AEHR TEST SYSTEMS - (AEHR)

10-K Filing Date: July 30, 2024
ITEM 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We have established processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. To prevent, detect and respond to information security threats, we maintain a cyber risk management program that employs the Cyber Security Framework (“CSF”) in accordance with the National Institute of Standards and Technology (“NIST”) security framework. CSF is a set of voluntary guidelines that help organizations assess and improve their cybersecurity posture by implementing processes for identifying and mitigating risk, and for detecting, responding to and recovering from cyberattacks.

We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards.

Our Security Awareness Program includes training that reinforces our information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect the Company’s resources and information. This training is mandatory for all employees on a periodic basis, and it is supplemented by Company-wide testing initiatives.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and others who have access to our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – We are exposed to cybersecurity threats or incidents.”

Cybersecurity Governance

One of the key functions of our Board of Directors is informed oversight of our risk management processes, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee of the Board of Directors (the “Audit Committee”). The Audit Committee has primary responsibility for oversight of information security risks, including fraud, vendor, data protection and privacy, business continuity and resilience, and cybersecurity risks, and provides regular updates to the Board of Directors on such matters. The Audit Committee receives regular reports from our Chief Operating Officer on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. Information security risk is a significant oversight focus area for the Audit Committee, as well as the entire Board of Directors. Over the course of fiscal year 2024, the Audit Committee received four separate cybersecurity briefings from our Chief Operating Officer.

Our Chief Operating Officer is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Chief Operating Officer, who leads a team responsible for enterprise-wide cybersecurity strategy, policy, standards, architecture and processes, has extensive experience and background in information technology, cybersecurity, enterprise strategy, and risk management. Additionally, our Chief Operating Officer chairs our Cybersecurity Incident Response Team, which is responsible for the prevention, identification, containment, eradication and remediation of cybersecurity incidents.