VanEck Merk Gold Trust 10-K Cybersecurity GRC - 2024-03-29

Page last updated on July 16, 2024

VanEck Merk Gold Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 15:38:35 EDT.


10-K filed on 2024-03-29

VanEck Merk Gold Trust filed a 10-K at 2024-03-29 15:38:35 EDT
Accession Number: 0001213900-24-027921


Item 1C. Cybersecurity.

The Sponsor’s Chief Information Security Officer (“CISO”) is responsible for overseeing the Trust’s cybersecurity practices. The CISO also manages IT affecting the Trust. The CISO is responsible for overseeing the ongoing adequacy of design and effective implementation of these policies and procedures and to review these procedures at least annually. The CISO is trained as a computer scientist (Master of Science) with extensive programming and system administration experience. The CISO’s background includes study of many of the IT building blocks of a modern office infrastructure, including the study and programming of network protocols, information theory, and public key cryptography.

Information Systems Security

The Sponsor’s CISO oversees the maintenance of an inventory of information systems (“Information Systems”) employed by the Sponsor of the Trust either directly or through a vendor. Information Systems include electronic and physical systems used to store, process or transmit information either directly or through a service provider. This includes all methods of data processing, transmission, and retention, both electronic and physical.

Electronic Information Systems used by or on behalf of the Trust must, at a minimum, adequately address security elements consistent with applicable state and local regulatory requirements and best practices pertaining to:

● Data Storage,
● User Access, and
● Data Transmission.

The adequacy of security measures used by service providers for internal information will be evaluated in connection with the risk assessment process outlined below in the section labeled Risk Assessment.

The CISO is responsible for classifying information, identifying risks, and identifying risk mitigation strategies. The CISO is also responsible for evaluating the adequacy of risk mitigation strategies prior to deploying any Information System. Externally hosted applications (those not installed on the Sponsor’s local network and servers) are reviewed by the CISO at least annually thereafter.

Risk Identification

The CISO will identify reasonably foreseeable risks to the security or integrity of each Information System. The risk identification process will consider appropriate internal and external threat scenarios based on people, process or technology vulnerabilities that could cause the Information System to be compromised, damaged, tampered with or otherwise impaired.

Risk Mitigation

The CISO will identify processes or controls to mitigate identified risks to the security or integrity of each Information System. The computer system security requirements set forth below in this policy may adequately mitigate certain identified risks. Other processes or controls may be required to adequately mitigate other risks.

Risk Assessment

As part of the Sponsor’s ISSP for the Trust, the CISO will document in a risk assessment the Information Systems for the Trust, risks identified in Information Systems, and related risk mitigation processes and controls. Included in the risk assessment will be an assessment of each risk’s potential impact on the operations affecting the Trust, on the security of the Trust’s data, and also potential business consequences of each risk. The CISO will review and update the risk assessment at least annually.

Additionally, at least annually (for external hosted applications) and following any significant change in operations (for all applications), the CISO is responsible for gathering information about the operation of previously identified risk mitigation strategies and any changes to information classification, identified risks or risk mitigation strategies. The CISO must evaluate the risk mitigation strategies for ongoing adequacy. The evaluation must be documented in a form prescribed by the CISO. If the CISO concludes that risk mitigation strategies are inadequate for an Information System containing confidential or internal information, action will be taken to either correct the inadequacy in a timely manner or discontinue use of the Information System.

Cybersecurity Procedures

The Sponsor has adopted procedures to implement the cybersecurity policy applicable to the Trust, which include the following:

● The Sponsor maintains system access rights and controls for the Trust including:
  - restricting Supervised Persons’ (a “Supervised Person” is each employee, officer, member, and other persons who are subject to the Sponsor’s supervision and control) network resources access to the systems which are necessary for their business functions,
  - use of passwords,
  - authentication of users, and
  - secure remote access protocols;
● The Sponsor maintains its systems carrying Trust data with appropriate updates and virus protections;
● The Sponsor promptly eliminates access to all networks, devices, and resources as part of its HR procedures in the event a Supervised Person resigns or is terminated. Such Supervised Person is required to immediately return all Sponsor-related equipment and information to the CISO;
● The Sponsor has adopted procedures governing the use of mobile devices for the business purposes affecting the Trust;
● The Sponsor prohibits Supervised Persons from installing software on company owned equipment without first obtaining approval from the CISO or other designated person(s);
● The CISO or other designated person(s) conducts periodic monitoring of the networks affecting the Trust to detect potential cybersecurity events;
● The CISO or other designated person(s) conducts periodic monitoring of the networks affecting the Trust to detect unauthorized data transfers;
● Security procedures to protect information that is electronically stored or transmitted include authentication protocols, secure access control measures, and encryption of all transmitted files;
● All suspicious activity involving the Information Systems affecting the Trust recognized or uncovered by personnel should be promptly reported to his or her supervisor and/or the CISO; and
● A Supervised Person must immediately notify his or her supervisor and/or the CISO to report a lost or stolen laptop, mobile device, and/or flash drive.

The Chief Compliance Officer (“CCO”) oversees the Sponsor’s Cybersecurity policy and in collaboration with the CISO reviews it annually.

There have been no cybersecurity incidents since the Trust was founded.

Company Information

Name: VanEck Merk Gold Trust
SIC Description: Commodity Contracts Brokers & Dealers
Category: Accelerated filer
Fiscal Year End: January 30