Ouster, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Ouster, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:13:48 EDT.

Filings

10-K filed on 2024-03-28

Ouster, Inc. filed an 10-K at 2024-03-28 16:13:48 EDT
Accession Number: 0001628280-24-013619

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our cybersecurity program seeks to ensure the confidentiality, integrity, and availability of the Company s information assets, including its critical systems. The Company s cybersecurity program is based on an ISO 27001 compliant Information Security Management System (ISMS). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use ISO 27001 as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity program is integrated into our overall risk management program, and is used to assess cybersecurity risks as part of the Company s enterprise risk assessment. Our cybersecurity program focuses on (i) raising security awareness of our employees and product development teams, and (ii) implementing and maintaining security operations that are designed to protect identities, networks, systems and data and provide for detection, response and recovery, including a cyber incident response plan. Our cyber incident response plan outlines a process for detecting and responding to cybersecurity incidents. We engage external parties to enhance our cybersecurity program and to operate a variety of operational functions. In accordance with the third-party s criticality to our operations and respective risk profile, we assess and engage consultants, advisors and vendors who are recognized for their cybersecurity expertise or products to supplement, augment and/or test specific elements of our security program, such as identity management, email security, network security, system/endpoint protection and managed detection and response. We also engage third-party specialists to conduct security assessments and independent audits of the security of the Company s systems and networks. The results of these assessments are used to help us improve our cybersecurity program. In February 2023, the Company adopted a third-party management policy to formalize the baseline of security controls that it expects its partners and other third-party companies to meet, in accordance with their criticality to our operations and respective risk profile, when directly interacting with the Company s data. To mitigate risks that may arise from the 45 Table of C ontents Company s interactions with service providers, suppliers, and vendors, we strive to ensure that our systems/services are integrated with trustworthy vendors. Although to date we have not experienced a material cybersecurity incident resulting in an interruption of our operations, the scope or impact of any future incident cannot be predicted with complete certainty. For additional information on our cybersecurity risks, see We are subject to cybersecurity risks to operational systems, security systems, infrastructure, firmware in our lidar and customer data processed by us or third-party vendors or suppliers and any material failure, weakness, interruption, cyber event, incident or breach of security could harm our reputation and adversely affect our ability to conduct our business and we may incur significant liabilities. in Part 1, Item 1A for more information. Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of the Company s cybersecurity program and other information technology risks. The Audit Committee receives regular cybersecurity updates and reports from members of the Company s executive team and the Director of Information, Cyber-Security and Compliance. The Company s executive team monitors the activities of the breach response team ( BRT ) and where appropriate participates in and supports the BRT in the evaluation and remediation of actual or perceived cyber incidents in accordance with the Company s incident response plan.

Company Information