|
Cyber Security
|12 Months Ended
Dec. 28, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
We rely heavily on information technology (IT) systems in all aspects of our operations, and data security plays an important role in the protection of our proprietary information and that of our customers and suppliers. For these reasons, we take a number of steps to protect Onto Innovation’s IT systems from internal and external cybersecurity threats.
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, and privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive cybersecurity reviews of systems and applications, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, utilize an expert third party to continuously monitor and respond to possible threats, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We regularly collaborate with leading security providers, industry groups, and industry peers to exchange information on trends and best practices to address new and evolving cybersecurity risks.
We have implemented incident response processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and review of an incident, 3) containment and remediation, and 4) post-incident review and analysis. Cybersecurity incident responses are managed by our Corporate Incident Response Team and overseen by our Vice President of IT.
Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.
We also conduct tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies.
As part of the above processes, we regularly engage external auditors and subject matter experts to assess our internal cybersecurity programs and compliance with applicable practices and standards. Since 2021, our Information Security Management System has been certified to conform to the requirements of ISO/IEC 27001:2013.
Our cybersecurity program also includes third-party assessments to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential risks when handling and/or processing our employee, business or customer data. In addition to new vendor onboarding, we perform risk assessments during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.
Our individual employees also play an important role in our information security systems. All employees are required to familiarize themselves with the Company’s information security policies and, at least annually, employees are required to participate in an information security training program, which is designed to help employees identify potential threats and train them on how to respond. Throughout the year, the IT department conducts phishing campaigns and other simulated hacking attacks with employees as a way of reminding them of their security obligations and ensuring that our SETA (security education and training awareness) program has been effective.
As of the date of this Form 10-K, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
For more information on the cybersecurity risks we face that could adversely impact us, please see “Part I, Item 1A - Risk Factors - If our network security measures are breached and unauthorized access is obtained to a customer’s data, to our data, or to our information technology systems, we may incur significant legal and financial exposure and liabilities and may experience disruptions in our operations”.
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, and privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive cybersecurity reviews of systems and applications, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, utilize an expert third party to continuously monitor and respond to possible threats, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We regularly collaborate with leading security providers, industry groups, and industry peers to exchange information on trends and best practices to address new and evolving cybersecurity risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
The Company’s Board of Directors has oversight of information security matters at the Company, including reviewing the Company’s cybersecurity practices. At least annually, the Vice President of IT presents the Company’s information security policies and programs to the Board. Our Audit Committee is tasked with overseeing risks from cybersecurity threats. Members of the Audit Committee receive updates on cybersecurity matters on a quarterly basis from one or more representatives from the Company’s Cyber Security Council (“CSC”), which is composed of our business unit general managers, other members of senior management, our Vice President of IT and our IT Security Manager. These updates include a discussion of existing and new cybersecurity risks (if any), updates on how management is addressing and/or mitigating those risks, and the status of information security initiatives. Other Board members also engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs outside of the scheduled meetings.
The CSC is also responsible for the executive level supervision of the Company’s cybersecurity risk, information security, and technology risk, as well as the IT department’s actions to identify, assess, mitigate, and remediate cyber related issues. The CSC receives regular quarterly reports from the Vice President of IT on the Company’s cybersecurity risk profile and enterprise cybersecurity program.
We have also established a process whereby potentially material cybersecurity incidents are escalated to a Cybersecurity Disclosure Committee (“CDC”) consisting of our CEO, CFO, Vice President and General Counsel, Vice President of IT and Corporate Controller. The CDC is tasked with evaluating whether such incidents have material impact on the Company, and thus require disclosure, as well as any other actions that may be appropriate in response to the incident. The CDC promptly notifies the Audit Committee if it determines that an incident is likely to have a material impact on the Company and updates the Audit Committee on a quarterly basis of any incidents that it has evaluated and determined were not material.
The Vice President of IT acts as our head of information security in leading our information security organization. Our Vice President of IT has over 25 years of industry experience leading large technology organizations, including, most recently, as the leader of the IT organization at a large privately held company. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at other technology companies.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s Board of Directors has oversight of information security matters at the Company, including reviewing the Company’s cybersecurity practices. At least annually, the Vice President of IT presents the Company’s information security policies and programs to the Board. Our Audit Committee is tasked with overseeing risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|At least annually, the Vice President of IT presents the Company’s information security policies and programs to the Board.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Vice President of IT acts as our head of information security in leading our information security organization. Our Vice President of IT has over 25 years of industry experience leading large technology organizations, including, most recently, as the leader of the IT organization at a large privately held company. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at other technology companies.