Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Mar. 31, 2026
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

We define cyber risk governance as a program of measures designed to protect our IT assets and information from unauthorized access, attacks or service disruptions. Our risk governance processes are designed and managed by our IT Shared Services (ITSS) team, led by our Chief Information Security Officer (CISO). Cybersecurity and data protection remain critical components of our long-term business strategy given the importance of securely processing, maintaining, and transmitting sensitive data relating to our business, employees, customers, suppliers, and partners.

We use a risk-based approach to assess, identify, and manage cybersecurity threats, including those arising from evolving technologies such as artificial intelligence (AI), expanding cloud infrastructure, and increasingly complex threat actor capabilities. Key areas of our cybersecurity risk management processes and strategy include:

Processes and Coordination

We manage cybersecurity and assess associated risks in these ways:
ITSS, led by our CISO, has primary responsibility for cybersecurity risk management, and coordinates efforts, priorities and oversight of cybersecurity risk across the Company;
ITSS works with cross-functional groups, such as manufacturing, business operations, engineering, human resources, legal, and finance to evaluate enterprise-wide cybersecurity risk, and to advise senior management and the Audit Committee regarding our cybersecurity risk profile and priorities as they evolve;
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes; and
Our Internal Audit group monitors key IT systems controls that are integrated into our larger Sarbanes-Oxley control environment and compliance framework.

Ongoing Evaluation and Assessment of Systems and Processes

We take steps to monitor evolving regulatory, industry and legal requirements and best practices relating to cyber risk mitigation, and we employ standards and frameworks that we deem appropriate to address identified risks. In addition to periodic in-depth evaluations of our applicable systems and processes, we monitor our IT systems and processes on an ongoing basis with the goal of identifying and remediating real and potential threats as they arise. We adjust our systems, procedures, and policies as we deem necessary and in response to identified threats and risks. For example, our cybersecurity program includes:

Continuous monitoring of IT systems and threat activity, including 24x7 security operations center (SOC) support and third-party threat detection capabilities.
Endpoint detection, response and isolation, vulnerability scanning, patch management, and network segmentation.
Increasing frequency of vulnerability management and of patching cycles for critical systems.
Identity-based access controls to restrict system access and require user multifactor authentication.

Security Awareness Program to Train and Test Personnel

We sponsor a multi-faceted security awareness program that includes regular, mandatory trainings for our personnel on best practices for cyber-hygiene including: proper use of multifactor authentication and single sign-on use for cloud applications; ways to identify social engineering techniques, policy and process awareness, periodic phishing simulations and other preparedness testing; and an increased focus on emerging threats, such as AI-enabled social engineering and credential misuse.

Cyber Incident Response Plan

We maintain a cross-functional cyber incident response plan that defines escalation protocols, roles and responsibilities. Our plan focuses on responding to, identifying the severity levels of, and recovering from a breach as well as mitigating any impact to our business. Generally, when a suspected breach is identified, the ITSS team will escalate the issue to the personnel identified in the plan for initial analysis and guidance. In the event of an actual breach, the CISO will prepare an initial assessment and consult with our general counsel (GC) and our Chief Financial Officer (CFO). Together, our GC, CFO and CISO will consult with other executives, including our Chief Executive Officer and our Chief Operating Officer, to determine the incident’s impact to our business. This management group (in consultation with outside experts) will be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any public or regulatory reporting, or third-party notification requirements.

Regular Evaluation of Initiatives, Results and Priorities

The ITSS team, in consultation with members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint, results of recent ITSS initiatives, and developments in the cybersecurity threat landscape. On an annual basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the performance of cyber risk key performance indicators (KPIs), cyber risks, staffing and key ITSS initiatives. On a quarterly basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the KPIs and any changes to our cyber risk mitigation efforts, and any cyber breaches that may have occurred. Feedback from the Audit Committee and senior management assists us in determining whether any further changes to our existing policies and practices are warranted. We expect that our cybersecurity risk management processes and strategy will continue to adapt as the cybersecurity threat landscape evolves. We engage third parties to assist us with our cybersecurity risk management and strategy. Some of these third parties provide us with ongoing assistance (such as threat monitoring, penetration testing, mitigation strategies, updates on emerging trends and developments and policy guidance) while others provide targeted assistance (such as security and forensic expertise) as needed.

Review of Third Parties

There are cybersecurity risks associated with using third party platforms, sharing information with third parties, and with allowing third parties to access our systems. For example, prior to integrating third-party platforms into our systems (e.g., cloud providers, AI-enabled tools), we have processes in place to assess their security maturity against our standards, assess business risks associated with integration and request changes as we deem necessary.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We use a risk-based approach to assess, identify, and manage cybersecurity threats, including those arising from evolving technologies such as artificial intelligence (AI), expanding cloud infrastructure, and increasingly complex threat actor capabilities. Key areas of our cybersecurity risk management processes and strategy include:

Processes and Coordination

We manage cybersecurity and assess associated risks in these ways:
ITSS, led by our CISO, has primary responsibility for cybersecurity risk management, and coordinates efforts, priorities and oversight of cybersecurity risk across the Company;
ITSS works with cross-functional groups, such as manufacturing, business operations, engineering, human resources, legal, and finance to evaluate enterprise-wide cybersecurity risk, and to advise senior management and the Audit Committee regarding our cybersecurity risk profile and priorities as they evolve;
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes; and
Our Internal Audit group monitors key IT systems controls that are integrated into our larger Sarbanes-Oxley control environment and compliance framework.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Governance

Under our overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while our Board and its Audit Committee play an active, ongoing oversight role.

Continuous Improvement and Strategic Priorities

We regularly update our cybersecurity strategy based on evolving threats, regulatory requirements, and business needs. Current priorities include:

Enhancing our cybersecurity governance framework by developing and implementing an Information Security Management System (ISMS) in a phased manner that aligns with ISO 27001 standards.
Upgrading legacy environments to promote effective security controls.
Enhancing information protection practices and cultural awareness around data sensitivity.
Strengthening security of public-facing systems and reducing external attack surface.
Expanding AI-driven defensive capabilities for the day-to-day threat detection and response automation.

Board Oversight

Our Board has delegated to its Audit Committee specific, first-line responsibility for overseeing major cybersecurity risk exposures in addition to our broader enterprise risk management program. Specifically, under its charter, the Audit Committee is responsible for overseeing and monitoring enterprise risk management, privacy, cybersecurity and data security matters, including the potential impact of those exposures on Microchip’s business, financial results, operations and reputation, and the steps management has taken to monitor and mitigate such exposures. The CISO reports at least quarterly to the Audit Committee on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cyber threats and the status of initiatives designed to bolster our security systems. Our full Board is typically in attendance at these presentations made to the Audit Committee. At least annually, the Board meets with members of our senior management team to review and discuss our enterprise risk management program, including areas of material risk and how these risks, which may include cybersecurity risk, are being managed and reported to the Board and its committees.

Management’s Role

Our ITSS team is led by our CISO, who reports to our Executive Vice President and Chief Financial Officer. Our CISO is a former CPA that has 36 years of experience in leading global accounting and business information systems groups including strategy, applications, infrastructure, information security, support, and execution.

Digital security at Microchip is the primary responsibility of our ITSS team. Our ITSS team is responsible for infrastructure services and business continuity as it relates to digital information. The ITSS team oversees compliance with our cybersecurity framework within our Company and facilitates cybersecurity risk management activities. The ITSS team also assists with the review and approval of policies, completes benchmarking against applicable standards and oversees the security awareness training program. ITSS works to address and respond to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. Collectively, ITSS has decades of relevant education and experience and maintains a wide range of industry certifications. We invest in regular, ongoing cybersecurity and architecture training for our team members.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] overall risk management governance structure, management is responsible for the day-to-day management of cybersecurity risk while our Board and its Audit Committee play an active, ongoing oversight role. Continuous Improvement and Strategic Priorities
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Cyber Incident Response Plan

We maintain a cross-functional cyber incident response plan that defines escalation protocols, roles and responsibilities. Our plan focuses on responding to, identifying the severity levels of, and recovering from a breach as well as mitigating any impact to our business. Generally, when a suspected breach is identified, the ITSS team will escalate the issue to the personnel identified in the plan for initial analysis and guidance. In the event of an actual breach, the CISO will prepare an initial assessment and consult with our general counsel (GC) and our Chief Financial Officer (CFO). Together, our GC, CFO and CISO will consult with other executives, including our Chief Executive Officer and our Chief Operating Officer, to determine the incident’s impact to our business. This management group (in consultation with outside experts) will be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any public or regulatory reporting, or third-party notification requirements.

Regular Evaluation of Initiatives, Results and Priorities
The ITSS team, in consultation with members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint, results of recent ITSS initiatives, and developments in the cybersecurity threat landscape. On an annual basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the performance of cyber risk key performance indicators (KPIs), cyber risks, staffing and key ITSS initiatives. On a quarterly basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the KPIs and any changes to our cyber risk mitigation efforts, and any cyber breaches that may have occurred. Feedback from the Audit Committee and senior management assists us in determining whether any further changes to our existing policies and practices are warranted. We expect that our cybersecurity risk management processes and strategy will continue to adapt as the cybersecurity threat landscape evolves. We engage third parties to assist us with our cybersecurity risk management and strategy. Some of these third parties provide us with ongoing assistance (such as threat monitoring, penetration testing, mitigation strategies, updates on emerging trends and developments and policy guidance) while others provide targeted assistance (such as security and forensic expertise) as needed.
Cybersecurity Risk Role of Management [Text Block]
Our ITSS team is led by our CISO, who reports to our Executive Vice President and Chief Financial Officer. Our CISO is a former CPA that has 36 years of experience in leading global accounting and business information systems groups including strategy, applications, infrastructure, information security, support, and execution.

Digital security at Microchip is the primary responsibility of our ITSS team. Our ITSS team is responsible for infrastructure services and business continuity as it relates to digital information. The ITSS team oversees compliance with our cybersecurity framework within our Company and facilitates cybersecurity risk management activities. The ITSS team also assists with the review and approval of policies, completes benchmarking against applicable standards and oversees the security awareness training program. ITSS works to address and respond to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. Collectively, ITSS has decades of relevant education and experience and maintains a wide range of industry certifications. We invest in regular, ongoing cybersecurity and architecture training for our team members.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our ITSS team is led by our CISO, who reports to our Executive Vice President and Chief Financial Officer. Our CISO is a former CPA that has 36 years of experience in leading global accounting and business information systems groups including strategy, applications, infrastructure, information security, support, and execution.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO is a former CPA that has 36 years of experience in leading global accounting and business information systems groups including strategy, applications, infrastructure, information security, support, and execution.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Cyber Incident Response Plan

We maintain a cross-functional cyber incident response plan that defines escalation protocols, roles and responsibilities. Our plan focuses on responding to, identifying the severity levels of, and recovering from a breach as well as mitigating any impact to our business. Generally, when a suspected breach is identified, the ITSS team will escalate the issue to the personnel identified in the plan for initial analysis and guidance. In the event of an actual breach, the CISO will prepare an initial assessment and consult with our general counsel (GC) and our Chief Financial Officer (CFO). Together, our GC, CFO and CISO will consult with other executives, including our Chief Executive Officer and our Chief Operating Officer, to determine the incident’s impact to our business. This management group (in consultation with outside experts) will be responsible for determining whether a particular incident (alone or in combination with other factors) triggers any public or regulatory reporting, or third-party notification requirements.

Regular Evaluation of Initiatives, Results and Priorities
The ITSS team, in consultation with members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint, results of recent ITSS initiatives, and developments in the cybersecurity threat landscape. On an annual basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the performance of cyber risk key performance indicators (KPIs), cyber risks, staffing and key ITSS initiatives. On a quarterly basis the CISO updates the Audit Committee (generally with all other Board members in attendance) on the KPIs and any changes to our cyber risk mitigation efforts, and any cyber breaches that may have occurred. Feedback from the Audit Committee and senior management assists us in determining whether any further changes to our existing policies and practices are warranted. We expect that our cybersecurity risk management processes and strategy will continue to adapt as the cybersecurity threat landscape evolves. We engage third parties to assist us with our cybersecurity risk management and strategy. Some of these third parties provide us with ongoing assistance (such as threat monitoring, penetration testing, mitigation strategies, updates on emerging trends and developments and policy guidance) while others provide targeted assistance (such as security and forensic expertise) as needed.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true