Valkyrie Bitcoin Fund 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Valkyrie Bitcoin Fund reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:40:28 EDT.

Filings

10-K filed on 2024-03-27

Valkyrie Bitcoin Fund filed an 10-K at 2024-03-27 16:40:28 EDT
Accession Number: 0001999371-24-004051

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Overview The Sponsor, its parent Valkyrie Investments Inc., and their respective affiliates (collectively, Valkyrie ) have adopted an organizational wide cybersecurity program. The program is administered by the Chief Compliance Officer ( CCO ) of Valkyrie Funds, LLC, an affiliate of the Sponsor and wholly-owned subsidiary of Valkyrie Investments Inc. Valkyrie s objective, in the development and implementation of this comprehensive cybersecurity program, is to create effective administrative, technical, and physical safeguards for the protection of personal information of the organization and its clients. Program Details Valkyrie has designated the CCO to implement and maintain the cybersecurity program. The CCO may delegate any of the CCO s responsibilities to appropriate designees as long as the CCO remains primarily responsible for compliance oversight and administration. The CCO will is responsible for: 1. Initial implementation of the cybersecurity program 2. Ongoing employee education 3. Regular testing of the cybersecurity program s safeguards 4. Evaluating the ability of each of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, and requiring such third party service providers by contract to implement and maintain appropriate security measures. 5. Reviewing the scope of the security measures in the cybersecurity program at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information. Identification of Risks and Cybersecurity Governance To combat internal risks to the security, confidentiality, and/or integrity of any electronic records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, Valkyrie has identified the following risks that are present to its business as well as procedures to help mitigate those risks: Internal Threats 1. There must be communication to employees on the detailed provisions of the cybersecurity program at onboarding and annually. 2. Access to records containing client s personal information shall be limited to those persons who are reasonably required to know such information. 3. All security measures shall be reviewed at least annually, or whenever there is a material change in our business practices that may reasonably implicate the security or integrity of records containing personal information. 4. Terminated employees must return all records containing personal information, in any form, that may at the time of such termination be in the former employee s possession. 5. A terminated employee s physical and electronic access to personal information must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the firm s premises or information. Moreover, such terminated employee s remote electronic access to personal information must be disabled his/her voicemail access, e-mail access, internet access, and passwords must be invalidated. 6. Current employees user ID s and passwords must be managed in accordance to Valkyrie s password policy. 7. Employees are encouraged to report any suspicious or unauthorized use of customer information. 8. Employees are prohibited from keeping open files containing personal information on their computer screen when they are not at their desks. Employees are responsible for locking computer screen when away from workspace. 9. Employees must not share login information with co-workers. 22 External Threats 1. Valkyrie will maintain reasonably up-to-date firewall protection (if applicable) and operating system security patches, reasonably designed to maintain the integrity of the personal information, installed on systems processing personal information. 2. Valkyrie will maintain reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, installed on systems processing personal information. 3. To the extent technically feasible, personal information stored on portable devices, such as laptops or tablets, must be password protected, as must all records and files transmitted across public networks or wirelessly, to the extent technically feasible. 4. All computer systems must be monitored for unauthorized use of or access to personal information. Risks Associated with Remote Client Access and Funds Transfer Requests Currently, Valkyrie does not provide its clients with online account access nor does process funds transfer requests. If the firm s business changes to allow for remote client access and funds transfer requests, Valkyrie will update the cybersecurity program accordingly by identifying the potential risks involved and implementing the appropriate safeguards to protect the client s personal information. Risks Associated with Vendors and Other Third Parties Valkyrie periodically conducts risk assessments with vendors and other third parties that have access to the Firm s networks, customer data, and other sensitive information. Detection of Unauthorized Activity Employees who believe their terminal or computer systems have been subjected to unauthorized activity, or has otherwise been improperly accessed or used, are required to report the situation to the CCO immediately to determine the course of action. Valkyrie takes the issue of security seriously. Firm employees who use the technology and information resources of the firm must be aware that they can be disciplined if they violate this policy. Upon violation of this policy, an employee may be subject to discipline up to and including discharge. The specific discipline imposed will be determined by a case-by-case basis, taking into consideration the nature and severity of the violation of the cybersecurity program, prior violations of the policy committed by the individual, state and federal laws and all other relevant information. In a case where the accused person is not a firm employee, the matter shall be submitted to the CCO. The CCO may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s). Updates to the Cybersecurity Program The CCO reviews the cybersecurity program on a periodic basis and updates the program based on changes in the firm s business, effectiveness of the safeguards, and any additional risk factors that become present. The CCO will inform management of the results of the reviews and any recommendations for improved security arising out of the reviews. Furthermore, if an incident occurs that is determined to be in violation of the cybersecurity program, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in our security practices are required to improve the security of personal information for which the Firm is responsible.

Company Information