Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | The Company has cybersecurity risk management processes in place to identify, assess, and manage material risks from cybersecurity threats to protect the confidentiality, integrity, and availability of our IT systems and information. The Company’s risk assessment process also includes an established process of due diligence for third-party suppliers, assessing potential privacy and security risks occurring both before and after integration. Our cybersecurity risk management process is part of the Company’s overall enterprise risk management ("ERM") process. We engaged an independent, third-party certified audit firm to perform a comprehensive cybersecurity assessment based on the National Institute of Standards and Technology cybersecurity framework. We continuously perform independent IT security assessments of our key IT assets including web application and network infrastructure. The Company also performs continuous bug bounty programs focused on identifying and rectifying vulnerabilities on our key applications and has a centralized identity and provisioning management system. We are regularly conducting phishing simulations across our employees to provide “experiential learning” on how to recognize phishing attempt. We also manage employee devices through a centralized Mobile Device Management ("MDM"), allowing us to enforce policies within our network. MDM solutions also allow the Company to remotely configure settings, deploy apps, enforce security protocols, and monitor device usage. Employee devices are also protected against malicious activities and threats through the deployment of an automated and behavior-based Endpoint Detection and Response ("EDR"). Additionally, our engineering teams leverage advanced security tools to identify and address potential security issues during the build and deployment process. We maintain a dedicated Security Operations Center ('SOC') that provides continuous, 24/7 monitoring and response capabilities. The SOC is designed to identify and mitigate potential threats through proactive vulnerability management and the ongoing assessment of the cybersecurity threat landscape to prevent unauthorized access to our systems and data. On also maintain engagements with third-party cybersecurity experts to ensure immediate access to forensic and technical support for the remediation of significant security incidents. While On maintains cybersecurity insurance, coverage may not fully mitigate all financial impacts associated with cybersecurity threats or disruptions. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cybersecurity incident would not materially affect our business strategy, results of operations or financial conditions For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition, refer to Item 3.D, "Risk Factors," in this Annual Report, including the risk factor titled “A security breach, including a cybersecurity incident or other disruption to our IT systems could result in adverse effects on the confidentiality, integrity, or availability of our IT systems or any information residing therein, including the loss, theft, misuse, unauthorized disclosure, or unauthorized access of customer, supplier, or sensitive company information or could disrupt our operations. Such cybersecurity threats could damage our relationships with customers, suppliers or employees, expose us to litigation or regulatory proceedings, or harm our reputation, any of which could materially adversely affect our business strategy, financial condition or results of operations.”
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | The Company has cybersecurity risk management processes in place to identify, assess, and manage material risks from cybersecurity threats to protect the confidentiality, integrity, and availability of our IT systems and information. The Company’s risk assessment process also includes an established process of due diligence for third-party suppliers, assessing potential privacy and security risks occurring both before and after integration. Our cybersecurity risk management process is part of the Company’s overall enterprise risk management ("ERM") process.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | While every individual at the Company contributes to managing cybersecurity risks, our board of directors is responsible for overseeing our ERM activities, including material risks related to cybersecurity threats. The board of directors receives an update on the Company’s ERM process and the risk trends related to cybersecurity at least annually. To help ensure effective oversight, the board of directors also receives reports on information security and cybersecurity from the Chief Technology Officer ("CTO") periodically throughout the year. On's CTO is responsible for the assessment and management of material risks from cybersecurity threats, sits on the Company's senior leadership board and reports directly to On's CEO and CFO. The Company's information security function, which reports directly to our CTO, performs ongoing assessments to identify and mitigate cybersecurity threats. Our information security function has the required expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience. The CTO and information security function also monitor the prevention, detection, and remediation of cybersecurity incidents and work closely with the Company's ERM team to ensure a consistent risk management process. This includes periodic reporting to the extended founder team, board of directors, and to the Company's group reporting team when any cybersecurity incidents identified are deemed material.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | While every individual at the Company contributes to managing cybersecurity risks, our board of directors is responsible for overseeing our ERM activities, including material risks related to cybersecurity threats. The board of directors receives an update on the Company’s ERM process and the risk trends related to cybersecurity at least annually. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | To help ensure effective oversight, the board of directors also receives reports on information security and cybersecurity from the Chief Technology Officer ("CTO") periodically throughout the year. |
| Cybersecurity Risk Role of Management [Text Block] | On's CTO is responsible for the assessment and management of material risks from cybersecurity threats, sits on the Company's senior leadership board and reports directly to On's CEO and CFO. The Company's information security function, which reports directly to our CTO, performs ongoing assessments to identify and mitigate cybersecurity threats. Our information security function has the required expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience. The CTO and information security function also monitor the prevention, detection, and remediation of cybersecurity incidents and work closely with the Company's ERM team to ensure a consistent risk management process. This includes periodic reporting to the extended founder team, board of directors, and to the Company's group reporting team when any cybersecurity incidents identified are deemed material.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | CTO |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our information security function has the required expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The CTO and information security function also monitor the prevention, detection, and remediation of cybersecurity incidents and work closely with the Company's ERM team to ensure a consistent risk management process. This includes periodic reporting to the extended founder team, board of directors, and to the Company's group reporting team when any cybersecurity incidents identified are deemed material.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |