Page last updated on February 14, 2025
JFrog Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:43:43 EST.
Accession Number: 0000950170-25-021340
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed an information security program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our information security program is managed by our SVP, Chief Security Officer (“CSO”), whose team (the “CSO Office”) is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, technologies, and processes. Our CSO’s primary responsibility includes assessing, monitoring, and managing our cybersecurity risks. Her background includes extensive experience as an enterprise CSO, with over 24 years of experience in the field of cybersecurity. In partnership with our Chief Information Officer (“CIO”), who leads our Governance, Risk and Compliance (“GRC”) function, the CSO Office oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee security training program.

The CSO Office implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and advanced compliance systems to identify and mitigate potential vulnerabilities. The CSO Office collaborates closely with key departments within the Company, including the office of our Chief Technology Officer (“CTO”), Engineering, IT, DevOps, Support, and Production, to implement our Vulnerability Management Remediation Plan. This collaboration is aligned with industry standards of the Software Development Life Cycle, underscoring our commitment to maintaining robust security protocols across all phases of our operations.

We have developed and maintain a robust cybersecurity incident response plan. JFrog’s cybersecurity incident response team has a comprehensive strategy and policies in place for managing security incidents. Along with swift threat classification, containment, and eradication, the strategy includes notification procedures to promptly inform and support stakeholders in accordance with applicable data breach notification laws. Incident analysis is carried out to understand root causes and drive continuous improvement.

Our information security controls and practices are certified against globally recognized standards: ISO 27001, ISO 27701, ISO 27017, SOC 2 Type II, CSA STAR Level 1, TISAX and KY3P by S&P Global. We are also aligned to cybersecurity practices and controls recommended by the National Institute of Standards and Technology (“NIST”), part of the U.S. Department of Commerce.

Our third-party vendor risk management program addresses third-party vendors with access to our systems or data, or who process data on our behalf. It includes a risk-based approach and security assessments throughout the third-party life cycle, from onboarding to termination, as well as contractual controls and technological controls to monitor the vendors’ security posture. This program is designed to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers.

Training and Awareness

Our employees undertake cybersecurity and data privacy training during onboarding. The majority of our employees complete annual refresher modules. JFrog also maintains a secure-code training program for developers and quarterly phishing simulations to improve our employees’ awareness. Any employee who does not meet our performance expectations in such simulations is required to undergo additional training.

Engagement with Third Parties on Risk Management

Given the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, helping our cybersecurity strategies and processes remain consistent with applicable, generally adopted industry best practices. Our collaborations with these third parties include:
- regular audits, threat assessments and penetration testing;
- consultation on security enhancements;
- a bug bounty program for identifying security weaknesses in our products and services;
- design partnerships with third-party vendors;
- using our in-house security tools as customers; and
- global incident response experts for potential critical cybersecurity events.

As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For more detailed information about the cybersecurity risks we face, please see Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including Risks Related to Privacy, Data Protection and Cybersecurity: “A breach of our security measures or unauthorized access to proprietary and confidential data, or a perception that any security breach or other incident has occurred, may result in our platform or products being perceived as not secure, lower customer use or stoppage of use of our products, and significant liabilities.”

Governance

Our Board of Directors considers cybersecurity as part of its overall risk oversight function and believes it has established robust oversight mechanisms to support effective governance in managing risks associated with cybersecurity threats. All of our Board members have experience in the technology industry, and our CTO, Yoav Landman, is a member of our Board. Under their guidance and oversight, data protection remains a strategic priority at the highest levels of our organization.

The Board has delegated to the Audit Committee the responsibility to oversee the information security program (see below) and is also updated regularly regarding matters discussed with the Audit Committee. The Audit Committee is responsible for oversight of our information security program and receives reports at least quarterly from executive management, including the CSO, CTO, and CIO, concerning cybersecurity matters. The Audit Committee’s charter directs that the committee oversee and periodically review the Company’s risks related to privacy, cybersecurity, and information and technology security, including:
- discussing with management the Company’s plans to mitigate cybersecurity risks and response to data breaches;
- reviewing any reports from management on data breaches; and
- overseeing the disclosure of any significant risks and incidents to the extent required by applicable law, including SEC rules and regulations.

Our CSO, who reports directly to our CTO, works closely with our CIO, who reports directly to our Chief Executive Officer. Over the past two decades, our CIO has held various positions in information technology and information security, including as CIO of two public companies, managing and controlling long-term cybersecurity programs and risks. Both our CTO, who is a co-founder of JFrog and is also a member of our Board, and our CSO have extensive experience assessing and managing cybersecurity programs and cybersecurity risks, and they work closely to define the initiatives of our cybersecurity program, the CSO organization structure, and cyber business continuity planning. Our CTO is updated regularly on the status of our cybersecurity program. This allows us to address emerging threats, make informed decisions in real time, and protect our systems on a timely basis.

Finally, our VP of Internal Audit leads an annual internal audit plan which includes a cybersecurity, privacy, or information technology security component. Internal audit findings are reported to the Audit Committee on a quarterly basis.
Company Information
Name | JFrog Ltd
CIK | 0001800667
SIC Description | Services-Prepackaged Software
Ticker | FROG - Nasdaq
Website |
Category | Large accelerated filer
Fiscal Year End | December 30