D-Wave Quantum Inc. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

D-Wave Quantum Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:10:02 EDT.

Filings

10-K filed on 2025-03-14

D-Wave Quantum Inc. filed a 10-K at 2025-03-14 16:10:02 EDT
Accession Number: 0001907982-25-000060

Item 1C. Cybersecurity.

Risk management and strategy

We have implemented policies and procedures to evaluate, identify, and handle material risks associated with cybersecurity threats. These protocols are integrated into a comprehensive risk register dedicated to our cloud-based platform and internal systems access. The register undergoes an annual review conducted by the internal information technology (IT) department, overseeing cybersecurity protection for our on-premises systems, and the DevOps department, responsible for cybersecurity protection in the cloud.

We also conduct regular risk assessments to identify threats to our information security systems. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. We assess the risks facing the Company after our controls are accounted for, and then determine mitigation measures for each such risk. Our risk management processes also assess third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. Following these risk assessments, we re-examine our systems and processes to ensure that reasonable safeguards are in place to minimize identified risks and address any issues that arise.

The head of our IT department, who reports to our Chief Financial Officer, works with management to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with IT and management. Personnel at all levels receive regular mandatory training on our cybersecurity policies and practices, no less than once per quarter. Key safeguards include, but are not limited to, access controls, authentication, third-party security obligations, and other technical and organizational measures. In addition, the Company maintains policies and procedures for backups, business continuity, and disaster recovery, and regularly tests its policies and procedures to ensure they allow for timely recovery and restoration of backups and the availability of critical resources.

We enlist third-party service providers to support us in conducting information security reviews of our infrastructure, and the evaluation of our company policies. These providers undertake comprehensive evaluations that delineate potential risks, categorized by criticality and associated level of effort. Subsequently, the Company will undertake a meticulous examination of the internal risk register to potentially recalibrate the likelihood of identified risks, taking into consideration the vulnerabilities unearthed by the third-party assessment.

Depending on the type of services required, the sensitivity of the relevant IT systems and data, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. The Company conducts due diligence prior to engaging a vendor to provide services and requires the vendor to contractually commit to appropriate data protection measures, depending on the nature of the services provided. As part of the software request and vendor evaluation process, we ensure there is a secure method for transmitting data. This includes verifying that encryption is in place both in transit and at rest. Additionally, we require vendors to provide a SOC 2 Type 2 report, which we review to confirm that security controls have been audited and validated. These measures help ensure that third-party vendors maintain appropriate safeguards for handling and sharing confidential information.

Upon identifying vulnerabilities, we commit to addressing them promptly, prioritizing based on their criticality. High-priority remediation efforts will be coordinated with the collaboration of Enterprise IT and DevOps teams to ensure swift and effective resolution.

While the Company’s Leap™ quantum cloud system holds SOC 2 Type 2 compliance, it’s noteworthy that the correlation extends to all our IT systems, even though they are not explicitly within the defined scope. As a result, these interconnected IT systems align with SOC 2 Type 2 standards. Similarly, our policies regarding cybersecurity and IT systems are relevant for SOC 2 Type 2 compliance, but also apply to everyone in the entire organization.

We have not currently identified any cybersecurity challenges that have materially impaired our operations or financial standing. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this Form 10-K.

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. While the board of directors’ audit committee is responsible for overseeing management’s risk assessment and risk management policies generally, to enhance oversight and governance in this area, the board of directors has recently established a standing committee (the “Cybersecurity Committee”), that will advise on cybersecurity matters and provide strategic guidance and direction for our cybersecurity program. The Cybersecurity Committee will convene as necessary to address critical or emerging cybersecurity concerns and to ensure alignment on approach.

In the event of an incident, the Company has developed an incident response plan, which sets forth the steps to be followed from incident detection and assessment to mitigation, recovery and notification and reporting, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate. Our Chief Financial Officer and the head of our IT department, both of whom are primarily responsible for managing our cybersecurity risks, mitigation strategies and responses to any such issues that may arise, collaborate with the Cybersecurity Committee and report to the entire Board on a quarterly basis, or more frequently as needed.

Our Chief Financial Officer oversees the Company’s IT department and has extensive experience in managing IT organizations and securing cybersecurity insurance coverages, which we currently maintain. The head of our IT department drives our strategic IT initiatives and cybersecurity risks assessments, drawing upon over two decades of enterprise technology management expertise.

Our Chief Financial Officer and the head of our IT department oversee our cybersecurity policies and processes, including those described above. The Company’s overall risks and assessments are monitored by a cross functional team composed of members of senior management, security, legal, information technology and financial reporting, which evaluates risks associated with assets such as infrastructure, software, people, processes, and data. A partnership exists between these aforementioned individuals and departments so that identified issues are addressed in a timely manner and incidents are escalated to the appropriate parties as required. The Company’s incident response plan is tested and adjusted regularly or in response to a particular incident or significant threats where appropriate.


Company Information

Name: D-Wave Quantum Inc.
CIK: 0001907982
SIC Description: Services-Computer Processing & Data Preparation
Ticker: QBTS - NYSE; QBTS-WT - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30