Bakkt Holdings, Inc. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 20, 2025

Bakkt Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 21:51:59 EDT.

Filings

10-K filed on 2025-03-19

Bakkt Holdings, Inc. filed a 10-K at 2025-03-19 21:51:59 EDT
Accession Number: 0001628280-25-013959


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We regularly face cybersecurity threats from malicious third parties that could obtain unauthorized access to our internal systems, networks, and data. It is virtually impossible for us to entirely mitigate the risk of these and other security threats we face, and the security, performance, and reliability of our products may be disrupted by third parties, including nation-states, fraudsters, criminal syndicates, competitors, hackers, disgruntled employees, former employees, or contractors. While we have implemented security measures internally and have integrated security measures into our systems, network, and products, these measures may not always function as expected and may not always detect or prevent all unauthorized activity, prevent all security breaches or incidents, mitigate all security breaches or incidents, or protect against all attacks or incidents.

Particularly in light of the extensive cybersecurity risks facing our company and the fact that we provide crypto digital asset products to our clients, we recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to protect our internal systems and our clients’ data. We have established a multi-layered approach to manage our cybersecurity risks with preventative and detective capabilities enabled in our network and internal systems that are designed to protect against identified cyber threats. This approach to cybersecurity includes, among other things, annual and periodic risk assessments; ongoing collaboration with our product and engineering teams for the purpose of securing our products, systems, and data; a vulnerability management program focused on proactively identifying, triaging and mitigating security vulnerabilities within our systems, penetration tests and other simulations; regularly required security training for all employees; and a comprehensive incident response process to identify, contain, and remediate cybersecurity incidents. We also engage with external cybersecurity assessors and consultants in evaluating and testing the design and operating effectiveness of controls.

To identify and assess material risks from cybersecurity threats, our Enterprise Risk Management program considers cybersecurity risks alongside other company risks as part of our overall risk assessment process. We perform specific cybersecurity risk assessments at least annually to identify and assess material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to further identify risks.

We are aware of risks associated with our use of third-party service providers, including those who have access to our systems, data, or facilities. We have implemented processes to help manage these risks. We conduct security assessments of third-party providers who may have access to sensitive information as part of our selection and onboarding process. We also conduct ongoing monitoring in the form of periodic reviews conducted by our security team based on the business criticality of the third-party service.

As of the date of this Form 10-K we do not believe that these risks or any previous cybersecurity events or incidents have materially affected or are reasonably likely to materially affect us. We face risks from cybersecurity threats, including those associated with cyberattacks and security breaches and incidents, in the future. For additional information regarding whether and how risks from identified cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition refer to "Item 1A. Risk Factors" and "Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations" of this Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for the Board and management. The Board is responsible for monitoring and assessing strategic risk exposure, and our cybersecurity program and strategy are overseen by our Chief Information Security Officer (CISO). Our CISO, who joined us in 2022, has over 25 years of prior work experience in various roles managing enterprise risk and information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, as well as several relevant degrees and certifications, including Certified Information Security Manager, Certified Information Systems Auditor, and Certified Information Systems Security Professional. The CISO provides regular updates to the executive management team and provides the quarterly Board updates, as discussed below. The executive management team allocates resources to support the cybersecurity program through allocation of budget.

The Board administers its cybersecurity risk oversight function directly as a whole, as well as through its Audit and Risk Committee, which is responsible for oversight of risks from cybersecurity threats. At least quarterly, the entire Board receives an update from the CISO of our cybersecurity program covering topics such as results from third-party assessments, progress toward strategic goals, compliance with regulatory requirements, and certain cybersecurity threat risks or developments, as well as the steps management has taken to respond to such risks. Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.


Company Information

Name: Bakkt Holdings, Inc.
CIK: 0001820302
SIC Description: Finance Services
Ticker: BKKT - NYSE; BKKT-WT - NYSE
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30