D-Wave Quantum Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

D-Wave Quantum Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:13:29 EST.

Filings

10-K filed on 2026-02-26

D-Wave Quantum Inc. filed a 10-K at 2026-02-26 16:13:29 EST
Accession Number: 0001907982-26-000026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have adopted certain policies and are continuously updating our policies and procedures to evaluate, identify, and handle material risks associated with cybersecurity threats to align with industry and regulatory expectations, including the U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. These protocols are integrated into a comprehensive risk register dedicated to our cloud-based platform and internal systems access. The register undergoes a review, at least annually, conducted by the internal information technology (" IT ") department, overseeing cybersecurity protection for our on-premises systems, and the DevOps department, responsible for cybersecurity protection in the cloud, and is updated upon material changes, acquisitions, or significant threat activity. We also conduct regular risk assessments to identify threats to our information security systems. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. We assess the risks facing us after our controls are accounted for, and then determine mitigation measures for each such risk. Our risk management processes also assess third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. Following these risk assessments, we re-examine our systems and processes to ensure that reasonable safeguards are in place to minimize identified risks and address any issues that arise. Our Chief Information Security Officer works with management to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with IT and management. Personnel at all levels receive regular mandatory training on our cybersecurity policies and practices. Key safeguards include, but are not limited to, access controls, authentication, third-party security obligations, and other technical and organizational measures. In addition, we maintain policies and procedures for backups, business continuity, and disaster recovery, and regularly test our policies and procedures to ensure they allow for timely recovery and restoration of backups and the availability of critical resources. 58 We enlist third-party service providers to support us in conducting information security reviews of our infrastructure, and the evaluation of our company policies. These providers undertake comprehensive evaluations that delineate potential risks, categorized by criticality and associated level of effort. Subsequently, we undertake a meticulous examination of the risks to potentially recalibrate the likelihood of identified risks, taking into consideration the vulnerabilities unearthed by the third-party assessment. As noted above, this register is reviewed at least annually and updated upon material changes, acquisitions, or significant threat activity. Depending on the type of services required, the sensitivity of the relevant IT systems and data, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. We conduct due diligence prior to engaging a vendor to provide services and require the vendor to contractually commit to appropriate data protection measures, depending on the nature of the services provided. As part of the software request and vendor evaluation process, we ensure there is a secure method for transmitting data. This includes verifying that encryption is in place both in transit and at rest. Additionally, we require key vendors to provide a SOC 2 Type 2 report, which we review to confirm that security controls have been audited and validated. These measures help ensure that third-party vendors maintain appropriate safeguards for handling and sharing confidential information. Upon identifying vulnerabilities, we commit to addressing them promptly, prioritizing based on their criticality. High-priority remediation efforts will be coordinated with the collaboration of Enterprise IT and DevOps teams to ensure swift and effective resolution. While our Leap quantum cloud system holds SOC 2 Type 2 compliance, it is noteworthy that the correlation extends to all our IT systems, even though they are not explicitly within the defined scope. As a result, these interconnected IT systems align with SOC 2 Type 2 standards. Similarly, our policies regarding cybersecurity and IT systems are relevant for SOC 2 Type 2 compliance, but also apply to everyone in the entire organization. We have not currently identified any cybersecurity challenges that have materially impaired our operations or financial standing. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, "Risk Factors," in this Form 10-K. Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. While the board of directors' audit committee is responsible for overseeing management's risk assessment and risk management policies generally, to enhance oversight and governance in this area, the board of directors in 2025 established a standing committee that advises on cybersecurity matters and provides strategic guidance and direction for our cybersecurity program (the " Cybersecurity Committee "). The Cybersecurity Committee convenes as necessary to address critical or emerging cybersecurity concerns and to ensure alignment on approach. In the event of an incident, we have developed an incident response plan, which we are continuously updating and which sets forth the steps to be followed from incident detection and assessment to mitigation, recovery and notification and reporting, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate. The incident response plan includes escalation thresholds, decision authorities, and post-incident review processes. Our Chief Information Security Officer , who is primarily responsible for managing our cybersecurity risks, mitigation strategies and responses to any such issues that may arise, collaborates with the Cybersecurity Committee and reports to the entire Board on a quarterly basis, or more frequently as needed. Our Chief Information Security Officer oversees our IT department and has extensive experience in managing IT organizations and securing cybersecurity insurance coverages, which we currently maintain. Our Chief Information Security Officer drives our strategic IT initiatives and cybersecurity risk assessments, drawing upon over two decades of enterprise technology management expertise. Our Chief Information Security Officer oversees our cybersecurity policies and processes, including those described above. Our overall risks and assessments are monitored by a cross-functional team composed of members of senior management and the security, legal, information technology and financial reporting departments, which evaluates risks associated with assets such as infrastructure, software, people, processes, and data. A partnership exists between these aforementioned individuals and departments so that identified issues are addressed in a timely manner and incidents are escalated to the appropriate parties as required. Our incident response plan, which includes escalation thresholds, decision authorities, and post-incident review processes, is tested and adjusted regularly or in response to a particular incident or significant threats where appropriate. 59

Company Information