OneStream, Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on July 27, 2025

OneStream, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:09:42 EST.

Filings

10-K filed on 2025-02-27

OneStream, Inc. filed a 10-K at 2025-02-27 16:09:42 EST
Accession Number: 0000950170-25-029037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy As part of our overall approach to integrated risk management, we have established an information security program that includes policies, processes, and organizations to assess, identify and manage risk from information security threats, including cybersecurity threats, and including risks related to third parties, such as partners, vendors, and suppliers. The program also includes an incident response plan that is designed to provide controls and procedures for responding to cybersecurity or other security incidents. We have established an Information Security team that is responsible for overseeing the program across the Company, including with respect to information, personnel, and facilities. The Information Security team is led by our Chief Information Security Officer, or CISO, who coordinates with other departments in areas such as facilities, physical security, operations, data protection, information technology, product development, finance, legal and compliance. Regular assessments and reviews, through both internal and external experts, are conducted on OneStream information assets and networks, including systems, devices, applications, solutions and related computing resources, to evaluate potential risks and vulnerabilities, identify actions to be taken, and evaluate the effectiveness of our cybersecurity program. Risk management exercises occur regularly and in response to changes in Company 61 operations, risk landscape, and threat actor activities, using tabletop exercises, threat modeling, risk forecasting, and other techniques to monitor and evaluate the sufficiency of our policies, processes and controls. Internal assessments occur based on results from risk management exercises, changes in infrastructure, cybersecurity risks, threat actor activity, and in response to other internal or external events. External assessments are conducted by third-party assessors, consultants or auditors, as relevant, and occur regularly in order to maintain our certifications and accreditations with certain compliance regimes (for example, FedRAMP). Additionally, the Company utilizes third-party software, services and providers in our cybersecurity program in furtherance of our security processes such as endpoint security, threat intelligence, cloud security, and authentication services. We also provide employees with policies and training in areas such as ethics, information security, social engineering, data protection, and compliance, and with regular updates on the cybersecurity program and potential threats. We are aware of the risks associated with engaging third-party service providers and other third parties. We have implemented risk-based processes to oversee and manage these risks, including, where appropriate, contractual requirements to implement technical, administrative, cybersecurity, and physical measures to protect the security and confidentiality of OneStream information (including customer information), and to notify the Company promptly of relevant security incidents. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. We face a number of cybersecurity risks in connection with our business. To date, our business, operating results and financial condition have not been materially affected by cybersecurity incidents. For additional information, please refer to Item 1A. “Risk Factors” in this Annual Report on Form 10-K, including the risk factors under the section titled “Risk Factors-Risks Related to our Technology and Intellectual Property.” Governance Management is responsible for the day-to-day management of risks we face, including risks related to cybersecurity. Primary responsibility for our cybersecurity program is assigned to our CISO, who joined OneStream in May 2017 and has served as our CISO since December 2020. He has over 28 years of cybersecurity experience in the commercial and government sectors and works directly with the Information Security team to oversee and implement our cybersecurity program, including the policies and processes described in “Risk Management and Strategy” above. Our CISO reports directly to our Chief Risk Officer, or CRO. The CISO and the CRO both participate in regular meetings of our Operations and Risk Committee, a management committee which monitors risks across the Company, including cybersecurity and other information security risks. Our board of directors, which has overall responsibility for enterprise risk management, has delegated to our audit committee primary oversight of cybersecurity risks and the processes to manage them. The audit committee regularly reviews and discusses with our CISO, CRO, and other senior management our policies and processes designed to identify, monitor and address enterprise risks, including risks from cybersecurity threats and incidents. Material cybersecurity threat risks are also considered during board of directors and audit committee meeting discussions of matters like enterprise risk management, operational budgeting, business continuity planning, and other relevant matters. In addition, at least annually, our board of directors discusses our programs and policies related to cybersecurity and considers them from a risk management perspective and as part of OneStream’s business strategy. As our Information Security team monitors the security and effectiveness of our policies and processes, they also work to keep the CISO, CRO and other members of leadership informed of critical incidents, process updates, or other material details, in accordance with our internal reporting structure. Depending on the nature and severity of an incident, this reporting structure provides for escalating notification to our CEO and the board of directors. 62

Company Information