Ondas Holdings Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Ondas Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 08:48:37 EDT.

Filings

10-K filed on 2025-03-12

Ondas Holdings Inc. filed a 10-K at 2025-03-12 08:48:37 EDT
Accession Number: 0001213900-25-022968


Item 1C. Cybersecurity.

Risk management and strategy

We rely on our information technology to operate our business. We have policies and processes designed to protect our information technology systems, some of which are managed by third parties, and resolve issues in a timely manner in the event of a cybersecurity threat or incident. As part of our broader risk management framework, we have identified the potential cybersecurity risks to our business and implemented structured controls to mitigate them. Our business applications and hosting services are designed to minimize the impact of cybersecurity incidents, with designated backup systems in place where necessary.

To enhance cybersecurity resilience, we have implemented a structured Information Security Management System (ISMS) certified in accordance with ISO 27001, providing a comprehensive approach to managing cybersecurity risks and aligning with industry best practices. Our risk mitigation efforts include a combination of administrative, technical, and operational controls, such as real-time monitoring and detection activities, anti-malware and endpoint protection solutions, annual employee cybersecurity training, regular security audits, third-party penetration testing, and a clear communication and reporting structure to facilitate timely responses to security incidents.

We have a Cybersecurity Incident Response Plan (CIRP) that defines roles, responsibilities, and reporting mechanisms, as well as a structured incident response process covering preparation, detection, response, documentation, and post-incident analysis. This plan outlines possible cybersecurity threats and response measures for incidents such as denial-of-service attacks, malicious code attacks, website defacement, data corruption, and data leakage. In addition, we maintain a Business Continuity Plan (BCP) in accordance with ISO 27001 to ensure operational resilience, including detailed continuity procedures, system restoration timeframes, and recovery strategies for various scenarios.

To address cybersecurity risks associated with third-party service providers, we have established procedures, policies, and tools for identifying, assessing, and mitigating potential threats. This process begins with a third-party risk assessment, which is performed and updated as needed. Our Information Security Guidelines for Suppliers ensure compliance with security standards, while our Access Control Policies regulate third-party access to sensitive systems, and our Cloud System Information Security Procedures govern data security in cloud environments. We also engage third-party consultants to assist in designing and enhancing our cybersecurity risk management framework, including penetration testing and continuous threat monitoring.

To date, we have not encountered cybersecurity threats or incidents that have had a material impact on our business.

Governance

Our Board of Directors has specific oversight responsibility for cybersecurity, which also oversees our general risk management. The Board of Directors reviews and discusses with management our policies, practices and risks related to information security and cybersecurity. Our Chief Financial Officer has primary responsibility for assessing, monitoring, and managing cybersecurity risks. Leaders of our Ondas Networks and OAS segments, along with the Chief Financial Officer, meet quarterly to assess cybersecurity risks, identify emerging threats, and evaluate our risk management framework. The Chief Financial Officer provides quarterly updates to the Board of Directors on any cybersecurity-related risks. Our incident response plan includes notifying the Board of Directors of any material threats or incidents as they arise.

Although these members of our senior management do not have direct cybersecurity expertise obtained through certifications, their experience managing the Company, which includes consulting and coordinating as necessary with in-house and third-party information technology specialists, enables them to effectively assess and manage material risks from cybersecurity threats.

At OAS, risk management oversight is further managed through our Head of Information Security, who is responsible for overseeing the information security aspects of our cybersecurity framework. Our Head of Information Security brings extensive expertise to the role, with military experience in information security, a B.Sc. in Information Systems Engineering, and specialized training in computer and information systems security/information assurance from the TÜV SÜD Academy. Additionally, our Head of Information Security is certified by the Standards Institution of Israel as a Senior Internal Auditor for ISO 27001. Her areas of expertise include performing risk assessments, developing business continuity plans, drafting information security policies and procedures, conducting internal audits, leading information security training, and evaluating information systems. This structured approach ensures that our cybersecurity governance remains robust, proactive, and aligned with industry best practices.

At Ondas Networks, risk management is further managed through the use of expert third party companies to assist in managing relevant risks. In particular, the Company outsources its information technology function and monitoring to a third-party provider whereby it benefits from a professionally managed network monitoring, management, maintenance, detection and response system and a 24/7 security operations center with both onsite and remote support services. Any cybersecurity incident would be reported to the Company promptly by our third-party consultant.


Company Information

Name: Ondas Holdings Inc.
CIK: 0001646188
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: ONDS - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30