ON24 INC. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

ON24 INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 17:35:00 EDT.

Filings

10-K filed on 2024-03-13

ON24 INC. filed a 10-K at 2024-03-13 17:35:00 EDT
Accession Number: 0001110611-24-000009


Item 1C. Cybersecurity.

Cybersecurity is an important component of our overall risk management program. Our cybersecurity policies and practices are integrated into our risk management program and are based on recognized frameworks. ON24 is certified under ISO 27001:2013 and 27701:2019, which sets forth a strict framework for managing security and privacy risks, including the necessary internal process and policies to deal with cybersecurity risks and incidents.

Risk Management and Strategy

Our cybersecurity program focuses on the following key areas:

Governance: Our Chief Information Officer (CIO) leads our cybersecurity risk management program, with oversight from our board of directors. Our CIO closely collaborates with Information Security and Legal/Privacy leaders with the support of other members of management and teams comprised of personnel with a broad range of experience in the technology industry.

Collaboration: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents.

Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention, data leak prevention and detection systems, anti-malware functionality and access controls.

Incident Response and Recovery Planning: We have established and maintain comprehensive cybersecurity incident response and recovery plans, including legal obligations to report incidents, which we test and evaluate from time to time.

Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors and customers, that could adversely impact our business in the event of a cybersecurity incident affecting third-party systems.

Education: We provide regular, mandatory training for staff regarding cybersecurity and privacy awareness.

We periodically assess and test our cybersecurity policies and practices. These efforts include tabletop exercises, vulnerability and penetration tests, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We also engage third parties to assess our cybersecurity measures.

Governance

Our board of directors oversees cybersecurity as part of its risk oversight function. Our board of directors receives regular presentations and reports on cybersecurity risks, prompt and timely information regarding cybersecurity incidents that meet specified thresholds, and updates on such incidents until they have been addressed.

Our CIO and other leaders work collaboratively across our organization to protect our information systems from cybersecurity threats and to promptly respond to incidents in accordance with our incident response plan, including the necessary steps to ensure remediation. Through ongoing communications, these teams monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to our board of directors when appropriate.

Our CIO has over 20 years of professional experience specializing in business transformation, change management, executive leadership, and IT strategy, and has worked with technology security, banking and media companies. Our head of Information Security also brings over 20 years of security, privacy, and compliance experience from public and private sector roles of which he spent the last ten years specifically leading security programs at late-stage SaaS companies.


Company Information

Name: ON24 INC.
CIK: 0001110611
SIC Description: Services-Prepackaged Software
Ticker: ONTF - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30