USBC, Inc. 10-K Cybersecurity GRC - 2025-12-19

Page last updated on December 19, 2025

USBC, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-19 09:02:46 EST.

Filings

10-K filed on 2025-12-19

USBC, Inc. filed a 10-K at 2025-12-19 09:02:46 EST
Accession Number: 0001654954-25-014138

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our cybersecurity and risk management program is designed to protect the confidentiality, integrity, and availability of our critical information systems and the data they hold. Due to the nature of our business and our customers, we face many potential cybersecurity challenges and threats, including attempts to gain unauthorized access to our intellectual property, trade secrets, codebase, proprietary or confidential information, fraud, denial-of-service attacks, attacks from foreign nations, as well as threats to our identity and personnel. Because we operate in financial-technology and data-sensitive environments, we expect these threats to continue to evolve and increase in complexity. We have implemented IT systems and processes designed to help defend against the ever-evolving threat landscape while remaining agile to keep up with such threats. As we expand efforts in the financial technology sector, we will continue to invest in strengthening and supporting a robust cybersecurity posture and defense. We leverage a combination of cybersecurity frameworks to protect our assets. We use the controls from these frameworks as well as guidelines and best practices from the industry to develop our cybersecurity plan. Our cybersecurity plan and its elements are reviewed regularly to ensure they meet the requirements and expectations of our security needs. We have a cybersecurity policy in place, which includes monthly meetings with internal cybersecurity and technology experts to review and maintain the procedures, ensuring they reflect current best practices. Our cybersecurity program is spearheaded by our cybersecurity department, with support from external advisors and approval from executive management. The stakeholders have been identified and know their roles within the documented cybersecurity process. Our Board of Directors receives periodic reports and annual updates on our cybersecurity posture, and both the Chief Information Security Officer and the Chief Financial Officer share responsibility for our program and solicit support from third-party experts as necessary. Our cybersecurity team consists of highly senior resources holding multiple certifications and degrees relating to cybersecurity and best practices. Risk is assessed based on multiple factors and is overseen by the Audit Committee. Our IT and cybersecurity teams update and maintain our digital asset inventory to ensure all digital assets are included in our risk management process. The same is also true for all physical records/files as well as physical assets that would be considered intellectual property. Key assets are identified, and risk is assessed based on business impact, availability of information, and attack feasibility. After the risks have been identified, they are reviewed with the Audit Committee and stakeholders to create action plans or exception requests for the acceptance of risk. We leverage third party applications and software, as well as vulnerability and cybersecurity testing by third party cybersecurity experts, to help identify vulnerabilities within our system's boundaries. These vulnerability lists are used to create remediation plans and are prioritized based on severity and attack feasibility. An incident response plan has been established, which provides detailed information on actions to take in the event of an incident. The plan defines the incident response team, details the incident response lifecycle, and provides templates to make the process easier to document and follow. Timelines, communication methods, and notification information are included in the plan to ensure the process can be followed in high-pressure situations that can occur during incidents. We have had no material cybersecurity incidents in the last 24 months. However, during the fiscal year ended September 30, 2025, our leased office was physically broken into through a firemen's access conduit in an isolated physical security incident that did not result in a material impact on our operations, financial condition or results of operations. No items/assets were taken and the access conduit has since been disabled. We are in the process of installing additional physical security measures to make the location less vulnerable to unauthorized entry. Sensitive and confidential data are an essential part of our business. We leverage a cybersecurity policy that identifies the type of information we store and what level of encryption and access role entitlement is required to store and access the data. This document also details the overarching requirements for encryption, such as encryption methods, and secret/key storage and retention. These requirements are periodically reviewed to ensure continued alignment with industry standards and regulatory expectations.

Company Information