Bakkt Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

Bakkt Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 16:31:10 EDT.

Filings

10-K filed on 2024-03-25

Bakkt Holdings, Inc. filed an 10-K at 2024-03-25 16:31:10 EDT
Accession Number: 0001820302-24-000056

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks intellectual property loss or theft fraud extortion harm to employees or customers potential litigation, regulatory investigations or other proceedings, and other legal risks and reputational risks. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. -73- Table of Contents To identify and assess material risks from cybersecurity threats, our Enterprise Risk Management program considers cybersecurity risks alongside other company risks as part of our overall risk assessment process. We perform specific cybersecurity risk assessments at least annually to identify and assess material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to further identify risks. To provide for the availability of critical data and systems, address regulatory compliance requirements, manage our material risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, we undertake these activities: undertake an annual review of our policies and statements related to cybersecurity conduct cybersecurity awareness training for all employees annually conduct privileged access and incident training for employees involved in our systems and processes that handle sensitive data conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats through policy, practice and contract (as applicable), require employees, as well as applicable third parties who provide services on our behalf, to treat customer information and data with care conduct tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies leverage the National Institute of Standards and Technology incident handling framework as the foundation of our incident response plan to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident and carry information security risk insurance that provides protection against the certain potential losses arising from a cybersecurity incident. Our incident response plan coordinates the activities we take in our efforts to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes designed to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We regularly engage with independent third parties to review our cybersecurity program and assess the effectiveness of our controls. These third parties include our Internal Audit department as well as external reputable and well-known firms, all of which review various aspects of our cybersecurity program, processes, and controls throughout the year. We also maintain processes to address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our systems or data or facilities that house such systems and data. Cybersecurity considerations affect the selection and oversight of these third-party service providers. We perform diligence on these third parties and monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that we believe could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and be subject to certain obligations related to their cybersecurity practices. Like other technology companies, we have faced cybersecurity incidents in the past. As of the date of this Annual Report on Form 10-K, however, we have not assessed any risks from prior cybersecurity incidents as having materially affected or being reasonably likely to materially affect us. We face risks from cybersecurity threats, including those associated with cyberattacks and security breaches and incidents, in the future. For additional information regarding whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of -74- Table of Contents operations, or financial condition in Item 1A. Risk Factors and Item 7. Management s Discussion and Analysis of Financial Condition and Results of Operations of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Board s Audit and Risk Committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the entire Board receives an overview from management of our cybersecurity program and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and certain cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The Board discusses such matters with our Chief Risk Officer (CRO) and Chief Information Security Officer (CISO). Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our enterprise risk management and strategy processes are led by our CRO. Cybersecurity program management and strategy processes are led by our CISO. Such individuals have collectively over 40 years of prior work experience in various roles involving managing enterprise risk and information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, as well as several relevant degrees and certifications, including Certified Information Security Manager, Certified Information Systems Auditor, and Certified Information Systems Security Professional. The CRO and CISO provide regular updates to the executive management team. The executive management team monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their participation in the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, the CRO and CISO report to the entire Board about cybersecurity threat risks, among other cybersecurity related matters, at least quarterly.

Company Information