Risk management and strategy

We rely on our information technology to operate our business. We have policies and processes designed to protect our information technology systems, some of which are managed by third parties, and resolve issues in a timely manner in the event of a cybersecurity threat or incident.

As part of our broader risk management framework, we have identified the potential cybersecurity risks to our business and implemented structured controls to mitigate them. Our business applications and hosting services are designed to minimize the impact of cybersecurity incidents, with designated backup systems in place where necessary.

We maintain an information security management system aligned with ISO 27001 standards (“ISO”), which supports a structured approach to managing cybersecurity risks and aligning with industry best practices. Our controls include administrative, technical, and operational measures such as monitoring and detection activities, anti-malware and endpoint protection solutions, employee training, and periodic third-party assessments.

We have a Cybersecurity Incident Response Plan (CIRP) that defines roles, responsibilities, and reporting mechanisms, as well as a structured incident response process covering preparation, detection, response, documentation, and post-incident analysis. This plan outlines possible cybersecurity threats and response measures for incidents such as denial-of-service attacks, malicious code attacks, website defacement, data corruption, and data leakage. In addition, we maintain a Business Continuity Plan (BCP) in accordance with ISO to ensure operational resilience, including detailed continuity procedures, system restoration timeframes, and recovery strategies for various scenarios.

To address cybersecurity risks associated with third-party service providers, we have established procedures, policies, and tools for identifying, assessing, and mitigating potential threats. This process begins with a third-party risk assessment, which is performed prior to onboarding service providers and updated as needed. Our Information Security Guidelines for Suppliers ensure compliance with security standards, while our Access Control Policies regulate third-party access to sensitive systems, and our Cloud System Information Security Procedures govern data security in cloud environments. We also engage third-party consultants to assist in designing and enhancing our cybersecurity risk management framework, including penetration testing and continuous threat monitoring.

To date, we are not aware of any cybersecurity incidents that have had or are reasonably likely to have a material adverse effect on our business strategy, results of operations, or financial condition.

Governance

Our Board of Directors has oversight responsibility for cybersecurity risk as part of its broader oversight of the Company’s enterprise risk management. The Board of Directors periodically reviews and discusses with management the Company’s policies, practices and risks related to information security and cybersecurity.

Management is responsible for the day-to-day assessment and management of cybersecurity risk. Our Chief Financial Officer has primary responsibility for coordinating cybersecurity risk management efforts, reflecting the centralized oversight of enterprise risk, financial reporting systems, and compliance functions. Leaders of our Ondas Networks and OAS segments, along with the Chief Financial Officer, meet regularly to assess cybersecurity risks, identify emerging threats, and evaluate the effectiveness our risk management framework. The Chief Financial Officer provides updates to the Board of Directors regarding cybersecurity risks as appropriate. Our incident response plan includes escalation procedures, including notifying the Board of Directors of any material threats or incidents as they arise. While these members of senior management do not possess formal cybersecurity certifications, their experience managing the Company, together with consultation and coordination with internal and third-party information technology specialists, enables them to effectively oversee and manage material cybersecurity risks.

Cybersecurity risk management is further supported by a dedicated Chief Information Officer, who oversees the information security components of the Company’s cybersecurity framework. The Chief Information Officer has over 20 years of relevant expertise in information security, risk assessments, business continuity planning, and the development and implementation of information security policies and procedures, and holds professional trainings and certifications relevant to information security and ISO compliance.

This structured approach is designed to support the Company’s cybersecurity governance and aligns with industry practices.

Governance

Our Board of Directors has oversight responsibility for cybersecurity risk as part of its broader oversight of the Company’s enterprise risk management. The Board of Directors periodically reviews and discusses with management the Company’s policies, practices and risks related to information security and cybersecurity.

Management is responsible for the day-to-day assessment and management of cybersecurity risk. Our Chief Financial Officer has primary responsibility for coordinating cybersecurity risk management efforts, reflecting the centralized oversight of enterprise risk, financial reporting systems, and compliance functions. Leaders of our Ondas Networks and OAS segments, along with the Chief Financial Officer, meet regularly to assess cybersecurity risks, identify emerging threats, and evaluate the effectiveness our risk management framework. The Chief Financial Officer provides updates to the Board of Directors regarding cybersecurity risks as appropriate. Our incident response plan includes escalation procedures, including notifying the Board of Directors of any material threats or incidents as they arise. While these members of senior management do not possess formal cybersecurity certifications, their experience managing the Company, together with consultation and coordination with internal and third-party information technology specialists, enables them to effectively oversee and manage material cybersecurity risks.

Cybersecurity risk management is further supported by a dedicated Chief Information Officer, who oversees the information security components of the Company’s cybersecurity framework. The Chief Information Officer has over 20 years of relevant expertise in information security, risk assessments, business continuity planning, and the development and implementation of information security policies and procedures, and holds professional trainings and certifications relevant to information security and ISO compliance.

This structured approach is designed to support the Company’s cybersecurity governance and aligns with industry practices.

Risk management and strategy

We rely on our information technology to operate our business. We have policies and processes designed to protect our information technology systems, some of which are managed by third parties, and resolve issues in a timely manner in the event of a cybersecurity threat or incident.

As part of our broader risk management framework, we have identified the potential cybersecurity risks to our business and implemented structured controls to mitigate them. Our business applications and hosting services are designed to minimize the impact of cybersecurity incidents, with designated backup systems in place where necessary.

We maintain an information security management system aligned with ISO 27001 standards (“ISO”), which supports a structured approach to managing cybersecurity risks and aligning with industry best practices. Our controls include administrative, technical, and operational measures such as monitoring and detection activities, anti-malware and endpoint protection solutions, employee training, and periodic third-party assessments.

We have a Cybersecurity Incident Response Plan (CIRP) that defines roles, responsibilities, and reporting mechanisms, as well as a structured incident response process covering preparation, detection, response, documentation, and post-incident analysis. This plan outlines possible cybersecurity threats and response measures for incidents such as denial-of-service attacks, malicious code attacks, website defacement, data corruption, and data leakage. In addition, we maintain a Business Continuity Plan (BCP) in accordance with ISO to ensure operational resilience, including detailed continuity procedures, system restoration timeframes, and recovery strategies for various scenarios.

To address cybersecurity risks associated with third-party service providers, we have established procedures, policies, and tools for identifying, assessing, and mitigating potential threats. This process begins with a third-party risk assessment, which is performed prior to onboarding service providers and updated as needed. Our Information Security Guidelines for Suppliers ensure compliance with security standards, while our Access Control Policies regulate third-party access to sensitive systems, and our Cloud System Information Security Procedures govern data security in cloud environments. We also engage third-party consultants to assist in designing and enhancing our cybersecurity risk management framework, including penetration testing and continuous threat monitoring.

To date, we are not aware of any cybersecurity incidents that have had or are reasonably likely to have a material adverse effect on our business strategy, results of operations, or financial condition.