Okta, Inc. - (OKTA)

10-K Filing Date: March 01, 2024
Item 1C. Cybersecurity
Okta, like other companies, is subject to a wide variety of cybersecurity attacks on its systems and networks on an ongoing basis and with increasing sophistication. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft or misuse, password spraying, phishing and denial-of-service attacks, Okta and its third-party service providers now also face threats from sophisticated nation-state actors and organized crime groups who engage in attacks (including advanced persistent threat intrusions). In the face of this threat landscape, Okta remains committed to protecting its systems, internal networks and its customers’ systems, and the information that it and they store and process.
Okta has an established cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of its critical systems, internal networks and information. This program implements policies, processes and controls to respond to cybersecurity threats and mitigate business impacts. Okta’s board of directors (the “board”) has delegated to the cybersecurity risk committee of the board (the “cybersecurity risk committee”) oversight responsibility of the cybersecurity risk management program, which includes a cybersecurity incident response plan.
Okta devotes significant resources, including human and financial capital, to create security measures, configuration policies and response plans to address cybersecurity threats. However, as a well-known provider of identity and security solutions, Okta is a particularly attractive target for such threats. For additional information related to these risks, see “Risk Factors” included under Part I, Item 1A of this Annual Report on Form 10-K. In the past we have experienced cybersecurity incidents, and we cannot anticipate when or the extent to which cybersecurity breaches will materially affect Okta or its customers’ use of Okta’s platform in the future. To date we have not identified any prior cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. There can be no assurance that Okta’s cybersecurity risk management program and processes, including its policies, controls or procedures, will be fully implemented, complied with or effective in protecting its systems and information.
Cybersecurity Risk Management and Strategy
Cybersecurity is essential for Okta. Our cybersecurity strategy is to develop a consistent framework of security controls that can apply to all business functions. To execute on this strategy, we integrate cybersecurity risk management into our broader enterprise risk management program. We also take a cross-functional approach to cybersecurity risk management by engaging teams across the business, including security, technical operations, engineering, IT, customer support, legal and communications, to implement shared processes for identifying, assessing and managing key cybersecurity risks.
We design and assess our cybersecurity risk management program against the National Institute of Standards and Technology Cybersecurity Framework (the “NIST Framework”). This does not imply that Okta satisfies any particular specifications or requirements, only that we use the NIST Framework to guide our efforts to improve our security posture.
Our cybersecurity risk management program consists of technical and organizational safeguards aimed at protecting the confidentiality of our systems and the Okta platform. From time to time, we engage external consultants and advisors to perform independent assessments and testing of our program, or otherwise assist with aspects of our program and security controls.
Key features of our cybersecurity risk management program include:
Designated security risk team. Our security risk management team is responsible for maintaining Okta’s cybersecurity risk management framework and risk assessments and tracking risk mitigation efforts. This team, together with our enterprise risk management team, monitors and regularly reports on our cybersecurity risk profile. Our internal audit team partners with these teams to provide input on the overall effectiveness of Okta’s security risk governance and management processes.
Risk assessments. We periodically perform enterprise-wide assessments to stay informed about critical security risks. Okta’s functional teams also assess risks associated with their specific activities, with supervision by the security risk management team. Functional team risk assessments follow an established framework that includes information-gathering from internal and external sources to identify risks, and evaluating the adequacy of controls to mitigate those risks. We have a management-level risk oversight committee, led by internal audit and security risk management personnel, that meets quarterly with other internal business leaders to review the results of these enterprise-wide and functional team risk assessments and evaluate the adequacy of any proposed mitigation plans.
Incident response planning. Okta’s cybersecurity incident response plan outlines the processes and procedures for responding to, remediating and resolving a security incident, and defines the roles and responsibilities of Okta personnel in responding to such incidents.
Security awareness training. We require our employees and contractors to complete general cybersecurity awareness training at least annually. These training sessions advise on how to protect Okta, our information systems and data, as well as our customers’ systems and data. From time to time we may also require supplemental cybersecurity training for certain members of our workforce depending on their job responsibilities.
Third-party risk management. We require high risk third-party vendors, suppliers and service providers to undergo a cybersecurity risk assessment prior to contracting with Okta. Certain third parties are monitored and reassessed on an ongoing basis, depending on their level of risk or in the event of changes to their products or services.
Cybersecurity Governance
Okta’s board oversees Okta’s enterprise risk management program, of which cybersecurity is a critical component. To facilitate the board’s supervision of cybersecurity matters, the board formed a cybersecurity risk committee. Among other responsibilities, the cybersecurity risk committee oversees Okta’s cybersecurity program.
The cybersecurity risk committee receives regular updates from Okta’s chief security officer (the “CSO”) on our cybersecurity program. In addition, management updates the cybersecurity risk committee, as appropriate, regarding cybersecurity incidents. The cybersecurity risk committee reports to the board on its activities. In addition to receiving reports from the cybersecurity risk committee, the board periodically receives cyber risk management program briefings directly from the CSO. Additionally, the audit committee of the board receives cybersecurity updates as part of the audit committee’s oversight of Okta’s enterprise risk management program.
Our management team, including the CSO, is responsible for assessing and managing our risks from cybersecurity threats. The CSO partners with the security, technical operations, legal, internal audit, engineering and product development teams to supervise both our cybersecurity program and our retained external cybersecurity consultants, and to stay informed on Okta’s security and the overall security landscape. Our current CSO brings over 20 years of cybersecurity and risk management experience to his work at Okta, having held numerous security leadership positions in highly-regulated industries such as finance. Prior to joining Okta, the CSO was Senior Vice President and Chief Security Officer at Symantec Corporation, a leading cybersecurity company, where he had global oversight responsibility for all cybersecurity and physical security programs. His experience delivering cybersecurity at scale extends internationally, and includes security and risk management roles at companies in Australia, the United Kingdom and the United States. Our security team includes individuals with experience across a broad range of cybersecurity areas, including product security; cloud security; infrastructure security; security monitoring and incident response; identity and access management; vulnerability management; and governance, risk and compliance.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security and technical personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our technical environment.