ENERGY FUELS INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

ENERGY FUELS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:17:22 EST.

Filings

10-K filed on 2026-02-26

ENERGY FUELS INC filed a 10-K at 2026-02-26 17:17:22 EST
Accession Number: 0001385849-26-000009


Item 1C. Cybersecurity.

The Company maintains a Cybersecurity Risk Management Program ("CRMP") designed to identify, assess, manage, monitor, mitigate and report cybersecurity risks, which is integrated into the Company's enterprise risk management framework. The CRMP applies a layered security approach across prevention, detection and mitigation, informed by ongoing assessment of the threat landscape.

The Company operates an Information Security Management System ("ISMS") comprised of a coordinated set of IT security policies, standards and procedures designed to protect information assets and support effective management of cybersecurity risks. The ISMS includes IT-focused policies covering areas such as access control, change management, patch management and operation security, as well as user-focused policies addressing acceptable use, artificial intelligence usage and password guidelines. These policies are reviewed periodically and updated as required to reflect changes in risk, technology and regulatory expectations. The Company's Cybersecurity Policy, which governs the ISMS and is maintained on a confidential basis, is reviewed and approved annually by the Audit Committee and the Board. Cybersecurity training is an integral component of the ISMS and focuses on educating employees on their obligations under these policies, reinforcing secure use of Company systems and data and supporting consistent policy compliance across the organization with training tailored to roles and responsibilities.

The underlying controls of the CRMP are aligned with internationally recognized best practices, standards and regulatory frameworks for cybersecurity, information security and data protection. These include, where applicable, the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, the Center for Internet Security ("CIS") and Service Organization Controls ("SOC 1") issued by the American Institute of Certified Public Accountants. The CRMP is designed to support compliance with applicable global privacy and data protection obligations, including the Australian Privacy Act 1988 ("Privacy Act") and the EU General Data Protection Regulation ("GDPR"), and is expected to be scalable across all jurisdictions in which the Company operates, now and in the future. The Company's evaluation of, and integration efforts relating to, these existing frameworks have resulted in strongly aligned information security and risk management elements, methods and technologies.

The Company continually scrutinizes and refines its cybersecurity and risk management programs to ensure they remain responsive to the evolving threat landscape and effectively address emerging risks across all areas of the business. The Company has expanded its investment in IT and cybersecurity with the implementation of layered security controls, improved identification and protection of critical assets, and strengthened monitoring and alerting capabilities. As part of this approach, the Company has implemented a fully managed Detection and Response ("MDR") service that combines an advanced security platform spanning endpoint, identity and cloud environments with 24/7 monitoring by specialist security analysts. This service provides continuous threat hunting, investigation and response capabilities to proactively detect and contain cybersecurity threats.

The Company has appointed a Director Global IT to assess and analyze the Company's enterprise cybersecurity, governance, risk, and compliance ("GRC") operations and programs against the NIST Cybersecurity Framework and the CIS Critical Security Controls. In addition, the Company engages specialist independent third-party cybersecurity firms to conduct annual penetration testing (internal and external) to validate the effectiveness of technical controls and identify areas for improvement. These activities support the ongoing maturity of the Company's cybersecurity program and inform a rolling multi-year roadmap to further enhance the Company's cyber resilience and to protect stakeholders, systems and information assets.

The Company has established its interdisciplinary team to monitor and assess cybersecurity risks on an ongoing basis, which is led by the Company's Chief Financial Officer ("CFO"). It is a cross-departmental team that consists of legal, finance, internal audit and operations personnel, with all significant implementation efforts executed by the Director Global IT, who has more than 30 years of experience in IT, including extensive involvement in cybersecurity strategy, enterprise risk management and the oversight of IT environments spanning multiple sites and jurisdictions. The team is in charge of developing, maintaining and measuring compliance with CRMP and dedicates significant resources to cybersecurity and risk management processes to adapt to the ever-changing cybersecurity landscape and to respond to emerging threats in a timely and effective manner. Additionally, the team reviews enterprise-level cybersecurity risks at least annually, or more frequently as required, including risks arising from third-party service providers.

The Company maintains a structured cybersecurity incident management framework supported by continuous security monitoring, employee awareness and training and formally documented response procedures. Any cybersecurity incidents are identified through technical and internal reporting mechanisms and are managed in accordance with the Company's Incident Response Plan and Disaster Recovery Plan (together, the "Response Plans"). The Response Plans define the governance, escalation, containment, investigation, remediation, recovery and communications requirements for cybersecurity incidents, including executive and Board-level oversight where appropriate. The framework is designed to enable timely detection, effective response and orderly recovery from cybersecurity incidents while supporting regulatory and contractual reporting obligations and the safe restoration of normal business operations.

The Board has delegated primary oversight of the Company's cybersecurity risks and management's approach to monitoring, mitigating and responding to those risks to the Company's Audit Committee. Management, led by the CFO and supported by relevant cross-functional leaders, provides the Audit Committee with regular updates on the effectiveness of the CRMP at least quarterly, and more frequently as required. These updates cover material developments in the threat environment, emerging standards, vulnerability and risk assessments, third-party reviews and relevant technology and information security trends. Cybersecurity risks are also reviewed by the Board annually as part of the Company's enterprise risk management process. The Audit Committee receives timely notification of any cybersecurity incident that meets applicable regulatory or stock exchange reporting thresholds, along with ongoing updates until the incident is fully resolved.

The Company faces risks from "cybersecurity threats" (as defined in Item 106(a) of Regulation S-K) that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. The Company has experienced, and will likely continue to experience, immaterial "cybersecurity incidents" (as defined in Item 106(a) of Regulation S-K) in the ordinary course of its business. However, prior cybersecurity incidents have not had, and are not reasonably likely to have, a material adverse effect on the Company's business, financial condition, results of operations or cash flows. See Part I, Item 1A. Risk Factors - An information security incident, including a cybersecurity breach, could have a negative impact to the Company's business or reputation.


Company Information

Name: ENERGY FUELS INC
CIK: 0001385849
SIC Description: Mining & Quarrying of Nonmetallic Minerals (No Fuels)
Ticker: UUUU - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31