Coinbase Global, Inc. 10-K Cybersecurity GRC - 2026-02-12

Page last updated on February 12, 2026

Coinbase Global, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:29:17 EST.

Company Summary

Coinbase is a crypto exchange and wallet platform that allows merchants and consumers to buy, sell, and store digital currencies.

Filings

10-K filed on 2026-02-12

Coinbase Global, Inc. filed a 10-K at 2026-02-12 16:29:17 EST
Accession Number: 0001679788-26-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We have developed and implemented cybersecurity risk management processes intended to protect the confidentiality, integrity, and availability of our critical systems and information. While everyone at our company plays a part in managing cybersecurity risks, primary cybersecurity oversight responsibility is shared by our board of directors, our audit and compliance committee ("Audit Committee"), and senior management. Our cybersecurity risk management program is integrated into our overall enterprise risk management program. Our cybersecurity risk management program includes: - physical, technological, and administrative controls intended to support our cybersecurity and data governance framework, including protections designed to protect the confidentiality, integrity, and availability of our key information systems and customer, employee, partner, and other third-party information stored on those systems, such as access controls, encryption, data handling requirements, and other cybersecurity safeguards, and internal policies that govern our cybersecurity risk management and data protection practices; - a defined procedure for timely incident detection, containment, response, and remediation, including a written security incident response plan that includes procedures for responding to cybersecurity incidents; - cybersecurity risk assessment processes designed to help identify material cybersecurity risks to our critical systems, information, products, services, and broader enterprise IT environment; - a security team responsible for managing our cybersecurity risk assessment processes and security controls; - the use of external consultants or other third-party experts and service providers, where considered appropriate, to assess, test, or otherwise assist with aspects of our cybersecurity controls; - annual cybersecurity and privacy training of employees, including incident response personnel and senior management, and specialized training for certain teams depending on their role and/or access to certain types of information, such as consumer information; and - a third-party risk management process that includes internal vetting of certain third-party vendors and service providers with whom we may share data. As previously disclosed on a Current Report on Form 8-K filed with the SEC on May 15, 2025, a threat actor improperly obtained information about certain customer accounts and internal documentation, and used that information for social-engineering attempts (the "Data Theft Incident"). No passwords or private keys were compromised as a result of this incident. During the year ended December 31, 2025, we paid $311.2 million of cash related to the Data Theft Incident, comprising voluntary customer reimbursements and direct legal costs. We continue to face risks related to the Data Theft Incident, including harm to our reputation, and costs related to governmental investigations and regulatory scrutiny, and ongoing litigation. Over the past fiscal year, except as set forth herein, we have not identified any cybersecurity-related risks that have materially impacted our operations, business strategy, operating results, or financial condition. We will continue to monitor and assess our cybersecurity risk management program as well as invest in and seek to improve such systems and processes as appropriate. If we were to experience any further material cybersecurity incidents in the future, such incidents may have a material effect, including on our operations, business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face, including previous cybersecurity incidents, and potential impacts on our business related thereto, see the section titled " Risk Factors " in Part I Item 1A of this Annual Report on Form 10-K. Cybersecurity Governance With oversight from our board of directors, the Audit Committee is primarily responsible for assisting our board of directors in fulfilling its ultimate oversight responsibilities relating to risk assessment and management, including relating to cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program, including processes and policies for determining risk tolerance, and reviews management's strategies for adequately mitigating and managing identified risks, including risks relating to cybersecurity threats. The Audit Committee has established the Enterprise Risk Management Working Group ("ERMWG"), comprising members of our senior management team and other senior leaders, including our Chief Security Officer ("CSO"), to provide executive oversight of our enterprise risk management program. The ERMWG receives updates on cybersecurity matters from various staff members, including our Chief Information Security Officer ("CISO") . The Audit Committee receives updates from members of management, including our CSO and CISO, on our cybersecurity risks at its quarterly meetings, and reviews metrics about cyber threat response preparedness, program maturity milestones, risk mitigation status, and the current and emerging threat landscape. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity threats or incidents, as well as any incidents with lesser impact potential. The Audit Committee reports to our board of directors regarding its activities, including those related to key cybersecurity risks, mitigation strategies, and ongoing developments, on a quarterly basis or more frequently as needed. The board of directors also receives updates from our CSO and CISO on our cyber risk management program and other matters relating to our data privacy and cybersecurity approach, including risk mitigations to bolster and enhance our data protection and data governance framework. Members of our board of directors receive presentations that include cybersecurity topics and the management of key cybersecurity risks from our CSO and CISO as part of the continuing education of our board of directors on topics that impact public companies. Our management team, including our CSO and CISO, is responsible for assessing and managing our material risks from cybersecurity threats and for our overall cybersecurity risk management program on a day-to-day basis, and supervises both our internal cybersecurity personnel and the relationship with our retained external cybersecurity consultants. Our CSO's and CISO's experience includes years of working in the cybersecurity field in various industries, including the financial services industry . Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including through periodic ERMWG meetings; briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Company Information