Omada Health, Inc. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

Omada Health, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 16:32:19 EST.

Filings

10-K filed on 2026-03-06

Omada Health, Inc. filed a 10-K at 2026-03-06 16:32:19 EST
Accession Number: 0001628280-26-015637


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our information and critical systems. This program is integrated into our overall risk management strategy, is designed to identify, assess, and mitigate critical risks from cybersecurity threats, and shares common methodologies, reporting channels, and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program is overseen by our Chief Information Security Officer ("CISO") and aspects of that program are regularly audited by third-party audit partners, who, as appropriate, help to assess our cybersecurity program against industry standards. Our information security program is informed by well-established regulatory frameworks, including the HIPAA Security and Privacy rules and various additional federal and state privacy regulations, as well as industry standards such as the American Institute of Certified Public Accountants ("AICPA") Trust Service Criteria, the National Institute of Standards and Technology Cybersecurity Framework, and the HITRUST Common Security Framework. We have an active HITRUST certification and Service Organization Control ("SOC") 2 Type II attestation on all five AICPA trust criteria that are audited annually and issued by external, independent entities.

Key elements of our cybersecurity risk management program include but are not limited to the following elements: a security team principally responsible for managing our cybersecurity risk assessment processes, security controls, and response to cybersecurity incidents, vulnerability and penetration scanning on systems and applications; endpoint detection capabilities to identify malware and other indicators of threat activity; multifactor authentication; and blocking of malicious e-mail. In addition, we also provide annual cybersecurity awareness training for our employees and contractors, including those responsible for incident response, as well as senior management. Further, we use external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security. For example, we engage with an external security firm to perform regular penetration testing.

We subject our key third-party service providers to risk evaluation based on our assessment of their criticality to our operations and respective risk profile. Additionally, we have a process to engage with these third parties to understand potential impacts of, and remediation efforts associated with, critical vulnerabilities.

We also monitor our cybersecurity posture through periodic risk assessments designed to help identify material risks from cybersecurity threats to our critical systems and information. We also conduct external audits, which are reviewed primarily by our CISO and others as needed and incorporated into our overall cybersecurity risk management program.

In the event of a potential cybersecurity incident, or a series of related cybersecurity incidents, we have a documented security incident response plan designed to provide a consistent approach to identifying, classifying and responding to the incident as well as a defined escalation process to management to assess the materiality.

To date, we have not identified risks from any known cybersecurity incidents or threats, including as a result of our prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. See "Risk Factors Risks Related to Cybersecurity, Information Systems, and Intellectual Property" for additional information.

Governance Related to Cybersecurity

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of our cybersecurity risk. This includes, but is not limited to, oversight of management's implementation of our cybersecurity risk management program.

Our CISO reports to the Audit Committee on an annual basis on any relevant cybersecurity issues or risks, related controls, procedures and programming, as well as any material updates to our cybersecurity risk management and strategy, broader cybersecurity trends, and relevant educational information. In addition, our CISO updates the Audit Committee, where it deems appropriate, regarding any material cybersecurity incidents, as well as any incidents it considers to be significant or potentially significant.

The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board receives regular reports from our CISO related to evaluations of our cyber risk management program and other cybersecurity topics, informed by internal security staff and certain external experts.

Our CISO, William Dougherty, has over twenty years of experience protecting and overseeing information security, information technology operations, and managed services for a host of technology companies. Mr. Dougherty regularly engages with other members of our executive management team, including our VP of Compliance, General Counsel, and Chief Technology Officer, as well as a Risk Committee of senior executives, to discuss cyber risk.

Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.


Company Information

Name: Omada Health, Inc.
CIK: 0001611115
SIC Description: Services-Health Services
Ticker: OMDA - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 31