IonQ, Inc. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

IonQ, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:11:14 EST.

Filings

10-K filed on 2026-02-25

IonQ, Inc. filed a 10-K at 2026-02-25 16:11:14 EST
Accession Number: 0001193125-26-071562

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We recognize the importance of identifying and managing cybersecurity risks and have integrated cybersecurity risk management into our overall risk management processes. We have implemented processes to identify, assess, detect, evaluate and mitigate ongoing security threats to our information technology systems and data as well as those of third parties upon which we rely. 50 We conduct periodic and ad-hoc risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks and the sufficiency of existing policies, procedures, systems and safeguards in place to manage such risks. As part of our risk management process, we conduct application security and vulnerability assessments, undergo third-party penetration testing of both our digital and physical assets, maintain ongoing risk assessments and monitor various third-party risk feeds. Our risk management processes also assess third party risks , and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers and other business partners. In evaluating our response to our application security assessments, penetration tests and risk feeds, our team collaborates with technical and business stakeholders to further analyze the risk to the company, and form detection, mitigation and remediation strategies to enhance our current security program. Our security program is aligned to the National Institute of Standards and Technology Cybersecurity Framework Special Publication 800-53 standard, and we have obtained a SOC 2 Type 2 Certification. Although we refer to such frameworks in developing our cybersecurity risk management approaches, our use of them as guides is not intended to suggest that we meet any particular technical standards, specifications or requirements set forth therein. We maintain an incident response plan that includes, among other areas, prioritization guidelines, data collection and evidence handling, communication channels and partners and, if required, law enforcement engagement. We maintain relationships with both local and national law enforcement agencies. We evaluate security incidents on a scale of severity to determine the appropriate incident handling protocols. We require all employees to undertake data protection and security training at least annually. We provide specialized training to targeted groups of employees depending on their role and the larger threat landscape. We are briefed regularly by national law enforcement, and work with external consulting firms on custom training and evaluations. In addition, we regularly consider and enter into strategic transactions for the acquisition of, investment in or partnership with businesses, solutions or technologies, and therefore we conduct risk assessments with respect to such businesses, solutions or technologies and integrate them into our cybersecurity risk management program and implement the processes, assessments and plans described herein. While we have experienced cybersecurity incidents in the past, to date, none have materially affected or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. We continue to invest in the cybersecurity and resiliency of our systems and networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, "Risk Factors," under the heading "If our information technology systems, data, or physical facilities, or those of third parties upon which we rely, are or were compromised, we could experience adverse business consequences resulting from such compromise," and additional information about risks related to our ability to successfully integrate acquired businesses, including implementing our cybersecurity risk management processes, is discussed under the headings " Acquisitions and other strategic investments involve a number of inherent risks, any of which could result in the benefits anticipated not being realized," and "We have experienced in the past, and could also suffer in the future, disruptions, outages, defects and other performance and quality problems with our systems, including our information technology systems, our research and development activities, our facilities, our other fixed assets or with the public cloud, internet and other infrastructure on which they rely," in Item 1A of Part I, "Risk Factors," each of which should be read in conjunction with the information contained within this Item 1C, Cybersecurity. Cybersecurity Governance The Board oversees our overall risk management process, including cybersecurity risks, directly and through its committees. Our Audit Committee is responsible for the oversight of cybersecurity risks, including our assessment of potential vulnerabilities and threats, evaluation of incidents and monitoring of the implementation of key actions and projects to further enhance our ability to detect and manage ongoing security threats. Key members of management, including our security officer, provide updates to our Audit Committee on at least a semi annual basis. In addition to committee updates, our security officer also meets with the full Board at least annually to discuss our overall risk profile and associated ongoing mitigation efforts. The briefings provided to our Audit Committee and Board include updates on our key cyber risks and threats, the status of projects to strengthen our information security systems and incident readiness programs, assessments of the information security program and our key assets, as well as the emerging threat landscape. Our Chief Information Security Officer has over a decade of management and executive level information technology experience and reports to our Chief Information Officer. Our Chief Information Security Officer is a member of the senior leadership team, collaborates closely with key members of management including our President and Chief Executive Officer, Chief Financial Officer and Chief Operating Officer, Chief Legal Officer and Chief Administrative Officer, Chief Business Officer, Chief Information Officer, EVP of Global Engineering and Chief Product Officer to continuously monitor and evaluate our ongoing risk profile and 51 mitigation strategies. Our Chief Information Security Officer also provides ad hoc updates to management on cybersecurity-related news and events and discusses any updates to our cybersecurity risk management and strategy programs as a result of these matters. Our team includes personnel for supply chain security, governance risk and compliance and security engineering. We also leverage external industry partners in key areas including penetration testing, forensics and for our security operations center. We use industry standard security tools across our program and reevaluate these annually as we digest the evolving threat landscape. Our overall risks and assessments are monitored by a cross functional team composed of members of senior management, security, legal and financial reporting. A partnership exists between these aforementioned individuals and departments so that identified issues are addressed in a timely manner and incidents are escalated to the appropriate parties as required.
Item 1C, Cybersecurity. Cybersecurity Governance The Board oversees our overall risk management process, including cybersecurity risks, directly and through its committees. Our Audit Committee is responsible for the oversight of cybersecurity risks, including our assessment of potential vulnerabilities and threats, evaluation of incidents and monitoring of the implementation of key actions and projects to further enhance our ability to detect and manage ongoing security threats. Key members of management, including our security officer, provide updates to our Audit Committee on at least a semi annual basis. In addition to committee updates, our security officer also meets with the full Board at least annually to discuss our overall risk profile and associated ongoing mitigation efforts. The briefings provided to our Audit Committee and Board include updates on our key cyber risks and threats, the status of projects to strengthen our information security systems and incident readiness programs, assessments of the information security program and our key assets, as well as the emerging threat landscape. Our Chief Information Security Officer has over a decade of management and executive level information technology experience and reports to our Chief Information Officer. Our Chief Information Security Officer is a member of the senior leadership team, collaborates closely with key members of management including our President and Chief Executive Officer, Chief Financial Officer and Chief Operating Officer, Chief Legal Officer and Chief Administrative Officer, Chief Business Officer, Chief Information Officer, EVP of Global Engineering and Chief Product Officer to continuously monitor and evaluate our ongoing risk profile and 51 mitigation strategies. Our Chief Information Security Officer also provides ad hoc updates to management on cybersecurity-related news and events and discusses any updates to our cybersecurity risk management and strategy programs as a result of these matters. Our team includes personnel for supply chain security, governance risk and compliance and security engineering. We also leverage external industry partners in key areas including penetration testing, forensics and for our security operations center. We use industry standard security tools across our program and reevaluate these annually as we digest the evolving threat landscape. Our overall risks and assessments are monitored by a cross functional team composed of members of senior management, security, legal and financial reporting. A partnership exists between these aforementioned individuals and departments so that identified issues are addressed in a timely manner and incidents are escalated to the appropriate parties as required.

Company Information