Page last updated on February 25, 2026
Fidelity Ethereum Fund reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:04:13 EST.
Filings
10-K filed on 2026-02-25
Accession Number: 0001193125-26-071486
Item 1C. Cybersecurity.
Overview

The Sponsor, Fidelity Management & Research LLC, and their respective affiliates operating as a business organization (collectively, "Fidelity") and its Enterprise Cybersecurity organization, on behalf of the Trust, have established a risk management program which includes processes to identify, assess, and manage cybersecurity risks, including material risks from cybersecurity threats, and to put in place appropriate controls to mitigate these risks and reduce the potential impact to the Trust and its Shareholders. The Trust does not have any employees and relies upon Fidelity and its Enterprise Cybersecurity organization for the Trust's day-to-day operations and to establish strategies, policies, and standards for the security of, and operations in, cyberspace.

Management of cybersecurity risk is a key area of focus for the Enterprise Cybersecurity organization, as threat actors continue to target Fidelity with sophisticated, ever-evolving attacks. Enterprise Cybersecurity's mission is to protect Fidelity and its customers from these attacks and other cyber incidents through risk optimization, policies, controls, technical capabilities, and employee training and awareness on risks, policies and standards. As Enterprise Cybersecurity implements measures to address cyber risk, it also continuously reviews its resources to better enhance security of systems, networks, data, and other technology.

The potential impact of risks from cybersecurity threats on the Trust is assessed on an ongoing basis. These risks are regularly evaluated to determine if they could materially affect the Trust's business strategy, operational results, and financial condition. During the reporting period, Fidelity did not identify any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Trust, including its day-to-day operations, financial condition, or business strategies. While Fidelity will continue to enhance its approach to address cybersecurity risk, it is possible that it will not be successful in preventing or mitigating a future cybersecurity incident that could have a material impact on Fidelity or the Trust's operations, financial condition, and business strategies.

Third Party Risk and Engagement

The Trust depends on and engages various third parties, including suppliers, vendors, and service providers, to operate its business. Third party incidents, such as supply chain attacks, ransomware operations, or insider misconduct, could result in a material impact to the Trust through the compromise of sensitive information or system failures. To address these risks, Fidelity has a vendor oversight program which includes periodic reviews of the cyber controls of third-party service providers, with the frequency of such reviews generally based on the nature of the Trust's information processed by the vendor and the vendor's criticality to business operations.

Independent Assessment of Controls

On behalf of the Trust, Fidelity engages third-party consultants to assess, identify, and/or manage material risks from cybersecurity threats. For example, Fidelity engages third-party consultants to perform audits of its cybersecurity measures and risk management processes, including those applicable to the Trust. Fidelity has also hired qualified independent assessors to review applicable security controls in accordance with the American Institute of Certified Public Accountants' System and Organization Controls assurance programs. Additionally, Fidelity utilizes third-party consultants with specific areas of cybersecurity expertise to review and report on various aspects of its cybersecurity program, including those applicable to the Trust. The results of these consulting engagements are shared with the Sponsor as part of periodic reporting.

Monitoring Emerging Threats

Threat actors' utilization of emerging and new technologies such as Artificial Intelligence to enhance cyber-attacks is an ongoing risk. Fidelity's Cyberthreat Intelligence (CTI) unit within Enterprise Cybersecurity is designed to alert stakeholders, control owners, and decision-makers of emerging cyber threats to Fidelity infrastructure, vendors, and clients. CTI operates via a follow-the-sun approach, monitoring criminal, nation-state, hacktivist, and insider groups and their use of these technologies to carry out attacks. CTI utilizes information gathered from public and private sources, including industry groups such as the U.S. Cybersecurity and Infrastructure Security Agency and the Financial Services Information Sharing and Analysis Center. The organization analyzes such information and incorporates threat actors' tactics, techniques, and procedures into the program's security monitoring and detection tools and processes.

Organization and Management

Fidelity Enterprise Cybersecurity is comprised of several product areas that are designed to defend against attack, damage, and unauthorized action to information, data, and systems. Among these functions are:

Detect and Respond, which is responsible for delivering global cybersecurity operations, intelligence, and analytics to ensure data confidentiality, integrity, and availability for Fidelity and its customers. This product area utilizes the latest tools and technology to monitor Fidelity's environment for signs of suspicious activity, as well as proactively detect and hunt for the latest cyber threats. Key functions include the Security Operations Center, Threat Intelligence, Insider Threat, and Endpoint Security.

The Information Security Office, which is a team that assists with the migration and implementation of Enterprise Cybersecurity policy into each of the firm's business units. Each Fidelity business unit has a dedicated Information Security Office team that partners with the business on cyber client engagement, security advisory, risk reduction, regulatory compliance, and education and awareness.

Application and Infrastructure Security, which is responsible for identifying, assessing, and mitigating risks posed by software vulnerabilities, malware, and configuration exposures in Fidelity's applications and technology infrastructure. This product area focuses on critical functions such as vulnerability scanning, penetration testing, and vendor application remediation, enabling Fidelity to address risks from vulnerabilities before they are exploited.

Enterprise Cybersecurity also employs several teams that work together and are responsible for enabling Fidelity with a persistent readiness posture through comprehensive cyber risk management from risk identification through remediation. These teams include Cyber Risk, Cyber Controls & Policy, and Cyber Regulatory & Audit. Together, these teams provide a foundation and framework for the Enterprise Cybersecurity organization to align with industry standards, meet regulatory expectations, and adjust to changing risks.

Governance and Oversight

The Sponsor, in conjunction with Fidelity's Enterprise Cybersecurity organization, provides strategic oversight regarding cybersecurity risks and threats to the Trust. The Sponsor's Compliance and Risk Management Committee ("CRMC"), comprised of various officers of the Sponsor and the broader Fidelity organization, receives and reviews periodic reports from senior executives in Fidelity's Enterprise Cybersecurity Organization, including Fidelity's Chief Information Security Officer ("CISO") and members of the CISO's staff. These reports contain information about risks from cybersecurity threats, including results of independent reviews of the cybersecurity program, summaries of recent threat intelligence assessments, progress on key initiatives and strategies, and updates on recent regulatory activities, including new regulations and examinations.

The CRMC is responsible for assessing and managing material risks from cybersecurity threats. In connection with the Trust's reliance on Fidelity and its Enterprise Cybersecurity organization, the CRMC relies on the cybersecurity expertise of Fidelity's CISO and members of the CISO's staff to assist in assessing and managing the Trust's material risks from cybersecurity threats. Fidelity's CISO has over thirty years of experience as a technology and information risk management leader, holding global senior management roles with large, diversified financial services companies. He has served as Fidelity's CISO since May 2024. He reports to Fidelity's Head of Technology and Global Services.

The Sponsor is informed about cybersecurity incidents, including material cybersecurity incidents, impacting the Trust. The Sponsor monitors the prevention, detection, mitigation, and remediation of such incidents, including through the receipt of notifications from service providers and reliance on communications with risk management, legal, cybersecurity, information technology, and/or compliance personnel of Fidelity. In conjunction with Fidelity's Enterprise Cybersecurity organization, the Sponsor, on behalf of the Trust, also participates in regular testing of applicable incident response processes to ensure appropriate escalation, mitigation, communication, and reporting processes are in place.

Company Information
| Name | Fidelity Ethereum Fund |
| CIK | 0002000046 |
| SIC Description | Finance Services |
| Ticker | FETH - CBOE |
| Website | |
| Category | Non-accelerated filer Smaller reporting company Emerging growth company |
| Fiscal Year End | December 31 |