JFrog Ltd 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

JFrog Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 16:08:38 EST.

Filings

10-K filed on 2024-02-15

JFrog Ltd filed an 10-K at 2024-02-15 16:08:38 EST
Accession Number: 0000950170-24-015873

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our information security program is managed by our Chief Security Officer and VP of Security Engineering ( CSO ), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, technologies, and processes. Our CSO s primary responsibility includes assessing, monitoring, and managing our cybersecurity risks. With over 24 years of experience in the field of cybersecurity, our CSO brings a wealth of experience to her role. Her background includes extensive experience as an enterprise CSO, and she is well recognized within the industry. Her in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. In partnership with our Chief Information Officer ( CIO ) who leads our Governance Risk and Compliance ( GRC ) function, our CSO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee security training program. The CSO works to stay informed about relevant developments in cybersecurity, including potential threats and innovative risk management techniques. The CSO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and advanced compliance systems to identify potential vulnerabilities and mitigate them. The CSO collaborates closely with various key departments within the company including the office of our Chief Technology Officer ( CTO ), Engineering, IT, DevOps, Support, and Production to implement our Vulnerability Management Remediation Plan. This collaboration is aligned with industry standards of the Software Development Life Cycle, underscoring our commitment to maintaining robust security protocols across all phases of our operations. We have developed and maintain a robust cybersecurity incident response plan, led by the CSO. JFrog s cybersecurity incident response team has a comprehensive strategy and policies in place for managing security incidents. Along with swift threat classification, containment, and eradication, the strategy includes notification procedures to promptly inform and support stakeholders in accordance with applicable data breach notification laws. Incident analysis is carried out to understand root causes and drive continuous improvement. Our information security controls and practices are certified against globally recognized standards: ISO 27001, ISO 27701, ISO 27017, SOC 2 Type II. We are also aligned to cybersecurity practices and controls recommended by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. Our third-party vendor risk management program addresses third party vendors with access to our systems or data, or processing data on our behalf, and includes a risk-based approach and security assessments throughout the third-party life-cycle, from onboarding to termination, as well as through contractual controls and technological controls to monitor the vendors posture. This program is designed to oversee and identify risks from cybersecurity threats associated with its use of any third-party service providers. Training and Awareness Our employees undertake cybersecurity and data privacy training during onboarding and the majority of our employees complete annual refresher modules. JFrog also maintains a secure-code training program for developers and quarterly phishing simulation to improve our employees’ awareness and resilience. Employees who do not meet our performance expectations in such simulations are required to undergo additional training. Engagement with Third-Parties on Risk Management Given the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, helping our cybersecurity strategies and processes remain consistent with applicable generally adopted industry best practices. Our collaboration with these third parties includes regular audits, threat assessments and penetration testing; consultation on security enhancements; bug bounty program for identifying security weaknesses in our products and services; designing partnership with third party vendors; using our inhouse security tools as customers; and global incident response experts for potential critical cybersecurity events. As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For more detailed information about the cybersecurity risks we face, please see Item 1A, Risk Factors, in this annual report on Form 10-K, including Risks Related to Privacy, Data Protection and Cybersecurity: A breach of our security measures or unauthorized 52 Table of Contents access to proprietary and confidential data, or a perception that any security breach or other incident has occurred, may result in our platform or products being perceived as not secure, lower customer use or stoppage of use of our products, and significant liabilities. Governance Our Board of Directors has established robust oversight mechanisms to support effective governance in managing risks associated with cybersecurity threats. All of our Board members have experience in the tech industry. Data protection under their guidance and oversight remains a strategic priority at the highest levels of our organization. The Audit Committee is responsible for oversight of our information security program and is consulted with at least twice a year by management. Our VP of Internal Audit leads an annual internal audit plan, and its status and internal audit findings are reported to the Audit Committee on a quarterly basis. Our cybersecurity strategies and initiatives are refined by the continuous dialogue and the rich insight of our Board members. Our CTO who is also a Board member, has established the CSO Office at JFrog. Our CTO and CSO have extensive experience assessing and managing cybersecurity programs and cybersecurity risks, and they work closely to define the initiatives of our cybersecurity program, the CSO organization structure and cyber business continuity plan planning. Our CTO is updated regularly on the status of our cybersecurity program. This allows us to address emerging threats and make informed decisions in real-time and to protect our systems on a timely basis. Over the past two decades, our CIO has held various positions in information technology and information security, including as CIO in two public companies, managing and controlling cybersecurity long-term programs and risks. Governance, Risks and Compliance (GRC) is managed by the CIO team, while cross-GRC activities are managed by the team, in alignment with the CSO. Risk assessments are periodically conducted by our VP of Internal Audit. Internal audits are conducted and reported to the Audit Committee on a quarterly basis.

Company Information