Galaxy Digital Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Galaxy Digital Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:24:51 EST.

Filings

10-K filed on 2026-02-26

Galaxy Digital Inc. filed a 10-K at 2026-02-26 17:24:51 EST
Accession Number: 0001859392-26-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our management and board of directors recognize the critical importance of maintaining the trust and confidence of our customers, partners, and employees, including the importance of managing cybersecurity risks, and we have integrated these policies and procedures into our overall risk management systems and processes. While everyone at our company is expected to play a part in managing cybersecurity risks, our board of directors, as discussed in more detail under "-Governance" below and key members of our senior management team, are involved in the oversight of our information security program. Our information security program is based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards, and is integrated into our overall enterprise risk management program. We utilize an overarching framework to address enterprise information security governance, which seeks to protect information assets and systems against attacks and incidents while establishing appropriate security as a priority for our information technology infrastructure and throughout the product development process. Our information security team, including a team of dedicated engineers, and certain cross-functional employees routinely assess material risks from cybersecurity threats, and assess and update our cybersecurity risk management program in response to emerging trends and changes in our operations. We also engage third parties, including consultants and auditors, to evaluate the effectiveness of our risk management program, control environment, and cybersecurity practices through security audits, penetration testing, and other engagements. Our information security program is managed by our Chief Technology Officer ("CTO"), who reports to our Chief Operating Officer and oversees a team responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Our foundational security engineering, governance risk and compliance, product security and security operations teams report to our CTO and provide regular updates on significant or potentially significant threats and incidents. Our CTO has over 25 years of experience serving in information security and technology roles at financial services and technology companies. Our information security program includes an incident response program that coordinates activities across multiple teams in responding to cybersecurity incidents in accordance with a defined Incident Management Policy. This program is 84 Table of Content designed to detect, analyze, and escalate cybersecurity events, and includes a cybersecurity incident response team responsible for containment and recovery activities, and a crisis response team to liaise with business stakeholders, secure priority resources, and validate completion of any post-incident activities. In addition, we have established an executive security risk management committee composed of senior representatives of our legal, finance, information security, product, and marketing teams, which meets on a quarterly basis to review our information security program and any noteworthy developments in the quarter. Finally, we coordinate internal simulations of cybersecurity incidents periodically to test the processes we have established. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We conduct initial due diligence on the cybersecurity profile of our vendors as they are onboarded and provide continuous monitoring of critical third-party infrastructure and monitor any known breaches of those third-party systems. We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We also provide regular, mandatory training for our personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats and to communicate our evolving information security policies, standards, processes and practices . Although we are subject to ongoing and evolving cybersecurity threats, over the past fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents we have experienced from time to time, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, operating results, or financial condition. We will continue to monitor and assess our cybersecurity risk management program as well as invest in and seek to improve such systems and processes as appropriate. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our operations, business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the section titled "Risk Factors" in Part I, Item 1A of this Annual Report. Cybersecurity Governance With oversight from our board of directors, the Audit Committee is primarily responsible for assisting our board of directors in fulfilling its ultimate oversight responsibilities relating to risk assessment and management, including relating to cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program, including processes and policies for determining risk tolerance, and reviews management's strategies for adequately mitigating and managing identified risks, including risks relating to cybersecurity threat The Audit Committee receives updates from members of management, including our CTO, on our cybersecurity risks periodically, and reviews metrics about cyber threat response preparedness, program maturity milestones, risk mitigation status, and the current and emerging threat landscape. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity threats or incidents, as well as any incidents with lesser impact potential. The Audit Committee reports periodically to our board of directors regarding its activities, including those related to key cybersecurity risks, mitigation strategies, and ongoing developments. The board of directors also receives updates from our CTO on our cyber risk management program and other matters relating to our data privacy and cybersecurity approach, including risk mitigations to bolster and enhance our data protection and data governance framework. Members of our board of directors receive presentations that include cybersecurity topics and the management of key cybersecurity risks from our CTO as part of the continuing education of our board of directors on topics that impact public companies.

Company Information