CLEANSPARK, INC. 10-K Cybersecurity GRC - 2024-12-03

Page last updated on December 3, 2024

CLEANSPARK, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-03 12:19:49 EST.

Filings

10-K filed on 2024-12-03

CLEANSPARK, INC. filed a 10-K at 2024-12-03 12:19:49 EST
Accession Number: 0000950170-24-132565


Item 1C. Cybersecurity.

Cybersecurity risk may adversely impact our business. The impact could include weakened financial condition, litigation risk, degrading mining operations, loss of competitiveness, fraud, extortion, harm to employees, violation of applicable privacy or other regulations that could result in regulatory action and fines.

We have developed and implemented a cybersecurity program to manage the confidentiality, integrity and availability of our data and information systems that support our business. The program is aligned with the National Institute of Standards and Technology Cybersecurity Framework 2.0 and is integrated into our overall risk management program. It is designed to develop appropriate strategies for preserving the confidentiality, integrity and availability of our data and information systems that can evolve with the changing cybersecurity threat landscape.

We have implemented policies, procedures and technological tools to prevent, detect and mitigate cybersecurity risks posed by third parties. We use third party providers to help us consistently monitor and evaluate our cybersecurity program and performance through actions that include hiring a contract Chief Information Security Officer (“CISO”) with decades of cybersecurity experience to help manage our program. We also use industry standard technology tools including vulnerability scans, penetration tests, firewalls, endpoint detection and threat intelligence.

A written cybersecurity incident response plan that we tabletop yearly and cybersecurity insurance are also important pillars in our approach to managing the risk of a cyber event. Our incident response plan contains a materiality analysis framework based on Federal Information Processing Standards Publication 199. This materiality framework allows us to identify and classify cybersecurity events based on their impact to our data or information systems. This framework will assist us in expediting review of cyber events for materiality purposes that could require disclosure to the SEC.

We have implemented a third party risk management policy that categorizes the cybersecurity risk posed by third party vendors along with the type of cybersecurity controls we may require of those vendors. These may include employee training, cybersecurity tools like multi-factor authentication, and contractual requirements that vendors maintain appropriate technical, administrative and physical cybersecurity controls. This is in addition to the policies and practices we maintain to monitor access of our information systems and data using our internal staff and third party vendors. As part of communicating the importance of cybersecurity at an enterprise wide level, we require that all company employees participate in annual cybersecurity training.

Governance

Our IT Steering and Risk Committee (“ITSRC”) has been delegated the responsibility for managing cybersecurity risk for the company. This committee is chaired by our Chief Technology Officer and includes a diverse cross section of company stakeholders including the Senior IT Manager, General Counsel, VP of Organizational Development and a member of our Third Party Audit team. As of July 1, 2024, we added an outsourced virtual CISO who is a key advisor to the ITSRC, specifically for his decades of expertise in managing and maturing a cybersecurity program that includes mitigation, incident prevention, detection and remediation disciplines. The ITSRC meets at least semi-annually to assess our approach to evolving cybersecurity threats and its impact on our cybersecurity program. The ITSRC is also responsible for maintaining and monitoring legal and regulatory requirements and compliance as well as oversight of the adequacy of company cyber insurance. Our third party security vendors, in collaboration with our Senior IT Manager, keep the ITSRC apprised of efforts surrounding the prevention, detection, mitigation and remediation of any cyber threats or cybersecurity incidents.

The Board of Directors (the “Board”) is entrusted with the oversight of the management of cybersecurity risk and our cybersecurity program. The Board administers this oversight through its audit committee and the ITSRC. The ITSRC committee chair is responsible for reporting to the Board’s audit committee with respect to cybersecurity at least twice per calendar year. The audit committee, as necessary, reports any findings and recommendations to the Board. As cyber threats evolve and as our cybersecurity program matures, the Board will consider further developing specific cybersecurity oversight functions and protocols.

For more information on our cybersecurity related risks, see Part I, Item 1A. “Risk Factors” of this Annual Report on Form 10-K.


Company Information

Name: CLEANSPARK, INC.
CIK: 0000827876
SIC Description: Finance Services
Ticker: CLSK - Nasdaq; CLSKW - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: September 29