ON24 INC. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 13, 2025

ON24 INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 17:44:31 EDT.

Filings

10-K filed on 2025-03-12

ON24 INC. filed a 10-K at 2025-03-12 17:44:31 EDT
Accession Number: 0001110611-25-000004


Item 1C. Cybersecurity.

Cybersecurity is an important component of our overall risk management program. Our cybersecurity policies and practices are integrated into our risk management program and are based on recognized frameworks. ON24 is certified under ISO 27001:2013 and 27701:2019, which sets forth a strict framework for managing security and privacy risks, including the necessary internal process and policies to deal with cybersecurity risks and incidents.

Risk Management and Strategy

Our cybersecurity program focuses on the following key areas:

- Governance: Our Chief Information Officer (“CIO”) leads our cybersecurity risk management program, with oversight from our board of directors. Our CIO closely collaborates with Information Security and Legal/Privacy leaders with the support of other members of management and teams comprised of personnel with a broad range of experience in the technology industry.
- Collaboration: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents.
- Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention, data leak prevention and detection systems, anti-malware functionality and access controls.
- Incident Response and Recovery Planning: We have established and maintain comprehensive cybersecurity incident response and recovery plans, including legal obligations to report incidents, which we test and evaluate from time to time.
- Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors and customers, that could adversely impact our business in the event of a cybersecurity incident affecting third-party systems.
- Education: We provide regular, mandatory training for staff regarding cybersecurity and privacy awareness.

We periodically assess and test our cybersecurity policies and practices. These efforts include tabletop exercises, vulnerability and penetration tests, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We also engage third parties to assess our cybersecurity measures.

As of December 31, 2024, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, although we are unable to provide any assurance that such risks will not become material in the future.

Governance

Our board of directors oversees cybersecurity as part of its risk oversight function. The audit committee also assists our board of directors in fulfilling its responsibilities with respect to oversight of our cybersecurity programs, including assisting with reviewing the adequacy and effectiveness of our cybersecurity policies and practices and receiving regular presentations and reports from management. The audit committee provides regular briefings to our board of directors as appropriate.

We follow an incident response plan that includes reporting prompt and timely information regarding material cybersecurity incidents, remediation, and related matters. Our CIO and other leaders work collaboratively across our organization to protect our information systems from cybersecurity threats and to promptly respond to incidents in accordance with our incident response plan, including the necessary steps to ensure remediation. Through ongoing communications, these teams monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to our board of directors when appropriate.

Our CIO has over 20 years of professional experience specializing in business transformation, change management, executive leadership, and IT strategy, and has worked with technology security, banking and media companies. Our head of Information Security also brings over 20 years of security, privacy, and compliance experience from public and private sector roles, including leading the security programs at SaaS companies for over a decade.


Company Information

Name: ON24 INC.
CIK: 0001110611
SIC Description: Services-Prepackaged Software
Ticker: ONTF - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30