Rigetti Computing, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Rigetti Computing, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:07:59 EDT.

Filings

10-K filed on 2024-03-14

Rigetti Computing, Inc. filed an 10-K at 2024-03-14 16:07:59 EDT
Accession Number: 0001558370-24-003234

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature, including information regarding our product architecture, software, algorithms, and applications ( Information Systems and Data ). Our information security function is led by our Senior Director for Information Technology (IT) and supported by members of our legal team and a third party service provider, which helps identify, assess and manage the Company s cybersecurity threats and risks, including through the use of the Company s risk register. This team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company s risk profile using various methods including, for example: manual and automated tools subscribing to and analyzing reports and services that identify cybersecurity threats conducting scans of our threat environment evaluating threats reported to us conducting vulnerability assessments to identify vulnerabilities and external threat intelligence feeds. Depending on the environment, product, or system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response policy, vulnerability management processes, implementing certain security certificates for certain functions of our business encrypting certain data, using network security controls segregating data maintaining access and physical security controls managing, tracking, and disposing of assets monitoring our systems and maintaining cybersecurity insurance. 73 Table of Contents Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company s enterprise risk management program and identified in the Company s risk register (2) our information security team works with management, including our Chief Technology Officer ( CTO ), to prioritize our risk management processes and mitigate cybersecurity threats that could more likely lead to a material impact to our business (3) our senior management/committee evaluates material risks from cybersecurity threats against our overall business objectives and reports to the cybersecurity subcommittee of the audit committee of the board of directors, with the cybersecurity subcommittee reporting to the audit committee of the board of directors which evaluates and oversees our cybersecurity risk as part of our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example: professional service firms threat intelligence service providers cybersecurity consultants and cybersecurity software and managed cybersecurity service providers. We use third-party service providers to perform a variety of functions throughout our business, such as application providers and public cloud providers, as well as various third-party suppliers that support our manufacturing and development processes. We use certain vendor management processes to manage cybersecurity risks associated with our use of these providers, which includes reviewing the written information security programs of certain of our vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions litigation fines and penalties disruptions of our business operations reputational harm loss of revenue or profits loss of customers or sales and other adverse consequences, which may adversely affect our business . Governance Our board of directors addresses the Company s cybersecurity risk management as part of its general oversight function. The board of directors audit committee, and specifically the subcommittee for cybersecurity, is responsible for overseeing Company s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Senior Director for IT, who has 25 years of leadership experience in information security, and various IT and security certifications, including certified information systems security professional (CISSP). The Senior Director for IT is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, and communicating key priorities to relevant personnel. Our CTO is responsible for approving budgets, helping prepare for potential cybersecurity incidents, approving technical cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances, including the CTO, CFO, CEO, and others. Our information security function, together with our CTO, works with the Company s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company s incident response and vulnerability management processes include reporting to the cybersecurity subcommittee of the board of directors audit committee for certain cybersecurity incidents. The cybersecurity subcommittee receives periodic reports from the Senior Director for IT or the CTO concerning the Company s risk profile, including significant cybersecurity threats and risk and the processes the Company has implemented to address them. The cybersecurity subcommittee of the audit committee also receives/has access to various reports, summaries and presentations related to cybersecurity threats, risk and mitigation. 74 Table of Contents

Company Information