Rigetti Computing, Inc. 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

Rigetti Computing, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 16:05:45 EST.

Filings

10-K filed on 2025-03-07

Rigetti Computing, Inc. filed a 10-K at 2025-03-07 16:05:45 EST
Accession Number: 0001558370-25-002499

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature, including information regarding our product architecture, software, algorithms, and applications (“Information Systems and Data”). Our information security function is supported by members of our legal team and a third party service provider, which helps identify, assess and manage the Company’s cybersecurity threats and risks, including through the use of the Company’s risk register. This team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods including, for example: manual and automated tools; subscribing to and analyzing reports and services that identify cybersecurity threats; conducting scans of our threat environment; evaluating threats reported to us; conducting vulnerability assessments to identify vulnerabilities; and analyzing external threat intelligence feeds. Depending on the environment, product, or system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: performing risk analyses, establishing an incident response policy, having vulnerability management processes, and implementing certain security certificates for certain functions of our business; encrypting certain data, using network security controls; segregating data; maintaining access and physical security controls; managing, tracking, and disposing of assets; and monitoring our systems. In addition, we may refer to and perform assessments against the Center for Internet Security’s Critical Security Controls to help inform our cybersecurity program, as well as perform assessments such as penetration tests. Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program and identified in the Company’s risk register; (2) our information security function works with management, including our Chief Technology Officer (“CTO”), to prioritize our risk management processes and mitigate cybersecurity threats that could more likely lead to a material impact to our business; (3) our senior management/committee evaluates material risks from cybersecurity threats against our overall business objectives and on a quarterly basis reports to the cybersecurity subcommittee of the audit committee of the board of directors, with the cybersecurity subcommittee reporting to the audit committee of the board of directors, which oversees our cybersecurity risk as part of our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats , including for example: professional service firms; threat intelligence service providers; cybersecurity consultants; and cybersecurity software and managed cybersecurity service providers. We use third-party service providers to perform a variety of functions throughout our business, such as application providers and public cloud providers, as well as various third-party suppliers that support our manufacturing and development processes. We use certain vendor management processes to manage cybersecurity risks associated with our use of these providers, which includes reviewing the written information security programs of certain of our vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. This can extend to contingent workers as well, who are required to complete background investigations and agree to adhere to policies, including for privacy and cybersecurity. Governance Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee , and specifically the subcommittee for cybersecurity, is responsible for overseeing Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by our legal team along with third-party service providers in coordination with the CTO. The CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CTO is responsible for approving budgets, helping prepare for potential cybersecurity incidents, approving technical cybersecurity processes, and reviewing security assessments and other security-related reports. Our CTO has over 20 years of experience in engineering and information technology management at various organizations. Our CTO collaborates regularly with our third-party service provider who provides a fractional Chief Information Security Officer, who has extensive experience in cybersecurity and a certification as a CISSP. Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances in accordance with the incident response policy, including the CTO, CFO, CEO, and others. Our information security function, together with our CTO, works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response and vulnerability management processes include reporting to the cybersecurity subcommittee of the board of directors’ audit committee for certain cybersecurity incidents in accordance with the incident response plan. The cybersecurity subcommittee receives periodic reports from the CTO, which reflect input from the third-party service provider, concerning the Company’s risk profile, including significant cybersecurity threats and risk and the processes the Company has implemented to address them. The cybersecurity subcommittee also has access to various reports, summaries and presentations related to cybersecurity threats, risk and mitigation. Cybersecurity Threats As of December 31, 2024, we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. However, we have in the past and also anticipate in the future we will be subject to cybersecurity incidents. We have in place insurance coverage designed to provide coverage in connection with cybersecurity incidents, provided, however, that such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; loss of intellectual property or other confidential business information; and other adverse consequences, which may adversely affect our business .

Company Information