Olo Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Olo Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:31:00 EST.

Filings

10-K filed on 2024-02-21

Olo Inc. filed a 10-K at 2024-02-21 16:31:00 EST
Accession Number: 0001431695-24-000008


Item 1C. Cybersecurity.

Cybersecurity Risk Management

Cybersecurity risk management is a significant part of our overall risk management process. Our cybersecurity risk management program is informed by security frameworks and standards, such as PCI DSS, ISO 27001, and CIS Controls. We have designed and implemented various information security processes that are intended to protect the confidentiality, integrity, security, and availability of our critical systems and information and provide a cross-functional framework for identifying, preventing, and mitigating cybersecurity threats and incidents, including threats and incidents associated with the use of applications developed and services provided by third-party service providers. Our cybersecurity risk management program includes:

- an internal security team, led by our Chief Information Security Officer, or CISO, which is responsible for, among other matters, monitoring our platform through penetration testing and vulnerability scanning, managing our cybersecurity risk assessment processes, and implementing our security controls;
- an annual risk assessment performed by our internal security team designed to identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a cybersecurity incident response plan, or IRP, that establishes an organizational framework and guidelines to assist us in identifying, responding to, and recovering from cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test, or otherwise assist with other services, such as performing third-party penetration testing, assisting with incident response, and facilitating adversary simulations;
- annual cybersecurity awareness training for our employees and additional training for engineers, technical team members, members of the cybersecurity incident response team, or CSIRT, and our Board of Directors;
- a third-party risk management process for service providers and vendors, which includes review by the internal security team at onboarding and, for certain significant vendors, an annual security review; and
- an insurance policy to help mitigate, in certain circumstances, potential liabilities resulting from cybersecurity incidents and other cyber issues.

To date, risks from cybersecurity threats have not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents. For more information about these risks, please refer to the section entitled Risk Factors in this Annual Report on Form 10-K.

Cybersecurity Governance

Our Board of Directors exercises oversight over our risk management process directly, as well as through its various standing committees that address risks inherent in their respective areas of oversight. In particular, our Board of Directors delegates cybersecurity risk management oversight to the audit committee of the Board of Directors. The audit committee oversees our cybersecurity processes and policies on risk identification, management, and assessment. The audit committee also reviews the adequacy and effectiveness of such policies, as well as the steps taken by management to mitigate or otherwise control these cybersecurity exposures and to identify future risks. The audit committee receives periodic reports from our CISO and General Counsel, or GC, on material cybersecurity risks, developments in cybersecurity, ongoing priorities and work of the governance, risk, and compliance committee, or the GRC Committee, updated risk assessments of our cybersecurity program, and mitigation strategies. The GC is also tasked with reporting on material cybersecurity incidents, if any, to the audit committee.

Our cybersecurity risk management processes are implemented, assessed, and managed by certain members of Olo management, including our CISO and GC. Our CISO has 25 years of experience in information technology and risk management at various companies, such as Yum Brands, Inc. and Domino's Pizza, Inc. He is also an ISC2 Certified Information Systems Security Professional. Our GC received a cybersecurity oversight certification from the National Cybersecurity Center. Both act as chairs of our GRC Committee. The GRC Committee provides direction, oversight, and management of our cybersecurity and privacy programs with a focus on business objectives, the protection of customer and employee data, safeguarding our systems, and complying with applicable laws, regulations, and contractual obligations. Cross-functional leaders within Olo, including members from our information technology, data science, finance, legal, and people & culture teams, are part of the committee. Our GRC Committee meets periodically to align cybersecurity and privacy strategy with business needs and risk appetite, monitor the execution of key cybersecurity initiatives, and serve as an escalation point for any related issues. Olo's IRP is also designed to escalate certain cybersecurity incidents to members of management, depending on the circumstances. Our internal security team, among others, works with our CSIRT to help assess, mitigate, and remediate cybersecurity incidents of which they are notified. Our GC, as the CSIRT leader, directs and coordinates CSIRT's activities, in consultation with the CISO and other members of management. In addition, the IRP includes processes for reporting to the audit committee and our Board of Directors certain cybersecurity incidents.


Company Information

Name: Olo Inc.
CIK: 0001431695
SIC Description: Services-Business Services, NEC
Ticker: OLO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30