WESTERN DIGITAL CORP - (WDC)
10-K Filing Date: August 19, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
At Western Digital, our management team is charged with managing risk and bringing to our Board of Directors’ attention all material risk exposures to our company. Our enterprise risk management (“ERM”) process is designed to facilitate the identification, assessment, management, reporting and monitoring of material risks our company may face over the short-term and long-term and assure regular communication with our Board of Directors and its committees regarding these risks. Through our ERM process, we have determined that the compromise, damage or interruption of our technology infrastructure, information systems or products by cybersecurity incidents is a key risk to our company that may have a material negative impact on our business. To help mitigate the potential impact of cybersecurity incidents on our business and protect against cybersecurity threats, we have established organizational structures, procedural measures and response plans that define roles and responsibilities related to cybersecurity risk management.
Western Digital’s Information Security organization addresses cybersecurity risks with a broad spectrum of technologies, controls, and processes that focus on mitigating these risks. Our cybersecurity strategy is designed to be dynamic and adaptive to combat the rapidly evolving cybersecurity threat landscape and is influenced by commonly leveraged frameworks such as the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). Our program includes, but is not limited to, advanced systems and network security protocols, electronic communications protections, vulnerability management programs, least-privilege access controls, third-party risk management procedures, workforce education and training exercises, and compliance programs.
Our dedicated 24x7 Security Operations Center incorporates specialized systems and processes for handling security incidents into its regular work and operates a robust, modern security infrastructure with appropriate security sensors and event monitoring capabilities. Upon detection of a cybersecurity incident, the Security Operations Center determines the severity of the incident in accordance with a pre-established incident severity matrix, initiates the appropriate notification and escalation protocols and begins triage. Predefined severity tiers serve as a guide to match our response to each incident’s determined severity or risk level.
Additionally, we have established a Cyber Incident Response Plan that follows the structure of the Incident Handling Guide published by the U.S. National Institute of Standards and Technology (SP 800-61r2) and that serves as an operational guide for handling cybersecurity incidents at Western Digital. Our Cyber Incident Response Plan provides procedural and strategic guidance that is designed to be flexible enough to apply to a variety of different incidents, but also specific enough to provide guidelines for incident prevention, detection, analysis, escalation and notification, and containment, eradication and recovery.
As part of our ongoing information security program, Western Digital utilizes periodic independent third-party experts to conduct assessments of our program’s effectiveness. These experts are also leveraged to design and orchestrate tabletop exercises where multiple business functions and leadership levels must navigate complex incident scenarios to help determine our level of preparedness for various cybersecurity incidents.
As part of our business operations, Western Digital engages with a number of third parties, including, but not limited to, online software service providers, vendors, consultants, and partners. Each of these third parties must be cleared through a formal cybersecurity risk assessment process before being allowed to integrate with Western Digital’s information systems, access confidential data, or provide electronic services to members of our workforce. Additionally, further scrutiny is applied during the post-assessment onboarding process in order to fine-tune access rights and limit privileges to those necessary to enable the related service, resulting in a least-privilege level of access.
Western Digital has in the past experienced cybersecurity incidents of varying degrees involving our technology infrastructure and information systems, including incidents in which unauthorized parties have obtained access to our information systems and networks. While these incidents have at times resulted in some disruptions to our business operations, as of the date of this Annual Report on Form 10-K, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all such cybersecurity incidents or threats or that we will not experience such an incident in the future. Further details about the cybersecurity risks we face are described under “The compromise, damage or interruption of our technology infrastructure, information systems or products by cybersecurity incidents, data security breaches, other security problems, design defects, information system failures or other events could have a material negative impact on our business” in Part I, Item 1A, Risk Factors, of this Annual Report on Form 10-K.
Governance
Western Digital has implemented a governance framework related to cybersecurity that includes operational risk-mitigation practices and Board-level cybersecurity risk oversight.
Our management team is charged with managing cybersecurity risk and identifying material cybersecurity risk exposures to our company and carries out this function primarily through our Information Security organization, which is led by our Chief Information Security Officer who has a master’s degree in computer science, over a decade of information security leadership, and thirty years of combined IT leadership experience. Additionally, our Cyber Incident Response Plan discussed above calls for the establishment of a management Impact Assessment Committee, which consists of key leadership representatives from the organization and is convened on an ad hoc basis to assess the detailed business impact of a cybersecurity incident. The Impact Assessment Committee is led by our Chief Information Security Officer and includes key representatives from the Company’s functional groups, including human resources, ethics and compliance, labor, privacy, internal audit, finance, communications, legal, risk and accounting. The Impact Assessment Committee receives updates and communications from the Security Operations Center on a fixed cadence determined by incident severity and follows our pre-established escalation framework to communicate with and include executive leadership, outside counsel and the Board of Directors, as appropriate. The Impact Assessment Committee works with the Company’s internal and external legal counsel to determine and facilitate appropriate communications with the Board of Directors.
Our Board of Directors is responsible for overseeing the cybersecurity risk management process and exercises this risk oversight through both our full Board of Directors and its Audit Committee. Our Board of Directors has delegated to the Audit Committee the responsibility to oversee risks related to cybersecurity threats, and our Audit Committee Charter requires the Audit Committee to review and discuss with management the Company’s policies with respect to risk assessment and enterprise risk management and to review the risk exposure of the Company related to the Committee’s areas of responsibility, including with respect to cybersecurity. In carrying out this role, the Audit Committee meets with our Chief Information Security Officer regularly and receives at least quarterly reports on cybersecurity matters.
Additionally, at least annually, our Chief Audit Executive, who manages the day-to-day activities of our ERM program, reports to our Board of Directors on enterprise risk assessment under our ERM program, providing updates on key risks, status of mitigation efforts and residual risk trends, including an analysis of cybersecurity risks. Also at least annually, our Chief Information Security Officer reports to the full Board of Directors on cybersecurity matters related to or impacting our company and our business.