Soluna Holdings, Inc 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Soluna Holdings, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:21:35 EDT.

Filings

10-K filed on 2025-03-31

Soluna Holdings, Inc filed a 10-K at 2025-03-31 16:21:35 EDT
Accession Number: 0001641172-25-001756

Item 1C. Cybersecurity.

We, like other companies in our industry, face several cybersecurity risks in connection with our business. Our business strategy, results of operations, and financial condition have not, to date, been affected by risks from cybersecurity threats. During the reporting period, we have not experienced any material cyber incidents, nor have we experienced a series of immaterial incidents, which would require disclosure.

We proactively approach cybersecurity through a systemized thorough process established by our internal Management and IT teams as well as external IT providers. These processes are specifically designed to adapt to the evolving cybersecurity environment, enabling us to respond swiftly and effectively to new and emerging threats. Our cybersecurity initiative incorporates elements from multiple industry benchmarks, including frameworks from the National Institute of Standards and Technology and the Center for Internet Security. We regularly assess the threat landscape and take a holistic view of cybersecurity risks with a layered cybersecurity strategy based on prevention, detection, and mitigation.

Our internal IT team works closely with our external IT management provider to comprehensively evaluate cybersecurity risks. They focus on monitoring, identifying, and addressing significant cybersecurity issues in real-time by employing advanced software monitoring platforms for effective mitigation and management. In addition, we have several avenues to gather risk intelligence and potential threats identified by various services and capabilities to adjust our security strategy.

We also have Company-wide policies and procedures concerning cybersecurity and technology standards, including a Resource and Data Recovery policy. In addition, we have other policies related to endpoint and network protection, encryption standards, malware/ransomware protection, multi-factor authentication, operational security, and confidential information. These policies go through an internal review process and are approved by appropriate members of management.

We have invested in IT security, encompassing various strategies such as enhanced end-user training, implementing layered defense systems, identifying and safeguarding critical assets, bolstering monitoring and alert capabilities, and consulting with expert advisors. On the management front, our IT security team diligently oversees alert systems and routinely convenes to evaluate current threat levels, analyze trends, and strategize effective remediation methods.

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party vendors and service providers. The internal business owners of the hosted applications are required to review user access at least annually and provide a System and Organization Controls (“SOC”) 1 or SOC 2 report from the vendor. If a third-party vendor is unable to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis.

Governance

Under the direction of the Company’s Chief Technology Officer (“CTO”) and Director of Information Technology, with oversight from the Board, we maintain a security governance structure to evaluate and address cyber risk. The CTO and the Director of IT are responsible for developing and implementing our information security program. Our CTO is an Executive Sponsor of the Cyber Security Program and has over a decade of experience in the Defense sector working directly with technology-driven Operational Security. The Director of IT regularly oversees the Company’s cybersecurity program. This comprehensive review includes examining management’s initiatives to identify and detect potential threats, outlining planned responses and recovery strategies for potential incidents, evaluating recent improvements made to the Company’s security detection and response capabilities, and assessing management’s advancement along the cybersecurity strategic roadmap. The internal IT team also subscribes to various threat intelligence services to evaluate our security strategy or defense mechanism against such threats.

Our board of directors has ultimate oversight of our strategic and business risk management and, as such, has oversight responsibilities for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks. Management is responsible for identifying, assessing, and managing material cybersecurity risks on an ongoing basis, establishing and updating processes to ensure such potential risks are monitored, putting in place appropriate mitigation measures, and will be providing regular reports on cybersecurity trends and risks, and should they arise, any material incidents with our board of directors.


Company Information

Name: Soluna Holdings, Inc
CIK: 0000064463
SIC Description: Finance Services
Ticker: SLNH - Nasdaq; SLNHP - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30