|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management Strategy And Governance [Abstract]
|Cybersecurity Risk Management Processes For Assessing Identifying And Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to our employees, customers or third-party vendors and service providers and violation of data privacy or security laws.
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through our cybersecurity risk management program, which includes third-party assessments, internal IT audits conducted by our Audit Committee and IT security, governance, risk and compliance reviews.
We have implemented a multi-layered cybersecurity approach which includes three primary elements: perimeter and intra-network defense, proactive monitoring and security training. We have in place safety and security measures designed to protect our systems against cybersecurity incidents. Our measures for assessing, identifying and managing material risks from cybersecurity threats and security incidents include:
We have also implemented incident response and breach management policies and procedures. Such incident response processes are overseen by leaders from our Information Security, Product Security, Compliance and Legal teams regarding matters of cybersecurity. As part of these processes, we engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.
Our risk management program also assesses third-party cybersecurity risks and threats. We perform third-party risk assessments to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Such cybersecurity risks are evaluated when selecting and overseeing applicable third-party service providers and potential fourth-party risks that may handle and/or process our employee, business or customer data. Our evaluations include security questionnaires and legal review and oversight of contracts, including, but not limited to, contractual clauses related to cybersecurity and data privacy. In addition to new vendor onboarding, we have procedures in place to perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents. Although we have continued to invest in our due diligence, onboarding, and monitoring capabilities over critical third parties with whom we do business, including our third-party vendors and service providers, our control over the security posture of, and ability to monitor the cybersecurity practices of, such third parties remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. When we do become aware that a third-party vendor or service provider has experienced such compromise or failure, we attempt to mitigate our risk, including by terminating such third party’s connection to our information systems and networks where appropriate.
For a description of how risks from cybersecurity threats and security incidents could materially affect us, including our business strategy, results of operations or financial condition, see the sections titled “Item 3.D. Key Information—Risk Factors—Risks Related to Data Privacy and Security, Information Technology, and Intellectual Property—We rely significantly on the use of information technology, including technology provided by third-party service providers. Any failure, error, defect, inadequacy, interruption, or data breach or other security incident of our information technology systems, or those of our third-party service providers, could have an adverse effect on our business, reputation, financial condition, and results of operations” and “Item 3.D. Key Information—Risk Factors—Risks Related to Data Privacy and Security, Information Technology, and Intellectual Property—If sensitive or personal information about our customers is disclosed, or if we or our third-party service providers are subject to real or perceived cyberattacks or other security incidents, our customers may curtail use of our website, we may be exposed to liability and our reputation could suffer,” which are incorporated by reference into this Item 16.K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through our cybersecurity risk management program, which includes third-party assessments, internal IT audits conducted by our Audit Committee and IT security, governance, risk and compliance reviews.
We have implemented a multi-layered cybersecurity approach which includes three primary elements: perimeter and intra-network defense, proactive monitoring and security training. We have in place safety and security measures designed to protect our systems against cybersecurity incidents. Our measures for assessing, identifying and managing material risks from cybersecurity threats and security incidents include:
We have also implemented incident response and breach management policies and procedures. Such incident response processes are overseen by leaders from our Information Security, Product Security, Compliance and Legal teams regarding matters of cybersecurity. As part of these processes, we engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight And Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board Of Directors Oversight [Text Block]
|
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and responses to incidents, should they arise. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Security, Technology and Legal teams, collectively known as the Security and Privacy Committee, regarding matters of cybersecurity. The Chief Technology Officer communicates this information to the Audit Committee on behalf of the Security and Privacy Committee. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Security, Technology and Legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items. The key management committee responsible for assessing and managing material risks from cybersecurity threats is the Security and Privacy Committee, which includes among others, Niv Price (Chief Technology Officer) and Dr. Omer Shwartz (Vice President of Information Security). Before joining Oddity, Mr. Price co-founded and served as director and Chief Executive Officer of Voyage81 and prior to that served for over 20 years in the Intelligence Directorate of the Israeli Defense Forces in various technological and managerial positions. Mr. Price holds an M.Sc. in Electrical Engineering from Tel Aviv University and a Masters in Public Administration from Harvard University. Dr. Shwartz holds a PhD in Information Systems Engineering and Cybersecurity and has over 13 years of industry experience.
|Cybersecurity Risk Board Committee Or Subcommittee Responsible For Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process For Informing Board Committee Or Subcommittee Responsible For Oversight [Text Block]
|Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and responses to incidents, should they arise. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Security, Technology and Legal teams, collectively known as the Security and Privacy Committee, regarding matters of cybersecurity. The Chief Technology Officer communicates this information to the Audit Committee on behalf of the Security and Privacy Committee. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
|Cybersecurity Risk Role Of Management [Text Block]
|The key management committee responsible for assessing and managing material risks from cybersecurity threats is the Security and Privacy Committee, which includes among others, Niv Price (Chief Technology Officer) and Dr. Omer Shwartz (Vice President of Information Security). Before joining Oddity, Mr. Price co-founded and served as director and Chief Executive Officer of Voyage81 and prior to that served for over 20 years in the Intelligence Directorate of the Israeli Defense Forces in various technological and managerial positions. Mr. Price holds an M.Sc. in Electrical Engineering from Tel Aviv University and a Masters in Public Administration from Harvard University. Dr. Shwartz holds a PhD in Information Systems Engineering and Cybersecurity and has over 13 years of industry experience.
|Cybersecurity Risk Management Positions Or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions Or Committees Responsible [Text Block]
|Niv Price (Chief Technology Officer) and Dr. Omer Shwartz (Vice President of Information Security)
|Cybersecurity Risk Management Expertise Of Management Responsible [Text Block]
|Before joining Oddity, Mr. Price co-founded and served as director and Chief Executive Officer of Voyage81 and prior to that served for over 20 years in the Intelligence Directorate of the Israeli Defense Forces in various technological and managerial positions. Mr. Price holds an M.Sc. in Electrical Engineering from Tel Aviv University and a Masters in Public Administration from Harvard University. Dr. Shwartz holds a PhD in Information Systems Engineering and Cybersecurity and has over 13 years of industry experience.
|Cybersecurity Risk Process For Informing Management Or Committees Responsible [Text Block]
|Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Security, Technology and Legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.
|Cybersecurity Risk Management Positions Or Committees Responsible Report To Board [Flag]
|true