Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Axcelis implements an enterprise risk management (“ERM”) process in which management annually identifies and reviews the principal risks to which the Company’s business is subject, rating each risk in terms of likelihood of occurrence and severity of impact. Risks that have either a high likelihood or a high potential impact on our business are assessed quarterly with respect to the trend (an increasing or decreasing risk) and whether additional mitigation actions are needed. These quarterly risk assessments are shared with our Board of Directors, with the Audit Committee reviewing any changes in risk identification or ranking on an annual basis.

Cybersecurity risks are integrated into our overall ERM, and our Chief Information Officer assesses the trends and need for additional mitigations on a quarterly basis. Our main concerns are (i) the unauthorized exfiltration of personal information pertaining to Axcelis employees, (ii) the unauthorized exfiltration of confidential business or technical information, and (iii) an inability to use our business systems for a period of time following a cybersecurity event.

Management has adopted a Cybersecurity Incident Response plan which lays out the roles of IT personnel, senior leadership, and legal resources in responding to a cybersecurity incident. This plan is shared with our Board of Directors and reviewed annually. These risks could materially impact the business of the Company. To date, the Company has not experienced a material cybersecurity incident.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Cybersecurity risks are integrated into our overall ERM, and our Chief Information Officer assesses the trends and need for additional mitigations on a quarterly basis. Our main concerns are (i) the unauthorized exfiltration of personal information pertaining to Axcelis employees, (ii) the unauthorized exfiltration of confidential business or technical information, and (iii) an inability to use our business systems for a period of time following a cybersecurity event.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

To implement risk management and protective strategies, management implements a “Layered Security Strategy” that aligns with the National Institute of Standards and Technology Cybersecurity Framework. We consider the various factors that can play a role in the occurrence of a cybersecurity incident, such as:

Unauthorized system access
User errors
Undetected system vulnerabilities
Mobile device risks
Vulnerabilities in software applications and specific hardware
Third party cybersecurity risks
Insider threats

Management has implemented specific mitigation strategies for each of these factors, such as (i) user training to avoid fraud and other scams, (ii) utilizing multi-factor authentication processes for system access, (iii) engaging in vulnerability scanning applications, (iv) upgrading software and hardware to those with the greatest security protections, and (v) ensuring third parties to whom sensitive information is provided have appropriate security. Management has also developed a vendor assessment form to evaluate potential “Software as a Service” providers, which is incorporated in the Company’s RFP processes. The Company routinely obtains and reviews SOC 2 reports from third parties who have access to the Company’s information, some of which are part of management’s internal controls over financial reporting. The Company accesses cybersecurity consultants and legal counsel to assist in the identification of vulnerabilities and advise on appropriate mitigation and preparedness actions.

Overall, we devote resources to network security, data encryption, employee training and other measures to protect our systems and data from unauthorized access or misuse. This includes the emerging need to protect our data from the unauthorized incorporation in large language models or other artificial intelligence systems. The Audit Committee and full Board of Directors receive quarterly reports on cybersecurity risks and annual reports on management initiatives to promote cybersecurity.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] These quarterly risk assessments are shared with our Board of Directors, with the Audit Committee reviewing any changes in risk identification or ranking on an annual basis.
Cybersecurity Risk Role of Management [Text Block]

To implement risk management and protective strategies, management implements a “Layered Security Strategy” that aligns with the National Institute of Standards and Technology Cybersecurity Framework. We consider the various factors that can play a role in the occurrence of a cybersecurity incident, such as:

Unauthorized system access
User errors
Undetected system vulnerabilities
Mobile device risks
Vulnerabilities in software applications and specific hardware
Third party cybersecurity risks
Insider threats

Management has implemented specific mitigation strategies for each of these factors, such as (i) user training to avoid fraud and other scams, (ii) utilizing multi-factor authentication processes for system access, (iii) engaging in vulnerability scanning applications, (iv) upgrading software and hardware to those with the greatest security protections, and (v) ensuring third parties to whom sensitive information is provided have appropriate security. Management has also developed a vendor assessment form to evaluate potential “Software as a Service” providers, which is incorporated in the Company’s RFP processes. The Company routinely obtains and reviews SOC 2 reports from third parties who have access to the Company’s information, some of which are part of management’s internal controls over financial reporting. The Company accesses cybersecurity consultants and legal counsel to assist in the identification of vulnerabilities and advise on appropriate mitigation and preparedness actions.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Officer
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Company routinely obtains and reviews SOC 2 reports from third parties who have access to the Company’s information, some of which are part of management’s internal controls over financial reporting.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true