Page last updated on March 24, 2025
Oklo Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-24 16:16:36 EDT.
Filings
10-K filed on 2025-03-24
Oklo Inc. filed a 10-K at 2025-03-24 16:16:36 EDT
Accession Number: 0001628280-25-014490
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our critical systems and information. In collaboration with the Company’s IT leadership, management has established structured processes for identifying, assessing, and mitigating cybersecurity risks that may impact our business operations including processes to identify cybersecurity risks associated with the use of third-party service providers. Senior leadership regularly provides updates to the Audit Committee of the Board of Directors on the status and outcomes of internal audits evaluating our cybersecurity systems, controls, and processes.

Our program is guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which serves as a valuable resource in helping us identify, assess, and manage cybersecurity risks aligned with our business needs. This does not imply that we meet any particular standards, specifications or requirements, only that we use NIST as a guide.

Our cybersecurity risk management program is integrated into our overall risk management program, and shared common methodologies, reporting channels, and governance processes that apply across the risk management program to other legal, compliance, strategic, operational and financial risk areas.

Our overall strategy in protecting against cybersecurity risks includes the following preventative and detective measures:

- Multi-layered network security architecture - We have implemented firewalls, intrusion detection and prevention systems (IDPS), endpoint detection and response (EDR) solutions, and we utilize threat intelligence.
- Incident Response - In the event of an incident, management has established an incident response plan designed to identify, evaluate, respond to, mitigate, and report potential cybersecurity threats, including notifying the Board or regulatory agencies, as deemed appropriate. This response plan is tested regularly and is intended to address cybersecurity risks to the corporate information technology (“IT”) environment including the Company’s systems, hardware, software, data, people, and processes.
- Regular security assessments and penetration testing - We conduct periodic vulnerability assessments and simulated cyberattack exercises to identify and remediate security weaknesses in our IT infrastructure.
- Third-party Security Operations Center (SOC) monitoring - We partner with a third-party SOC and incident response retainer to provide security monitoring, threat detection, and rapid incident response, ensuring proactive identification and mitigation of potential cyber threats.
- Employee cybersecurity awareness and training programs - All employees are required to participate in cybersecurity training, including phishing simulations, social engineering awareness, and secure data handling practices.

Oklo has not experienced any material cybersecurity incidents to date, and we are not aware of any threats, current or ongoing, that would materially affect or be reasonably likely to materially affect our results of operations or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
See “Risk Factors - If we or our third-party providers fail to protect confidential information and experience data security incidents, we may experience adverse effects, including regulatory enforcement consequences, on our business and results of operations.”

Cybersecurity Governance

The Board maintains oversight responsibility for cybersecurity risks and has delegated to the Audit Committee oversight of such risks, including oversight of management’s implementation of our cybersecurity risk management program. Management regularly reports to the Audit Committee of the Board regarding the status and outcomes of regular internal audits of cybersecurity systems, controls, and processes. As needed, management also briefs the Board on our cybersecurity environment and information security philosophy. We also review and advise our Board of cybersecurity threats to us, including emerging cybersecurity threats, as well as our plans and strategies to address them.

Our cybersecurity management team consists of the following:

- Chief Financial Officer - previously held roles associated with cybersecurity monitoring and reporting at bp plc, including being accountable for a global smart active monitoring implementation program focused on the North American Downstream business, as well as oversight for IT when serving as the CFO for the NA Fuels business for bp plc and while CFO at Renewable Energy Group.
- Head of IT and Cyber - has over 20 years of IT leadership in cybersecurity, including risk management, incident response, and cybersecurity strategy across defense, education, and corporate sectors. He has managed IT and cyber operations for over 100,000 users, overseeing enterprise ERP, HRIS, internet services, email systems, and Security Operations Centers. He holds certifications including CISSP, CCNP, and ITIL.
- Head of Business Operations - a seasoned operations and technology leader with extensive experience in scaling IT and cybersecurity functions for high-growth companies. He served as Chief Operating Officer of a Series A startup where he oversaw all operations and IT.
- Head of Legal - has extensive experience helping companies manage cybersecurity, privacy, and data protection related risks across the technology, e-commerce, and healthcare sectors. He has served as the global Data Protection Officer at four companies, including at Shopify Inc. where he helped respond to cybersecurity incidents, and managed all related legal and regulatory impact. He also previously managed the cybersecurity function at a Series B startup where he served as General Counsel and Corporate Secretary.

All of the above individuals have played a key role in our transition as a public company, working closely with external cybersecurity advisory specialists to evolve IT and cybersecurity practices to meet public company compliance standards. Our management team remains actively engaged in overseeing cybersecurity risk prevention, detection, mitigation, and remediation efforts. This is achieved through regular briefings from our internal IT and cyber staff, with insights from threat intelligence sources, including governmental, public, and private entities as well as guidance from external service providers. Additionally, management reviews alerts and reports generated by advanced security tools deployed within our environment to ensure a proactive and informed approach to cybersecurity threats.
Company Information
Name | Oklo Inc. |
CIK | 0001849056 |
SIC Description | Electric Services |
Ticker | OKLO - NYSE |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |