Ouster, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Ouster, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 17:02:02 EST.

Filings

10-K filed on 2026-03-02

Ouster, Inc. filed a 10-K at 2026-03-02 17:02:02 EST
Accession Number: 0001628280-26-013313


Item 1C. Cybersecurity.

We have developed and implemented a cybersecurity program that seeks to ensure the confidentiality, integrity, and availability of the Company's information assets, including its critical systems. We use the ISO 27001 Information Security Management System (ISMS) standard as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity program is integrated into our overall risk management program, which is reviewed and evaluated by our Board, and shares reporting channels and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial areas.

Key elements of our cybersecurity program include, but are not limited to, (i) raising security awareness of our employees and product development teams, and (ii) implementing and maintaining security controls and operations that are designed to protect identities, networks, systems, and data and provide for detection, response, and recovery, including a cyber incident response plan.

We engage external parties to enhance our cybersecurity program and to operate a variety of operational functions. We engage consultants, advisors and vendors who are recognized for their cybersecurity expertise or products to supplement, augment and/or test elements of our security program. We also engage third-party specialists to conduct security assessments and independent audits of the Company's systems and networks. The Company has adopted a third-party management policy to formalize the baseline of security controls that it expects its partners and other third-party companies (including service providers) to meet, in accordance with their criticality to our operations and respective risk profile based on their level of access to our systems and/or data. To mitigate risks that may arise from the Company's interactions with service providers, suppliers, and vendors, we strive to ensure that our systems/services are integrated with trustworthy vendors.

Although to date we have not identified risks from cybersecurity threats or experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our operations, business strategy or financial condition, the scope or impact of any future incident cannot be predicted with certainty. For additional information on our cybersecurity risks, see "We and our third-party providers are subject to cybersecurity risks, and any material failure, weakness, interruption, cyber event, incident, or breach of security could materially adversely affect our business, results of operations, and financial condition." in Part 1, Item 1A for more information.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated to the Audit Committee oversight of the Company's cybersecurity program. The Audit Committee receives regular cybersecurity updates and reports from members of the Company's executive team and the Senior Director of Information Security and Compliance and in turn briefs the full Board on these updates as part of its Committee report. In addition, the full Board receives a full report on the Company's cybersecurity program at least annually. The Board is also apprised by the executive team and Senior Director of Information Security and Compliance of more significant or serious cybersecurity incidents.

Our Senior Director of Information Security and Compliance under the direction of our executive team, and is primarily responsible for assessing and managing our material risks from cybersecurity threats. The Senior Director of Information Security and Compliance has day to day responsibility for the Company's cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Senior Director of Information Security and Compliance has served in various roles in information security for over 15 years, including serving as Associate Director of Cybersecurity of a public company as well as a PCI Qualified Security Assessor at a cybersecurity consulting firm. He holds a M.S. in Computer Science and has attained various certifications, including an Advanced Computer Security Certificate from Stanford University.

Our Senior Director of Information Security and Compliance assists the executive team by taking steps to stay informed about and monitor the Company's efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment. The Company's executive team also monitors the activities of the Breach Response Team ("BRT") and where appropriate participates in and supports the BRT in the evaluation and remediation of cyber and other security incidents in accordance with the Company's incident response plan.


Company Information

Name: Ouster, Inc.
CIK: 0001816581
SIC Description: General Industrial Machinery & Equipment, NEC
Ticker: OUST - Nasdaq; OUSTZ - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 31