MARA Holdings, Inc. 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

MARA Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 17:01:41 EST.

Filings

10-K filed on 2025-03-03

MARA Holdings, Inc. filed a 10-K at 2025-03-03 17:01:41 EST
Accession Number: 0001507605-25-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Information Security Program The mission of our information security organization is to design, implement, and maintain an information security program that protects our systems, services, and data against unauthorized access, disclosure, modification, damage, and loss. The information security organization is comprised of internal and external security and technology professionals. We continue to make investments in information security resources to mature, expand, and adapt our capabilities to address emerging cybersecurity risks and threats. The information security organization is overseen by the Information Security Advisory Team (the “ISAT”), further detailed under the caption “Cybersecurity Governance” below. Cybersecurity Risk Management and Strategy Cybersecurity risk management is one component of our information security program that guides continuous improvement to, and evaluates the confidentiality, integrity, and availability of our critical systems, data, and operations. Our approach to controls and risk management is based on guidance from the National Institute of Standards and Technology (“NIST”) and the CryptoCurrency Security Standard (“CCSS”). This does not mean that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST and CCSS as a guide to help us identify, assess, and manage cybersecurity controls and risks relevant to our business. Our cybersecurity risk management program includes: - Identifying cybersecurity risks that could impact our facilities, third-party vendors/partners, operations, critical systems, information, and broader enterprise information technology (“IT”) environment. Risks are informed by threat intelligence, current and historical adversarial activity, and industry specify threats ; - Performing a cybersecurity risk assessment to evaluate our readiness if the risks were to materialize; and - Ensuring risk is addressed and tracking any necessary remediation through an action plan. In addition, we periodically engage third-party consultants and providers to assist us in assessing, testing, enhancing and monitoring our cybersecurity risk management programs and responding to any incidents. These third parties work in conjunction with the ISAT in an effort to continuously improve our cybersecurity risk posture. Examples of third-party actions include risk assessments and penetration testing of our systems. While we face a number of ongoing cybersecurity risks in connection with our business, such risks have not materially affected us to date, including our business strategy, results of operations, or financial condition. Cybersecurity Governance Our Board of Directors (the “Board”) considers cybersecurity risk as part of its risk oversight function and has delegated the oversight of cybersecurity and other IT risks to the Board’s Risk and Audit Committee. As part of this oversight, we created the ISAT . The ISAT is comprised of cybersecurity consultants and senior managers and executives from multiple functions within MARA, including IT, finance, legal, internal audit and operations. Members of the ISAT have extensive professional experience in cybersecurity, software engineering and information technology and hold industry-recognized certifications, including Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP). The ISAT oversees our information security program and our strategy, including management’s implementation of cybersecurity risk management. The ISAT meets at least semi-annually to discuss matters involving cybersecurity risks. The ISAT ultimately provides information to our Risk and Audit Committee regarding its activities, including those related to cybersecurity risks. The Risk and Audit Committee also receives a briefing and continuing education from a member of the ISAT relating to our cybersecurity risk management program at least annually. The ISAT is responsible for notifying the Risk and Audit Committee of material cybersecurity incidents.

Company Information