Udemy, Inc. - (UDMY)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are subject to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Vice President of Information Technology (“VP of IT”), who reports to our Chief Financial Officer, and our Vice President, Engineering Infrastructure & Security (“VP of Engineering”), who reports to our Chief Technology Officer, to manage the risk assessment and mitigation process. Our VP of IT and our VP of Engineering each have over 20 years of industry experience, including serving in similar roles overseeing cybersecurity programs at other companies. In addition, our VP of Engineering has been a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM) and has been Certified in Risk and Information Systems Control (CRISC) for over a decade.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with our Legal, Information Security, and Information Technology Departments and management. Personnel at all levels and departments are made aware of our cybersecurity policies through required trainings.
We engage outside consultants in connection with our risk assessment processes. These service providers assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We require third-party service providers to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of their security measures that may affect our company.
For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” including the risk factor entitled “Risks related to technology, privacy, and cybersecurity: A cybersecurity attack or other security breach or incident could delay or interrupt service to our learners, instructors, and UB customers, harm our reputation or subject us to significant liability” in this annual report on Form 10-K.
Governance
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in risk oversight. The Audit Committee directly assists the Board in its oversight of cybersecurity risk. The Audit Committee receives updates at least twice a year from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, control maturity assessments, and relevant internal and industry cybersecurity incidents.
Our VP of IT, our VP of Engineering and our Risk Committee, consisting of our executive leadership team, are responsible for overseeing our cybersecurity risk management processes. The processes by which our VP of IT, our VP of Engineering and our Risk Committee are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include direct engagement with the security team by our VP of IT and VP of Engineering, as well as our incident reporting process. Under our incident reporting process, cybersecurity incidents are reported, and then reviewed by senior members of our information security, internal audit and legal departments, who then evaluate and, if appropriate, escalate any incidents immediately to our Audit Committee.