IREN Ltd 10-K Cybersecurity GRC - 2025-08-28

Page last updated on September 8, 2025

IREN Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-28 16:11:57 EDT.

Filings

10-K filed on 2025-08-28

IREN Ltd filed a 10-K at 2025-08-28 16:11:57 EDT
Accession Number: 0001878848-25-000063

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Recognizing the ever-evolving nature of cybersecurity threats, we have established a cybersecurity risk management program designed to safeguard the confidentiality, integrity, and availability of our critical systems and data. This program integrates into our overall enterprise risk management framework and draws guidance from industry standards and best practices, including the National Institute of Standards and Technology Framework. Key components of our cybersecurity risk management program include: 1 Identification and Assessment: a Identification and assessment of cybersecurity risks that could impact our operations, facilities, third-party vendors, critical systems, and information. b Utilizing threat intelligence and historical adversarial activity to inform risk assessments and readiness evaluations. 2 Risk Mitigation and Control: a Implementing administrative, physical, and technical controls designed to protect data and systems, as established in our Cyber Security policy. b Leveraging external service providers, including assessors, consultants, auditors, and other third parties, to assess, test, monitor, and respond to cybersecurity threats in an attempt to maintain robust security controls. 3 Third-Party Oversight: a Establishing processes to oversee and identify cybersecurity risks associated with third-party service providers. b Evaluating third-party vendors for compliance with our cybersecurity standards and requiring them to maintain appropriate security controls to protect our data. 4 Incident Response: a Maintaining a cybersecurity incident response plan that outlines procedures for responding to and managing cybersecurity incidents. b Conducting regular cybersecurity awareness training for all employees, contractors, interns, and any user with access to Company systems to increase the preparedness and awareness of risks and procedures. 5 Continuous Improvement: a Regularly updating and improving our cybersecurity practices and policies based on changing business practices, emerging threats, new technologies, and evolving industry standards. b Conducting ongoing penetration testing and benchmarking against industry practices to enhance our security posture. Cybersecurity Incidents : In our fiscal year ended June 30, 2025, we did not identify any cybersecurity incidents that have materially affected our business strategy, operations, or financial condition. We continue to monitor and seek to manage these risks proactively to protect the ongoing security and resilience of our organization. A cybersecurity incident could result in (i) an interruption in our services, (ii) the loss of ability to control or operate our equipment, (iii) misappropriation of personal data and (iv) the loss of critical data that could interrupt our operations, any of which could, among other things, adversely impact our reputation and brand and expose us to increased risks of violation of applicable 100 law, governmental and regulatory investigation and enforcement actions, or private litigation or other liability, including potentially significant financial losses. Cybersecurity Governance Our cybersecurity governance structure is designed to achieve effective oversight and management of cybersecurity risks across the organization. Board Oversight: a The Board holds ultimate oversight responsibility for our cybersecurity risk management program. It receives regular updates from management on cybersecurity risks, incidents, and the overall effectiveness of the program. b The Board’s Audit and Risk Committee is specifically tasked with overseeing cybersecurity and information technology risks, so that risk management strategies align with the company’s overall risk profile. Management Responsibility: a Day-to-day responsibility for managing cybersecurity risks lies with our Chief Technology Officer (CTO) who leads a dedicated cybersecurity team. This team includes internal and external security professionals with expertise in cybersecurity management. Incident Response Team: a Our Incident Response Team, led by our CTO, coordinates the Company’s response to cybersecurity incidents. This team includes representatives from IT, legal, investor relations, risk & compliance, and other relevant departments (as required). b The Incident Management Plan - Technology and Data, developed by our cybersecurity team, follows a structured process for escalating, assessing and categorizing cybersecurity incidents, and IREN’s response process, including remediation and post-incident activities. This is designed to be a systematic and coordinated approach to managing cybersecurity incidents. Relevant Expertise: a Our CTO has over 15 years of experience in cybersecurity management, and has a background in security and information technology solutions. b Members of the Cybersecurity team possess a diverse range of expertise, including prior work experience in cybersecurity, and specialized knowledge and skills in cybersecurity. Information Flow and Reporting: a Management regularly informs and updates the Board and the Audit and Risk Committee on cybersecurity risks, incidents, and the effectiveness of risk management strategies. b Management provides frequent informal communications to the Board between regularly scheduled meetings to keep the Board apprised of any emerging risks or incidents. For further details on the cybersecurity risks we face, refer to Part I, Item 1.A. “Risk Factors” of this Annual Report on Form 10-K.

Company Information