LIGHTBRIDGE Corp 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

LIGHTBRIDGE Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 17:00:26 EST.

Filings

10-K filed on 2025-03-03

LIGHTBRIDGE Corp filed a 10-K at 2025-03-03 17:00:26 EST
Accession Number: 0001477932-25-001404

Item 1C. Cybersecurity.

Risk Management and Strategy

Lightbridge utilizes third-party vendors to manage its Information Technology (IT) systems via a Managed Service Provider (MSP) for general administration of the IT process including providing a Virtual Chief Information Officer (vCIO). vCIO services include: (a) operational review, strategic planning, technology road-mapping; (b) development of a custom IT policy/handbook; and (c) reporting in accordance with the service level agreement and support commitment adherence data to Lightbridge via MSP’s Service Delivery Team. vCIO services also include the following:

· Providing operational oversight of IT functions
· Identify and help plan for improvements to Lightbridge’s overall infrastructure
· Assist with the management of technology vendors
· Act as a point of contact in emergency/systems down situations and liaison between Lightbridge and Dataprise resources
· Perform trend analysis and document recommendations to Lightbridge as needed.

Lightbridge also utilizes third-party vendors to manage its cybersecurity needs via a Managed Services Security Provider (MSSP). MSSP services include:

· Managed Security Services
· Email Phishing Simulations
· End User Security Awareness Training
· Dark Web Credential Monitoring
· Vulnerability Scanning
· Next-Generation Anti-Virus (“NGAV”)

We and our MSP/MSSP also utilize processes designed to reduce cybersecurity risk from a third-party vendor and technology. For example, we may conduct upfront diligence of the third-party’s cybersecurity, employ contracts that address cybersecurity risk, and monitor vendors’ compliance with their representations regarding cybersecurity.

The MSSP utilizes a Security Information and Event Management (SIEM) system to monitor the IT Infrastructure. The SIEM and other third-party security tools/applications provide reports that include but are not limited to endpoint protection, employee security scores, phishing reports, Dark Web scanning and vulnerability scanning.

The vCIO reports to our CFO. This vCIO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from other professionals in the industry, many of whom hold cybersecurity certifications, and through the use of technological tools and software and results from third-party audits. The vCIO issues quarterly reports and reports to the CFO, as appropriate, to provide updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.

The Company requires its employees and applicable contractors to take yearly cyber training courses and its employees and applicable contractors are also required to sign confidentiality agreements for purposes including ensuring cybersecurity.

We and our MSP/MSSP have established an incident response plan to assist with responding to cybersecurity incidents. The incident response plan includes our approach to identification, escalation, and restoration from incidents, such as engaging or informing third-party experts, law enforcement, and members of the Board of Directors, as appropriate.

Governance

The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to promote effective governance in managing risks associated with cybersecurity threats because Lightbridge recognizes the significance of these threats to our operational integrity and stakeholder confidence. Furthermore, significant cybersecurity matters such as significant cybersecurity incidents, and strategic risk management decisions are designed to be escalated to the Board of Directors, so that they have appropriate oversight and can provide guidance.

Board of Directors Oversight

The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including risk management, technology, and finance that helps equip them to oversee cybersecurity risks effectively. The Audit Committee conducts an annual review of the company’s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and aligning cybersecurity efforts with the overall risk management framework.

The CFO reports to the Audit Committee regarding cybersecurity risks and provides a comprehensive briefing to the Audit Committee on a regular basis as needed, with a minimum frequency of once per year. The CFO also maintains an ongoing dialogue with the Audit Committee regarding emerging or potential cybersecurity risks and cybersecurity incidents. The Audit Committee evaluates the materiality of cybersecurity incidents to determine if they require disclosure, such as an 8-K filing. This includes assessing the potential impact of cybersecurity risks or incidents on the company’s financial position, operations, and reputation.

Risks from Cybersecurity Threats

As of the date of this report, while we are not aware of any material risks from cybersecurity threats, including cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition, there can be no guarantee that there will not be a future cybersecurity incident that will have a material impact. In the event of a cybersecurity incident, our insurance coverage may be inadequate to compensate us for any related losses we incur and, in some cases, our insurance coverage may not cover the cybersecurity incident at all. Additional information on cybersecurity risks we face can be found in Part I, Item 1A. Risk Factors - “We are exposed to risks related to cybersecurity and protection of confidential information” of this Annual Report on Form 10-K.


Company Information

Name: LIGHTBRIDGE Corp
CIK: 0001084554
SIC Description: Services-Management Consulting Services
Ticker: LTBR - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30