Udemy, Inc. 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

Udemy, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:10:45 EST.

Filings

10-K filed on 2025-02-19

Udemy, Inc. filed a 10-K at 2025-02-19 16:10:45 EST
Accession Number: 0001607939-25-000011


Item 1C. Cybersecurity.

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are subject to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Following these risk assessments, we work to design, implement, and maintain reasonable safeguards to mitigate identified risks; work to reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards.

We devote significant resources and designate high-level personnel, including our Chief Information Security Officer and Head of Information Technology (“CISO”), who reports to our Chief Financial Officer and Chief Technology Officer, to manage the risk assessment and mitigation process. Our CISO has over 25 years of industry experience, including serving in similar roles overseeing cybersecurity programs at other companies.
In addition, our CISO has held Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP) and Certified Information Security Auditor (CISA) credentials for over a decade. Our CISO also currently holds the National Association of Corporate Directors (NACD) CERT Certificate in Cybersecurity Oversight from Carnegie Mellon University.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with our Legal, Information Security, and Information Technology Departments and management. Personnel at all levels and departments are made aware of our cybersecurity policies through required trainings.

From time to time, we engage outside consultants in connection with our risk assessment processes. These service providers assist us with evaluating, designing and implementing our cybersecurity policies and procedures, as well as monitoring and testing our safeguards. In addition to an ongoing “bug bounty” program, we engage with independent third parties to perform external testing of our security controls on an annual basis.

We require third-party service providers to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.
For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” including “-Risks related to technology, privacy, and cybersecurity-A cybersecurity attack or other security breach or incident could delay or interrupt service to our learners, instructors, and UB customers, harm our reputation or subject us to significant liability” in this Annual Report on Form 10-K.

Governance

Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in risk oversight. The Audit Committee directly assists the Board in its oversight of cybersecurity risk. The Audit Committee receives updates at least twice a year from management, including our CISO, on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, control maturity assessments, and relevant internal and industry cybersecurity incidents.

Our CISO and our management Risk Committee, consisting of our executive leadership team, are responsible for overseeing our cybersecurity risk management processes. The processes by which our CISO and our Risk Committee are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents includes direct engagement with the security team by our CISO, as well as our incident reporting process. Under our incident reporting process, cybersecurity incidents are reported, and then reviewed by senior members of our information security, internal audit and legal department, who then evaluate and, if appropriate, escalate any incidents immediately to our Audit Committee.


Company Information

Name: Udemy, Inc.
CIK: 0001607939
SIC Description: Services-Educational Services
Ticker: UDMY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30