|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 16K. Cybersecurity
Cyber-attacks are prevalent in the internet and technology sector in which we operate. Supervised by the audit committee, our experienced management team is responsible for identifying, assessing and mitigating cybersecurity risks. Our overall approach aims to address cybersecurity risks collaboratively and through a cross-function approach as part of our broader risk management process, with a particular focus on safeguarding the confidentiality of end-user information with which we have been entrusted. This involves identifying, preventing, and mitigating cybersecurity threats, as well as promptly and effectively responding to any cybersecurity incidents that may arise.
We employ a variety of strategies and measures to identify, assess and mitigate cybersecurity risks. Cybersecurity is the shared responsibility of our Security team, Global IT and various product teams. Our Security team promulgates security and data protection standards in the form of our Security Policy and related documents. Global IT maintains our network infrastructure, manages our hosting providers and supervises use of third-party information systems in accordance with our security standards. Our product teams design and operate software applications in accordance with our standards, each maintaining a “security champion” as point of contact for security related topics. For example:
a. Development Practices: Our Security team promulgates a Product Security Standard and related guidelines under our Security Policy. Product teams are expected to adhere to the standard by conducting the required security reviews by security champions, as well as automated scanning and product monitoring. The standard also provides instructions on secure development best practices and the implementation of security requirements in our software applications.
b. Infrastructure Security: Our Security team promulgates an Information Security Standard under our Security Policy. Global IT and other stakeholders are expected to implement the standard’s requirements relating to network access controls, password and authentication, and endpoint security. The standard also generally requires that the third-party collocation centers we use have a valid ISO 27001 certificate and that our servers are placed in special access zones.
c. Security Audits: The Security team’s security engineers conduct periodic audits of significant new and changed infrastructure elements, as well as risk assessments of new third-party service providers. We have a security-risk exception process where minor risks can be accepted by security team members and bigger risks require a business owner's approval. Security exceptions are regularly monitored and reviewed at least quarterly by the Security team. We have not engaged assessors, consultants, auditors, or other third parties in connection with any such processes.
d. Penetration Testing: Our Security team conducts penetration testing of systems and leverages external resources, including retaining a security consultant and maintaining an active bug bounty program which encourages white hat hackers to identify and report to us security vulnerabilities in our systems.
e. Security Training: Our Security team periodically provides security awareness training to our employees, educating them about common cybersecurity risks, phishing attacks, social engineering tactics, and safe online practices. Select staff and team members are also provided incident response training to educate them on the proper procedures for handling security incidents when they occur.
Despite the measures we have taken to protect our systems, our systems have in some cases been breached in the past and we cannot guarantee that, despite our reasonable efforts, they will not be breached again in the future.
Board Oversight
Pursuant to its charter, our audit committee has been delegated responsibility for discussing risk assessment and risk management with our management, as well as the actions management has taken to limit, monitor or control risk exposures, including with respect to cybersecurity threats. Management presents risk management issues to the audit committee on a quarterly basis. The audit committee is responsible for ensuring that our management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Our Board of Directors also includes additional directors with extensive experience in the internet and technology sector. See “Item 6. Directors, Senior Management and Employees.” For example, Director James Liu sits on our audit committee and has over 20 years of experience in internet and technologies companies and holds a bachelor’s degree in computer science from Shanghai Jiao Tong University. The work of the audit committee is reported to our board on a quarterly basis.
Management’s Role
Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, and putting in place appropriate mitigation measures. The Opera Risk Management Standard describes our approach to identifying, assessing, and mitigating risks in general, including cybersecurity risks in particular. Our management works collaboratively to implement risk management standards and reports prompt and timely information to our audit committee regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident when appropriate.
Our VP of Group IT, Mr. Krystian Zubel, owns Opera’s security program and is appointed as the risk owner for cybersecurity, providing periodic reporting on cybersecurity topics to management. Mr. Zubel manages our Global IT and Security teams and has 20 years of industry experience, as well as a master’s degree in computer science specializing in computer networks and systems from Wroclaw University of Science and Technology. Mr. Zubel has been managing Opera IT projects related to critical infrastructure at Opera for over a decade and reports directly to our Co-CEO, Mr. Lin Song, who sits on our Board of Directors, has a bachelor’s degree in information systems from the University of International Business and Economics, and has worked for our group for over 20 years serving in various technical and leadership roles. Mr. Zubel works closely with other members of our management team on cybersecurity issues, including in particular our EVP of Browsers, Mr. Krystian Kolondra. Mr. Kolondra has worked at Opera for over 18 years and has a master's degree in computer sciences from the University of Wroclaw.
Material Incidents
Cybersecurity incidents, as well as data breaches, are reported in our internal ticketing system and handled in accordance with our Incident Management Procedure. In accordance with the procedure, incidents must be promptly classified and mitigated by the incident owner based on severity. Relevant product and IT teams, together with the Security team, conduct a post-mortem analysis of all incidents to document mitigation, lessons learned, and future actions to prevent a recurrence. Incidents categorized as critical (including any personal data breach or incidents with potentially material effects) are reported within 12 hours of classification to our Co-CEO, General Counsel and CFO for materiality assessment and, where appropriate, reporting to our audit committee.
Over the past financial year, cybersecurity threats or incidents have not materially affected or are not reasonably likely to affect us, including our business strategy, results of operations or financial condition, but we cannot provide assurance that we will not be materially affected by any such risks, threats or incidents in the future.
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board Oversight
Pursuant to its charter, our audit committee has been delegated responsibility for discussing risk assessment and risk management with our management, as well as the actions management has taken to limit, monitor or control risk exposures, including with respect to cybersecurity threats. Management presents risk management issues to the audit committee on a quarterly basis. The audit committee is responsible for ensuring that our management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Our Board of Directors also includes additional directors with extensive experience in the internet and technology sector. See “Item 6. Directors, Senior Management and Employees.” For example, Director James Liu sits on our audit committee and has over 20 years of experience in internet and technologies companies and holds a bachelor’s degree in computer science from Shanghai Jiao Tong University. The work of the audit committee is reported to our board on a quarterly basis.
Management’s Role
Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, and putting in place appropriate mitigation measures. The Opera Risk Management Standard describes our approach to identifying, assessing, and mitigating risks in general, including cybersecurity risks in particular. Our management works collaboratively to implement risk management standards and reports prompt and timely information to our audit committee regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident when appropriate.
Our VP of Group IT, Mr. Krystian Zubel, owns Opera’s security program and is appointed as the risk owner for cybersecurity, providing periodic reporting on cybersecurity topics to management. Mr. Zubel manages our Global IT and Security teams and has 20 years of industry experience, as well as a master’s degree in computer science specializing in computer networks and systems from Wroclaw University of Science and Technology. Mr. Zubel has been managing Opera IT projects related to critical infrastructure at Opera for over a decade and reports directly to our Co-CEO, Mr. Lin Song, who sits on our Board of Directors, has a bachelor’s degree in information systems from the University of International Business and Economics, and has worked for our group for over 20 years serving in various technical and leadership roles. Mr. Zubel works closely with other members of our management team on cybersecurity issues, including in particular our EVP of Browsers, Mr. Krystian Kolondra. Mr. Kolondra has worked at Opera for over 18 years and has a master's degree in computer sciences from the University of Wroclaw.
Material Incidents
Cybersecurity incidents, as well as data breaches, are reported in our internal ticketing system and handled in accordance with our Incident Management Procedure. In accordance with the procedure, incidents must be promptly classified and mitigated by the incident owner based on severity. Relevant product and IT teams, together with the Security team, conduct a post-mortem analysis of all incidents to document mitigation, lessons learned, and future actions to prevent a recurrence. Incidents categorized as critical (including any personal data breach or incidents with potentially material effects) are reported within 12 hours of classification to our Co-CEO, General Counsel and CFO for materiality assessment and, where appropriate, reporting to our audit committee.
Over the past financial year, cybersecurity threats or incidents have not materially affected or are not reasonably likely to affect us, including our business strategy, results of operations or financial condition, but we cannot provide assurance that we will not be materially affected by any such risks, threats or incidents in the future.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Pursuant to its charter, our audit committee has been delegated responsibility for discussing risk assessment and risk management with our management, as well as the actions management has taken to limit, monitor or control risk exposures, including with respect to cybersecurity threats. Management presents risk management issues to the audit committee on a quarterly basis. The audit committee is responsible for ensuring that our management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, and putting in place appropriate mitigation measures.
|Cybersecurity Risk Role of Management [Text Block]
|The audit committee is responsible for ensuring that our management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our VP of Group IT, Mr. Krystian Zubel, owns Opera’s security program and is appointed as the risk owner for cybersecurity, providing periodic reporting on cybersecurity topics to management.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Director James Liu sits on our audit committee and has over 20 years of experience in internet and technologies companies and holds a bachelor’s degree in computer science from Shanghai Jiao Tong University. The work of the audit committee is reported to our board on a quarterly basis.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our management works collaboratively to implement risk management standards and reports prompt and timely information to our audit committee regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident when appropriate.