AMBARELLA INC - (AMBA)

10-K Filing Date: March 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats. We have designed and implemented an Incident Response Plan for cybersecurity and related processes that are overseen by our IT and management team. Our information security management system is ISO 27001 certified. In addition, our cybersecurity program leverages industry frameworks, including certain of those established by the National Institute of Standards and Technology (NIST).

We regularly assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect our information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing procedures, systems, and safeguards in place to manage such risks. Our cybersecurity risk management program is integrated into our overall risk management scheme by seeking to identify and mitigate those cybersecurity threats that are more likely to lead to a material impact on our business.

 

Our cybersecurity risk management program also seeks to manage cybersecurity risks associated with our use of third-party service providers through risk assessments and contractual obligations on such service providers.

Our IT management team, with oversight from our Board of Directors and Nominating and Corporate Governance Committee as well as members of our management team, including our Chief Operating Officer, Chief Financial Officer and General Counsel, is primarily responsible for assessing and managing our material risks from cybersecurity threats.

We also engage consultants or other third parties in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards.

 

Governance

 

Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated to the Nominating and Corporate Governance Committee oversight of cybersecurity matters and other policies and internal controls regarding information security risks. The Nominating and Corporate Governance Committee oversees management’s implementation of our cybersecurity risk management program.

The Board of Directors and the Nominating and Corporate Governance Committee receive presentations and reports on cybersecurity, which address a range of topics including recent developments, evolving standards, the threat environment, cybersecurity systems testing and vulnerability assessments, and the Company’s practices and policies to manage risks. Management reports to the Nominating and Corporate Governance Committee on cybersecurity matters and material risks, if any, from cybersecurity threats. Our Nominating and Corporate Governance Committee provides updates to the Board of Directors on such reports. The Nominating and Corporate Governance Committee also receives notice of any significant cybersecurity incidents, as well as ongoing updates regarding any such incident until it has been addressed.

 

Our management team, including our IT management team, is responsible for day-to-day implementation, assessment, and management of our cybersecurity risk assessment and management processes. The IT management team has primary responsibility for our overall cybersecurity risk management program, including monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents, and works in partnership with our other business leaders, including our Chief Operating Officer, Chief Financial Officer and General Counsel. Our IT management team supervises both our internal cybersecurity personnel and any retained external cybersecurity consultants. Our Senior Director of IT has served in various roles in information technology and information security for over 25 years.

 

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to a team of business leaders, including, but not limited to, our Chief Operating Officer, Chief Financial Officer and General Counsel. This team of business leaders works with our incident response team to help determine the severity of the impact of a cybersecurity incident, as well as to help mitigate and remediate cybersecurity incidents of which they are notified.

As part of our overall risk management system, we provide periodic mandatory training for personnel regarding cybersecurity threats as a means to equip our employees with information and tools to address cybersecurity threats, and to communicate our information security policies, processes and practices. We also perform periodic email phishing tests to evaluate and maintain cybersecurity awareness among our employees.

As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, its business strategy, results of operations or financial condition. As cybersecurity threats become more sophisticated, it is reasonably likely that we will be required to expend greater resources to continue to modify and enhance our protective measures. For additional information concerning risks related to cybersecurity, see Item 1A of this report, “Risk Factors – Risks Related to Our Business and Our Industry – A breach of our security systems may have a material adverse effect on our business.”
