CLEANSPARK, INC. 10-K Cybersecurity GRC - 2025-11-25

Page last updated on November 26, 2025

CLEANSPARK, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-25 16:46:20 EST.

Filings

10-K filed on 2025-11-25

CLEANSPARK, INC. filed a 10-K at 2025-11-25 16:46:20 EST
Accession Number: 0001193125-25-297510

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyber security Cybersecurity risk may adversely impact our business. The impact could include weakened financial condition, litigation risk, degrading mining operations, loss of competitiveness, fraud, extortion, harm to employees, violation of applicable privacy or other regulations that could result in regulatory action and fines. Risk Management and Strategy We maintain a cybersecurity program to manage the confidentiality, integrity and availability of our data and information systems that support our business. The program is aligned with the National Institute of Standards and Technology Cybersecurity Framework 2.0 and is integrated into our overall risk management program. It is designed to develop appropriate strategies for preserving the confidentiality, integrity and availability of our data and information systems that can evolve with the changing cybersecurity threat landscape. We have implemented policies, procedures and technological tools to prevent, detect and mitigate cybersecurity risks posed by third parties. We use third-party security vendors to further strengthen our cybersecurity posture. These partners provide advanced monitoring, detection, and response capabilities that complement our internal controls and staff expertise. Their services include continuous threat intelligence, vulnerability management, and incident response support, which are integrated into our cybersecurity program. A written cybersecurity incident response plan that we tabletop yearly and cybersecurity insurance are also key components of our approach to managing the risk of a cyber event. Our incident response plan contains a materiality analysis framework based on Federal Information Processing Standards Publication 199. This materiality framework allows us to identify and classify cybersecurity events based on their impact to our data or information systems. This framework will assist us in expediting review of cyber events for materiality purposes that could require disclosure to the SEC. We have implemented a third-party risk management policy that categorizes the cybersecurity risk posed by third party vendors along with the type of cybersecurity controls we may require of those vendors. These may include employee training, cybersecurity tools like multi-factor authentication, and contractual requirements that vendors maintain appropriate technical, administrative and physical cybersecurity controls. This is in addition to the policies and practices we maintain to monitor access of our information systems and data using our internal staff and third-party vendors. As part of communicating the importance of cybersecurity at an enterprise-wide level, we require that all company employees participate in annual cybersecurity training. 44 Governance Our IT Steering and Risk Committee ("ITSRC") has been delegated the responsibility for managing cybersecurity risk for the company by the Board of Directors (the "Board"). This committee is chaired by our Chief Technology Officer & Chief Operating Officer and includes a diverse cross section of company stakeholders including the CFO, Director of IT, SVP of Security, and our General Counsel. On May 1, 2025, we added an outsourced virtual CISO who is a key advisor to the ITSRC, bringing over a decade of expertise in managing and maturing cybersecurity program that includes mitigation, incident prevention, detection and remediation disciplines. The ITSRC is also responsible for maintaining and monitoring legal and regulatory requirements and compliance as well as oversight of the adequacy of company cyber insurance. Our third-party security vendors, in collaboration with our Director of IT, keep the ITSRC apprised of efforts surrounding the prevention, detection, mitigation and remediation of any cyber threats or cybersecurity incidents. The Board is entrusted with the oversight of the management of cybersecurity risk and our cybersecurity program. The Board administers this oversight through its audit committee and the ITSRC. The ITSRC committee chair is responsible for reporting to the Board's audit committee with respect to cybersecurity at least twice per calendar year. The audit committee, as necessary, reports any findings and recommendations to the Board. As cyber threats evolve and as our cybersecurity program matures, the Board will consider further developing specific cybersecurity oversight functions and protocols. For more information on our cybersecurity related risks, see Part I, Item 1A. "Risk Factors" of this Annual Report on Form 10-K.

Company Information