|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company has cybersecurity risk management processes in place to identify, assess, and manage material risks from cybersecurity threats to protect the confidentiality, integrity, and availability of our IT systems and information. The Company’s risk assessment process also includes an established process of due diligence for third-party suppliers, assessing potential privacy and security risks occurring both before and after integration. Our cybersecurity risk management process is part of the Company’s overall enterprise risk management ("ERM") process.
We engaged an independent IT auditor to perform a cybersecurity assessment based on the National Institute of Standards and Technology cybersecurity framework. We continue to engage IT consultants to perform independent IT security assessments of our key IT assets inclusive of web application and network infrastructure. The Company also performs continuous bug bounty programs focused on identifying and rectifying vulnerabilities on our key applications and has a centralized identity and provisioning management system. Employees are assessed and trained on a monthly basis via the performance of phishing simulations to provide “experiential learning” on how to recognize phishing attempts. We also manage employee devices through a centralized Mobile Device Management ("MDM"), allowing us to secure and enforce policies within our network. MDM solutions also allow the Company to remotely configure settings, deploy apps, enforce security protocols, and monitor device usage. Employee devices are also protected against malicious activities and threats. Additionally, our engineering teams leverage advanced security tools to identify and address potential security issues during the build and deployment process.
While On maintains cybersecurity insurance, coverage may not fully mitigate all financial impacts associated with cybersecurity threats or disruptions. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cybersecurity incident would not materially affect our business strategy, results of operations or financial conditions.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition, refer to Item 3.D, "Risk Factors," in this Annual Report, including the risk factor titled “A security breach, including a cybersecurity incident or other disruption to our IT systems could result in adverse effects on the confidentiality, integrity, or availability of our IT systems or any information residing therein, including the loss, theft, misuse, unauthorized disclosure, or unauthorized access of customer, supplier, or sensitive company information or could disrupt our operations. Such cybersecurity threats could damage our relationships with customers, suppliers or employees, expose us to litigation or regulatory proceedings, or harm our reputation, any of which could materially adversely affect our business strategy, financial condition or results of operations.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company has cybersecurity risk management processes in place to identify, assess, and manage material risks from cybersecurity threats to protect the confidentiality, integrity, and availability of our IT systems and information. The Company’s risk assessment process also includes an established process of due diligence for third-party suppliers, assessing potential privacy and security risks occurring both before and after integration. Our cybersecurity risk management process is part of the Company’s overall enterprise risk management ("ERM") process.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
While every individual at the Company contributes to managing cybersecurity risks, our board of directors is responsible for overseeing our ERM activities, including material risks related to cybersecurity threats. The board of directors receives an update on the Company’s ERM process and the risk trends related to cybersecurity at least annually. To help ensure effective oversight, the board of directors also receives reports on information security and cybersecurity from the Chief Technology Officer ("CTO") periodically throughout the year.
On's CTO is responsible for the assessment and management of material risks from cybersecurity threats, sits on the Company's senior leadership board and reports directly to our Co-CEO, CFO. The Company's information security function, which reports directly to our CTO, performs ongoing assessments to identify and mitigate cybersecurity threats. Our information security function has the required expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience. The CTO and information security function also monitor the prevention, detection, and remediation of cybersecurity incidents and work closely with the Company's ERM team to ensure a consistent risk management process. This includes periodic reporting to the extended founder team, board of directors, and to the Company's group reporting team when any cybersecurity incidents identified are deemed material.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|While every individual at the Company contributes to managing cybersecurity risks, our board of directors is responsible for overseeing our ERM activities, including material risks related to cybersecurity threats. The board of directors receives an update on the Company’s ERM process and the risk trends related to cybersecurity at least annually.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|To help ensure effective oversight, the board of directors also receives reports on information security and cybersecurity from the Chief Technology Officer ("CTO") periodically throughout the year.
|Cybersecurity Risk Role of Management [Text Block]
|
On's CTO is responsible for the assessment and management of material risks from cybersecurity threats, sits on the Company's senior leadership board and reports directly to our Co-CEO, CFO. The Company's information security function, which reports directly to our CTO, performs ongoing assessments to identify and mitigate cybersecurity threats. Our information security function has the required expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience. The CTO and information security function also monitor the prevention, detection, and remediation of cybersecurity incidents and work closely with the Company's ERM team to ensure a consistent risk management process. This includes periodic reporting to the extended founder team, board of directors, and to the Company's group reporting team when any cybersecurity incidents identified are deemed material.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|CTO
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our information security function has the required expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CTO and information security function also monitor the prevention, detection, and remediation of cybersecurity incidents and work closely with the Company's ERM team to ensure a consistent risk management process. This includes periodic reporting to the extended founder team, board of directors, and to the Company's group reporting team when any cybersecurity incidents identified are deemed material.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true