identify, assess, manage, mitigate and respond to cybersecurity threats. The program aligns with Wolfspeed's Enterprise Risk Management (ERM) program and addresses information technology and business environments. Our cyber risk management program is designed based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and we aim to incorporate industry best practices throughout.
Our Information Security (InfoSec) Governance, Risk and Compliance (GRC) organization leverages multiple methods and overlapping capabilities to protect the confidentiality, integrity and availability of our data, information and intellectual property. Assessments of Wolfspeed's cyber program are conducted by internal audit and third-party information and cyber experts to monitor the effectiveness and maturity level of Wolfspeed's cybersecurity program.
Cybersecurity tabletop exercises and event simulations are conducted with management, incorporating external resources and advisors, to test our ability and preparedness to respond to cyber threats and identify any areas of weakness. The program, standard operating procedures and supporting tools for determining thresholds for materiality are incorporated as a key component of the incident response program and related activities.
All employees are required to complete cybersecurity training semiannually, with additional on-demand training and phishing campaigns offered throughout the year. InfoSec GRC’s approach to cybersecurity is structured to align with Wolfspeed’s business goals, objectives and regulatory requirements and covers all company locations, globally.
Engagement of Third Parties
Given the complex and quickly evolving nature of cybersecurity threats, we engage third-party advisors to assist our team in developing and maintaining effective cybersecurity risk management. Partnering with external entities allows us to leverage specialized knowledge and insights, better ensuring our cybersecurity strategies and processes are well-designed and effective. For example, in 2023 we engaged a global cybersecurity leader to conduct an external assessment of our Information Security program, which included consideration of the cybersecurity framework, organizational structure and collective capabilities.
Oversight of Third-party Risk
As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits and ongoing risk assessments. Our cybersecurity risk management extends to risks associated with our use of third-party service providers. For example, we conduct security risk assessments of third-party providers that request or require access to our digital and information assets.
As of the date of this Annual Report, we have not identified a material cyber incident that would have a material impact on our business, results of operations, or financial condition; however, the occurrence or scope of such events is not always immediately apparent and there can be no assurance that we will not suffer a material cyber incident in the future. Refer to Item 1A "Risk Factors" of this Annual Report for further discussion on cybersecurity risks.
Governance
The board of directors, as a whole, has oversight responsibility for our strategic and operational risks. The audit committee assists the board of directors with this responsibility by reviewing and discussing our risk program and practices, including cybersecurity risks, with members of senior leadership and management. In turn, the audit committee periodically reports on its review to the full board of directors.
Our Chief Information Officer (CIO) meets at a regular cadence with a member of the board of directors who is the board’s cybersecurity designee. The CIO also briefs the audit committee on the effectiveness of Wolfspeed's cyber risk management program quarterly or in accordance with significant events. In addition, the board of directors is advised by our CIO on Wolfspeed's cybersecurity risk exposures and steps taken to monitor and mitigate cybersecurity risks.
Wolfspeed’s Senior Director of Information Security leads our InfoSec GRC organization and is responsible for the implementation, operation, and monitoring of our cybersecurity risk management program. Our Senior Director of Information Security reports to the CIO, who reports to the Executive Vice President, Chief Financial Officer. The Senior Director of Information Security has over 16 years of experience in the cybersecurity space and has completed advanced training in the fields of cybersecurity and technology.
Responsible for assessing and managing our cyber risk management program, the InfoSec GRC organization is comprised of multiple teams that address and respond to cyber risk related to identification and access management, data protection, security architecture and engineering, security operations, insider threat, and cyber defense. The InfoSec GRC oversees compliance with our cybersecurity framework, including benchmarking, within the organization and facilitates cybersecurity risk management activities. The InfoSec GRC teams also oversee the review and approval process of policies and the security awareness program. Each team reports directly to the Senior Director of Information Security who is responsible for informing the CIO, information technology leadership and senior leadership teams on the prevention, detection, mitigation, and remediation of the program, including cybersecurity incidents.