Core Scientific, Inc./tx 10-K Cybersecurity GRC - 2024-03-12

Page last updated on July 16, 2024

Core Scientific, Inc./tx reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 17:48:18 EDT.


10-K filed on 2024-03-12

Core Scientific, Inc./tx filed a 10-K at 2024-03-12 17:48:18 EDT
Accession Number: 0001628280-24-010682


Item 1C. Cybersecurity.

Risk Management and Strategy

We are subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. We have implemented a risk-based approach, guided by Federal Information Processing Standards Publication 199, to identify, classify, and appropriately assess the range of cybersecurity threats that could affect our business and information systems. Accordingly, security incidents are evaluated, classified by severity and prioritized for response, mitigation and remediation.

From a high level, our incident response framework consists of five elements: (1) proactively identifying and appropriately managing cybersecurity risks to our systems, assets, data, and other capabilities; (2) designing and implementing the appropriate safeguards to timely deliver business services; (3) implementing systems and processes to detect the occurrence of cybersecurity events; (4) responding to events in a systematic and comprehensive fashion; and (5) utilizing mechanisms to promote system resilience and the restoration of critical business functions that may have been impaired due to a security incident.

Our cybersecurity program is aligned with industry standards and best practices, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Fundamentally, our information security program is tasked with developing pragmatic strategies for preserving the confidentiality, integrity and availability of Company and customer information. Pursuant to this approach, we have implemented controls to prevent, detect and mitigate cybersecurity risks posed by third parties.

We use various tools and methodologies, including a written incident response plan and cybersecurity insurance, to manage and mitigate cybersecurity risk. Those tools and methodologies are evaluated on a regular and continuing basis. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. Through both short-term “game day” events and more prolonged campaigns, red team programming is designed to continuously stress test the fortitude of our information security systems and assist in identifying areas of potential vulnerability. Based on the results of these simulated exercises, we aim to harden any identified exposure points and adjust our security processes to ensure dynamism and responsiveness.

Along with our in-house cybersecurity capabilities, we also periodically engage third parties to assist with detecting and responding to cybersecurity risks. Third parties may be engaged to assist with procedures including red and blue team training exercises and penetration testing. We require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. Amongst other controls, we maintain policies and practices that monitor, regulate and limit remote access of our information systems.

Our business depends on the availability, reliability, and security of our information systems, networks, data, and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could adversely affect our operations, customer service, product development, and competitive position. They may also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our vendor relationships, or loss of market share.

To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have, or are likely to, materially affect us, our business strategy, results of operation or financial condition. For more information on the risks from cybersecurity threats that we face, refer to Part I, Item 1A. “Risk Factors,” of this Annual Report on Form 10-K, including but not limited to the risk factors titled, "We may be vulnerable to both physical and cybersecurity breaches, which could disrupt our operations and have a material adverse effect on our business, financial condition and results of operations" and "We may be exposed to cybersecurity threats and breaches, which could have a material adverse effect on our business, financial condition and results of operations."

Governance

Our information security team is led by our Chief Information Security Officer and is comprised of dedicated professionals responsible for overseeing cybersecurity risk management and mitigation, incident prevention, detection and remediation. These teams are spearheaded by professionals with decades of cybersecurity leadership experience across multiple industries, including our Chief Technology Officer. Our leadership working group meets on a weekly basis to discuss our approach to the rapidly-evolving cybersecurity landscape.

To ensure that our top-level strategy is disseminated throughout the Company, our information security team provides hands-on and often role-specific training and awareness programs to our employees. Our employees with network access participate annually in required training, including spear phishing and other awareness training. We also periodically conduct simulated phishing exercises to practice appropriate response and augment employee awareness of established and emerging cyber threats.

One of the key functions of our Board of Directors is informed oversight of our risk management process, including cybersecurity risk. Our Board of Directors considers cybersecurity risk and mitigation as a critical component of its risk oversight function and intends to further develop specific cybersecurity oversight functions and protocols. Our Board of Directors administers this oversight function directly through the Board of Directors as a whole, as well as through various standing committees of our Board of Directors, including the Audit Committee, that address risks inherent in their respective areas of oversight. In particular, our Board of Directors is responsible for monitoring and assessing strategic risk exposure and our Audit Committee has the responsibility to consider and discuss our major financial risk exposures and the steps our management has taken to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. The Audit Committee also monitors compliance with legal and regulatory requirements and is charged with oversight of the adequacy of Company’s insurance programs, including cyber insurance.

Company Information

Name: Core Scientific, Inc./tx
SIC Description: Finance Services
Emerging growth company
Fiscal Year End: December 30