Ouster, Inc. 10-K Cybersecurity GRC - 2025-03-21

Page last updated on March 21, 2025

Ouster, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-21 16:08:17 EDT.

Filings

10-K filed on 2025-03-21

Ouster, Inc. filed a 10-K at 2025-03-21 16:08:17 EDT
Accession Number: 0001628280-25-014318


Item 1C. Cybersecurity.

We have developed and implemented a cybersecurity program that seeks to ensure the confidentiality, integrity, and availability of the Company’s information assets, including its critical systems.

The Company’s cybersecurity program is based on an ISO 27001 compliant Information Security Management System (ISMS). We use ISO 27001 as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity program is integrated into our overall risk management program; which is reviewed and evaluated by our Board, and shares reporting channels and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial areas.

Key elements of our cybersecurity program include, but are not limited to, (i) raising security awareness of our employees and product development teams, and (ii) implementing and maintaining security operations that are designed to protect identities, networks, systems, and data and provide for detection, response, and recovery, including a cyber incident response plan.

We engage external parties to enhance our cybersecurity program and to operate a variety of operational functions. We engage consultants, advisors and vendors who are recognized for their cybersecurity expertise or products to supplement, augment and/or test specific elements of our security program. We also engage third-party specialists to conduct security assessments and independent audits of the security of the Company’s systems and networks. The results of these assessments may be used to help us improve our cybersecurity program.

The Company has adopted a third-party management policy to formalize the baseline of security controls that it expects its partners and other third-party companies (including service providers) to meet, in accordance with their criticality to our operations and respective risk profile, when directly interacting with the Company’s data. To mitigate risks that may arise from the Company’s interactions with service providers, suppliers, and vendors, we strive to ensure that our systems/services are integrated with trustworthy vendors.

Although to date we have not experienced a material cybersecurity incident resulting in an interruption of our operations, the scope or impact of any future incident cannot be predicted with complete certainty. For additional information on our cybersecurity risks, see “We and our third-party providers are subject to cybersecurity risks, and any material failure, weakness, interruption, cyber event, incident, or breach of security could materially adversely affect our business, results of operations, and financial condition.” in Part 1, Item 1A for more information.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated to the Audit Committee oversight of the Company’s cybersecurity program. The Audit Committee receives regular cybersecurity updates and reports from members of the Company’s executive team and the Senior Director of Information Security and Compliance and in turn briefs the full Board on these updates as part of its Committee report. In addition, the full Board receives a full report on the Company’s cybersecurity program at least annually. The Board is also apprised by the executive team and Senior Director of Information Security and Compliance of more significant or serious cybersecurity incidents.

The Company has a Breach Response Team (“BRT”) led by our Senior Director of Information Security and Compliance under the direction of our executive team, and is responsible for assessing and managing our material risks from cybersecurity threats. The Senior Director of Information Security and Compliance has day to day responsibility for the Company’s cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Senior Director of Information Security and Compliance has served in various roles in information security for over 15 years, including serving as Associate Director of Cybersecurity of a public company as well as a PCI Qualified Security Assessor at a cybersecurity consulting firm. He holds a M.S. in Computer Science and has attained various certifications, including an Advanced Computer Certificate from Stanford University.

Our executive team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from the Senior Director of Information Security and Compliance and other internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment. The Company’s executive team also monitors the activities of the BRT and where appropriate participates in and supports the BRT in the evaluation and remediation of actual or perceived cyber incidents in accordance with the Company’s incident response plan.


Company Information

Name: Ouster, Inc.
CIK: 0001816581
SIC Description: General Industrial Machinery & Equipment, NEC
Ticker: OUST - Nasdaq; OUSTW - Nasdaq; OUSTZ - Nasdaq
Website
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30