JFrog Ltd 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

JFrog Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 16:10:58 EST.

Filings

10-K filed on 2026-02-13

JFrog Ltd filed a 10-K at 2026-02-13 16:10:58 EST
Accession Number: 0001193125-26-051382


Item 1C. Cybersecurity.

Our products involve the collection, storage and processing of customer data (including, in some cases, personal data), and may provide business critical software and analytics necessary for our customers' operations. JFrog develops, implements, and maintains cybersecurity measures designed to safeguard our products and protect the confidentiality, integrity, and availability of our customer data and our confidential information.

Risk Management and Strategy

We have developed an information security program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our information security program is managed by our Chief Security Officer ("CSO") who reports to the Chief Information Officer ("CIO"), whose team (the "CIO Office") leads, amongst other things, enterprise-wide cybersecurity strategy, policy, standards, architecture, technologies, and processes. Currently, the CIO is acting as interim CSO, until a new CSO is hired. Our CIO's responsibilities include assessing, monitoring, and managing our cybersecurity risks. His background includes extensive experience as an enterprise CIO, with over 20 years of experience in the field of cybersecurity.

Further, the CIO Office oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee security training program. The CIO Office implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of security measures and compliance systems to identify and mitigate potential vulnerabilities.

The CIO Office collaborates closely with key departments within the Company, including the office of our Chief Technology Officer ("CTO"), Engineering, IT, DevOps, Support, and Production, to implement our Vulnerability Management Remediation Plan.
This collaboration is aligned with industry standards of the Software Development Life Cycle, underscoring our commitment to maintaining security protocols across all phases of our operations.

We have developed and maintained a cybersecurity incident response plan. JFrog's cybersecurity incident response team has a strategy and policies in place for managing security incidents. Along with threat classification, containment, and eradication, the strategy includes notification procedures to promptly inform and support stakeholders in accordance with applicable data breach notification laws. Incident analysis is carried out in furtherance of determining root causes and driving continuous improvement.

Our information security controls and practices are certified to globally recognized standards, including, without limitation, ISO 27001, ISO 27701, ISO 27017, SOC 2 Type II, CSA STAR Level 1, TISAX and KY3P by S&P Global. Our risk management strategies are informed by the Cybersecurity Framework published by the National Institute of Standards and Technology ("NIST"), part of the U.S. Department of Commerce.

Our third-party vendor risk management program addresses third party vendors with access to our systems or data, or who process data on our behalf. This program includes a risk-based approach and security assessments throughout the third-party life-cycle, from onboarding to termination, as well as through contractual controls and technological controls to monitor the vendors' posture. Further, this program is designed to oversee and identify risks from cybersecurity threats associated with its use of third-party service providers.

Training and Awareness

Our employees undertake cybersecurity and data privacy training during onboarding. The majority of our employees complete annual refresher modules. JFrog also maintains a secure-code training program for developers and quarterly phishing simulation to improve our employees' awareness.
Any employee who does not meet our performance expectations in such simulations is required to undergo additional training.

Engagement with Third-Parties on Risk Management

Given the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, and assist our cybersecurity strategies and processes in remaining consistent with applicable generally adopted industry practices. Our collaborations with these third parties include:

- regular audits, threat assessments and penetration testing;
- consultation on security enhancements;
- bug bounty program for identifying security weaknesses in our products and services;
- designing partnership with third party vendors;
- using our in-house security tools as customers; and
- global incident response experts for potential critical cybersecurity events.

As of the date of this Annual Report on Form 10-K, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, we face ongoing cybersecurity risks, including threats that might become more sophisticated and effective over time, and we cannot anticipate when or the extent to which cybersecurity incidents or breaches will materially affect the Company.
Additional information on the cybersecurity risks we face is discussed in Part I, Item 1A, "Risk Factors," in this Annual Report on Form 10-K, including Risks Related to Privacy, Data Protection and Cybersecurity: "A breach of our security measures or unauthorized access to proprietary and confidential data, or a perception that any security breach or other incident has occurred, may result in our platform or products being perceived as not secure, lower customer use or stoppage of use of our products, and significant liabilities."

Governance

Our Board of Directors considers cybersecurity as part of its overall risk oversight function and has established oversight mechanisms to support effective governance in managing risks associated with cybersecurity threats. All of our Board members have experience in the technology industry including Sigal Zarmi who is a former CIO of various technology companies, and our CTO, Yoav Landman. Data protection under their guidance and oversight remains a strategic priority at the highest levels of our organization.

The Board has delegated to the Audit Committee the responsibility to oversee the information security program (see below) and is also updated regularly regarding matters discussed with the Audit Committee. The Audit Committee is responsible for oversight of our information security program and receives reports (in particular, in connection with the meetings of the Cybersecurity Subcommittee of the Audit Committee) at least quarterly from executive management, including the CTO and CIO, concerning cybersecurity and other related matters.
The Audit Committee's charter directs that the committee oversee and periodically review the Company's risks related to privacy, cybersecurity, and information and technology security, including:

- discussing with management the Company's plans to mitigate cybersecurity risks and response to data breaches;
- reviewing any reports from management on data breaches, and
- overseeing the disclosure of any significant risks and incidents to the extent required by applicable law, including SEC rules and regulations.

Over the past two decades, our CIO has held various positions in information technology and information security, including as CIO in two public companies, managing and controlling cybersecurity long-term programs and risks. Both our CTO, who is a co-founder of JFrog and is also a member of our Board, and our CIO have extensive experience assessing and managing cybersecurity programs and cybersecurity risks, and they work closely to define the initiatives of our cybersecurity program, the CIO organization structure and cyber business continuity plan planning. Our CTO is updated regularly on the status of our cybersecurity program. This allows us to address emerging threats and make informed decisions in real-time and to protect our systems on a timely basis.

Our Chief Legal Officer coordinates the legal review of our privacy and cybersecurity programs, and our VP of Internal Audit leads an annual internal audit plan which includes a component either focused on cybersecurity, privacy, or information technology security. Internal audit findings are reported to the Audit Committee on a quarterly basis.


Company Information

Name: JFrog Ltd
CIK: 0001800667
SIC Description: Services-Prepackaged Software
Ticker: FROG - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 31