KALTURA INC - (KLTR)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Kaltura has developed and implemented a cybersecurity risk management program, intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We aim to be proactive in our approach to cybersecurity, with our practices informed by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This approach aids us in identifying and managing cyber risks in a manner that aligns with our business operations. While the NIST CSF serves as a guiding framework to help us identify, assess, and manage cybersecurity risks, this does not imply we adopt a blanket adherence to its standards and requirements in all respects. Our cybersecurity risk management program is further informed by the industry-recognized certifications we have obtained through comprehensive third-party evaluations, including ISO/IEC 27001, ISO 27701, ISO 27799, ISO 22301, SOC 2 Type 2, and SOC 3.
Our cybersecurity risk management program is integrated into the broader scope of Kaltura's enterprise risk management framework, including processes for managing risks, from legal and compliance to strategic, operational, and financial threats, through shared methodologies, reporting channels, and governance processes.
Key elements of our cybersecurity risk management program encompass:
a. Risk Assessments: A risk assessment process to identify and evaluate material cybersecurity threats to our systems, data, products, services, and overall IT environment.
b. Security Team Expertise: Our security team, led by our Chief Information Security Officer (CISO), who oversees our cybersecurity risk assessments, the implementation of security controls, and the coordination of our incident response efforts.
c. External Collaboration: We engage with external service providers, where appropriate, for assessing and testing our security processes and controls.
d. Cybersecurity Awareness Training: Security awareness and training programs for our employees.
e. Incident Response Preparedness: Our incident response plan outlines our approach to addressing and responding to cybersecurity incidents and to findings, vulnerabilities and incidents that could lead to or allegedly be suspected as cybersecurity incidents.
f. Third-Party Risk Management: A process for evaluating and managing the risks associated with our service providers, suppliers, and vendors who access our critical systems and data.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – Risks Related to Information Technology, Intellectual Property and Data Privacy and Security” - "A real or perceived bug, defect, security vulnerability, error, or other performance failure involving our platform, products or solutions could cause us to lose revenue, damage our reputation, and expose us to liability." and "If we or our third-party service providers experience a security breach, data loss or other compromise, including if unauthorized parties obtain access to our customers’ data, our reputation may be harmed, demand for our platform, products and solutions may be reduced, and we may incur significant liabilities."
Cybersecurity Governance
Cybersecurity risk is a critical aspect of our Board of Directors' risk oversight function. The Board has entrusted the Audit Committee with the oversight of cybersecurity and other IT-related risks. This committee monitors the execution of our cybersecurity risk management program.

Regular briefings are provided to the Audit Committee by management, regarding the cybersecurity risk landscape and any significant cybersecurity incidents. These updates are then relayed to the full Board as deemed necessary by the Audit Committee. Our management team also receives regular internal briefings.
Board members are regularly educated on cybersecurity issues through presentations from our Chief Information Security Officer (CISO) and internal security team. External experts may also be consulted to provide additional insights or reports when necessary.
Our management team, including the CISO, Data Privacy Officer (DPO), Chief Customer Officer (CCO) and Chief Product Officer (CPO), is responsible for the assessment and mitigation of cybersecurity threats and overseeing both our internal security personnel and external cybersecurity consultants. Our management team’s cumulative experience includes decades working in cybersecurity and information security, including in the government and public and private companies, and overseeing risk management generally. Among other things, our CISO is a graduate of the Technion’s Information Security Program as a Technion Certified CISO and brings vast experience as a former Security Specialist in the U.S. Department of State, Senior Lead Information Security Architect at one of the leading Israeli banks, and Head of Cyber Architecture, Engineering & Research Group at one of the leading Israeli Aerospace & Defense companies. The team reporting to our CISO further includes experienced specialists in the area of Cyber Forensics and Counterterrorism and Network Security Engineers holding B.S. Computer Science Degrees and other relevant certifications.