Micron security committee

Charter of the Security Committee of the Board of Directors of Micron Technology, Inc


1. Purpose

The purpose of the Security Committee (the “Committee”) of the Board of Directors (the “Board”) of Micron Technology, Inc. (the “Company”) is to assist the Board with fulfilling its oversight responsibility with respect to the Company’s security of personnel, facilities, information infrastructure and all company information, including, but not limited to, data governance, privacy, compliance, cybersecurity, and oversight of associated risks and other tasks related to the Company’s security functions as the Board may delegate to the Committee from time to time.


2. Membership, Qualifications, and Compensation

2.01. Appointment. Committee members shall be appointed by and serve at the discretion of the Board. The Committee shall consist of at least two members of the Board. Members of the Committee shall meet the criteria of this Section 2.

2.02. Independence. At least a majority of Committee members shall be “independent” as defined in the listing standards of NASDAQ, as in effect from time to time.

2.03. Qualification. Each member shall have experience in the judgment of the Board that would be useful in addressing matters delegated to the Committee.

2.04. Committee Compensation. The fees and other compensation, if any, paid to members of the Committee shall be determined by the Board in its sole discretion.


3. Committee Chair

Unless the Board elects the Committee Chair, the members of the Committee shall designate a Chair by the majority vote of the full Committee membership.


4. Duties and Responsibilities

In order to carry out the purpose described above, the Committee shall undertake those specific duties and responsibilities listed below and such other duties as the Board may from time to time prescribe, unless otherwise noted below.

4.01. Duties regarding Certain Security Matters. Management of the Company has responsibility to manage the Company’s security practices, procedures and controls. The Committee has an oversight role, and in fulfilling that role, may rely on reviews and reports provided by management and the Committee’s advisors. In performing its oversight responsibilities, the Committee shall:

4.01.01.  Risk Oversight. Review and discuss with management (i) the Company’s policies, plans, metrics, and programs relating to the physical security of the Company’s facilities and employees as well as enterprise cybersecurity and data protection risks associated with the Company’s security-related infrastructure and related operations and (ii) the effectiveness of the Company’s programs and practices for identifying, assessing, prioritizing and mitigating such risks across the Company’s business operations;

4.01.02.  Preparedness. Review and discuss with management the Company’s cyber crisis preparedness, security breach and incident response plans, escalation protocols and communication plans, and disaster recovery and business continuity capabilities with respect to the foregoing;

4.01.03.  Oversight of Safeguards and Incidents. Review and discuss with management the safeguards used to protect the confidentiality, integrity, availability, safety, and resiliency of the Company’s employees, facilities, intellectual property, confidential information, and business operations, and review and discuss with management any significant security incidents, including reports to or from regulators, the effectiveness of safeguards, and steps taken to mitigate against reoccurrence;

4.01.04.  Compliance Oversight. Receive reports from management on the Company’s compliance with applicable information security and data protection laws and industry standards, new or updated legal implications of security, data privacy, and/or other regulatory or compliance risks to the Company or the Company’s employees, facilities, and business operations, significant relevant legislative and regulatory developments, and the threat landscape facing the Company and the Company’s business operations;

4.01.05.  Strategic Oversight. Review and advise on the Company’s physical and cybersecurity strategy, crisis or incident management, and security-related information technology planning processes, and review the strategy for investing in the Company’s security systems with the Company’s Chief Information Officer and Chief Security Officer;

4.01.06.  Public Disclosure. Review and discuss with management the Company’s public disclosures, including in its reports filed with the Securities and Exchange Commission, relating to the Company’s security of its employees, facilities, and information technology systems, including privacy, network security, and data security;

4.01.07.  Outside Partners. Review and discuss with management the cybersecurity risks associated with the Company’s outside partners and other third-party service providers that have access to Company data (such as vendors, suppliers, operations partners, etc.), as well as policies and procedures to identify and mitigate such risks; and

4.01.08.  Other Relevant Matters. Review, discuss with management and advise, as appropriate, on other matters as the Committee Chair or other members of the Committee determine relevant to the Committee’s oversight of the Company’s security of employees, facilities, and information technology protection, including management’s programs regarding risk identification, assessment, prioritization, mitigation and management.

4.02. Recommendations to Board. Submit for approval recommendations to the Board with respect to any activities within the scope of the Committee’s duties set forth in this Charter that require approval of the Board.

4.03. Other Duties. Carry out such other activities within the scope of the Committee’s purpose or as the Board may from time to time delegate to it.

4.04. Delegation of Board Authority to Committee. The Board may periodically authorize the Committee to have a level of approval authority for all or certain activities within the scope of the Committee’s duties set forth in this Charter and with respect to such activities the Committee shall have the same powers and rights as the Board to authorize and approve such activities up to such level of approval authority. With respect to activities exceeding any such level of approval authority of the Committee, the Committee shall submit for approval recommendations to the Board.

4.05. Access. The Committee shall enjoy full access t the Company’s officers, employees, books, records and facilities as may be appropriate or necessary to carry out its responsibilities, subject to reasonable advance notice to the Company and reasonable efforts to avoid disruption to the Company’s management, business and operations. To avoid disruption, such requests for access shall be coordinated through the Committee Chair.

4.06. Consultants and Advisors. The Committee shall have authority to obtain advice and assistance from internal or external legal, accounting, cybersecurity, forensics, technology and such other consultants or advisors, as deemed appropriate by the Committee, for the purpose of completing its duties hereunder. The Committee will review the Company’s third-party audit plan and results of reviews conducted by management on an annual basis.

4.07. Investigations. The Committee shall have authority to conduct or authorize investigations into any matter within the scope of the duties and responsibilities delegated to the Committee as it deems appropriate.

4.08. Reports. The Committee shall report regularly to the Board the Committee’s activities, evaluations and recommendations, as may be appropriate and as are consistent with this Charter.

4.09. Authority to Delegate to Subcommittee. The Committee shall have authority to delegate any of its responsibilities to a subcommittee or subcommittees as it may deem appropriate in its judgment. The subcommittee(s) shall be subject to this Charter.


5. Meetings

5.01. Meeting Attendance and Invitees. All non-management directors that are not members of the Committee may attend meetings of the Committee but may not vote. Additionally, the Committee may invite to its meetings any director, officer of the Company and such other persons as it deems appropriate in order to carry out its responsibilities. The Committee may also exclude from its meetings any persons, other than Committee members, it deems appropriate in order to carry out its responsibilities.

5.02. Meetings. The Committee shall meet with such frequency and at such intervals as it shall determine necessary to carry out its duties and responsibilities, but in any case not less than four times per year (generally once each quarter). The Committee may establish its own schedule, which it will provide annually to the Board in advance. The Committee Chair or a majority of the Committee members may call meetings of the Committee. Meetings of the Committee may be held telephonically and/or by videoconference. Meetings will be held in a manner to allow all persons participating in the meeting to hear each other.


6. Minutes

The Committee shall maintain written minutes of its meetings, which minutes shall be filed with the minutes of the meetings of the Board.


7. Voting

Each member of the Committee shall have one vote on any matter requiring action by the Committee. One-third of the members, but no fewer than two members, shall constitute a quorum. The Committee shall be authorized to take any permitted action only by the affirmative vote of a majority of the Committee members present at any duly-called meeting at which a quorum is present, or by the unanimous written consent of all of the Committee members. The Committee Chair shall be entitled to cast an additional vote to resolve any ties.


8. Performance Evaluation

At least annually, the Committee shall conduct a performance evaluation of the Committee, including a review of this Charter.


As amended and restated effective October 13, 2022.