Okta, Inc. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

Okta, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:01:29 EST.

Filings

10-K filed on 2025-03-05

Okta, Inc. filed a 10-K at 2025-03-05 16:01:29 EST
Accession Number: 0001660134-25-000049


Item 1C. Cybersecurity.

Cybersecurity risk management is an important part of our overall risk management efforts. Okta, Inc., like other companies, is subject to a wide variety of cybersecurity attacks on its systems, networks and data on an ongoing basis and with increasing sophistication. Given the evolving cybersecurity threat landscape facing us and our third-party service providers, we remain committed to protecting our systems, internal networks and our customers’ systems, and the information that we and they store and process. We have an established cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of Okta, Inc.’s critical systems, internal networks, and information. This program implements policies, processes and controls to respond to cybersecurity threats and mitigate business impacts. Our board of directors (the “board”) has delegated to the cybersecurity risk committee of the board (the “cybersecurity risk committee”) oversight responsibility of the cybersecurity risk management program, which includes a cybersecurity incident response plan. We devote significant resources, including human and financial capital, to create security measures, configuration policies and response plans to address cybersecurity threats. However, as a well-known provider of identity and security solutions, Okta, Inc. is a particularly attractive target to threat actors. For additional information related to these risks, see “Risk Factors” included under Part I, Item 1A of this Annual Report on Form 10-K. In the past we have experienced cybersecurity incidents, and cannot anticipate when or the extent to which cybersecurity incidents will materially affect us or our customers’ use of our platforms in the future.

To date we have not identified any prior cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Despite our efforts, we cannot eliminate all risks related to cybersecurity threats or incidents. There can be no assurance that Okta, Inc.’s cybersecurity risk management program and processes will be fully implemented. Even if implemented, they may not be complied with or may not effectively protect our systems and information or those of our customers.

Cybersecurity Risk Management and Strategy

Cybersecurity is a top priority for Okta, Inc. Our cybersecurity strategy is to develop a consistent framework of security controls that can apply to all business functions. To execute on this strategy, we integrate cybersecurity risk management into our broader enterprise risk management program. We also take a cross-functional approach to cybersecurity risk management by engaging teams across the business, including security, technical operations, engineering, IT, customer support, legal and communications, to implement shared processes for identifying, assessing, and managing key cybersecurity risks. We design and assess our cybersecurity risk management program against the National Institute of Standards and Technology Cybersecurity Framework (the “NIST Framework”). This does not imply that Okta, Inc.’s cybersecurity risk management program satisfies any particular specifications or requirements, only that we use the NIST Framework to guide our efforts to improve our security posture. Certain of our Okta Platform product offerings have attained multiple security certifications, the details of which are described in “Our Technology” under Part I, Item 1 of this Annual Report on Form 10-K.

Our cybersecurity risk management program consists of technical and organizational safeguards aimed at protecting the confidentiality of our systems and platforms. From time to time, management will engage external consultants and advisors to perform independent assessments and testing of the cybersecurity risk management program, or otherwise assist with aspects of the program and security controls. Key features of our cybersecurity risk management program include:

- Designated security governance, risk and compliance team. Our security governance, risk and compliance team is responsible for maintaining Okta, Inc.’s cybersecurity risk management framework and risk assessments, and for tracking risk mitigation efforts. This team, together with our enterprise risk management team, monitors and regularly reports on our cybersecurity risk profile. Our internal audit team partners with these teams to provide input on the overall effectiveness of Okta, Inc.’s security risk governance and management processes.

- Risk assessments. We periodically perform security risk assessments to stay informed about relevant security risks. Functional teams across the business assess risks associated with their specific activities, following an established framework with supervision by the security governance, risk and compliance team. Okta, Inc. has a management-level risk oversight committee, led by internal audit and security risk management personnel, that meets quarterly with other internal business leaders to review the results of these security risk assessments and evaluate the adequacy of any proposed mitigation plans.

- Incident response planning. Our cybersecurity incident response plan outlines the processes and procedures for responding to, remediating and resolving a security incident, and defines the roles and responsibilities of company personnel and third-party service providers who may assist in responding to such incidents. In fiscal 2025, we conducted tabletop exercises involving multiple operational teams, as well as an executive preparedness simulation with members of our management team, to educate personnel on their roles in response scenarios.

- Security awareness training. We require our employees and contractors to complete general cybersecurity awareness training at least annually. These training sessions advise on employee responsibilities and relevant policies designed to protect us, our information systems and data, as well as our customers’ systems and data. From time to time we may also require supplemental cybersecurity training for certain members of our workforce depending on their job responsibilities.

- Third-party risk management. We require high risk third-party vendors, suppliers and service providers to undergo a cybersecurity risk assessment prior to contracting with Okta, Inc. Certain third parties are monitored and reassessed on an ongoing basis, depending on their level of risk or in the event of changes to their products or services.

Cybersecurity Governance

Our board oversees Okta, Inc.’s enterprise risk management program, of which cybersecurity is an important component. To facilitate the board’s supervision of cybersecurity matters, the board formed the cybersecurity risk committee. Among other responsibilities, the cybersecurity risk committee provides oversight over the effectiveness of Okta, Inc.’s cybersecurity program. The cybersecurity risk committee receives regular updates on our cybersecurity program from our chief security officer (the “CSO”). In addition, management updates the cybersecurity risk committee, as appropriate, regarding cybersecurity incidents. Our cybersecurity risk committee reports to the board on its activities. In addition to receiving reports from the cybersecurity risk committee, our board periodically receives cyber risk management program briefings directly from the CSO.

Additionally, the audit committee of the board (the “audit committee”) receives regular cybersecurity updates as part of the audit committee’s oversight over our enterprise risk management program. Our management team, including the CSO, is responsible for assessing and managing our risks from cybersecurity threats. The CSO partners with the security, technical operations, legal, internal audit, engineering and product development teams to supervise both our cybersecurity program and our retained third-party cybersecurity consultants, and to stay informed on security at Okta, Inc. and the overall security landscape. Our current CSO brings over 20 years of cybersecurity and risk management experience to his work at Okta, Inc., having held numerous security leadership positions in highly-regulated industries such as finance. His experience delivering cybersecurity at scale extends internationally, and includes security and risk management roles at companies in Australia, the United Kingdom and the United States. The Okta, Inc. security team includes individuals with experience across a broad range of cybersecurity areas, including product security; cloud security; infrastructure security; security monitoring and incident response; identity and access management; vulnerability management; and governance, risk and compliance. Okta, Inc.’s management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security and technical personnel; threat intelligence and other information obtained from governmental, public or private sources, including third-party consultants engaged by us; and alerts and reports produced by security tools deployed in our technical environment.


Company Information

Name: Okta, Inc.
CIK: 0001660134
SIC Description: Services-Prepackaged Software
Ticker: OKTA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 30