LIGHTBRIDGE Corp 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

LIGHTBRIDGE Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:31:13 EST.

Filings

10-K filed on 2026-02-26

LIGHTBRIDGE Corp filed a 10-K at 2026-02-26 16:31:13 EST
Accession Number: 0001477932-26-001076

Item 1C. Cybersecurity.

Risk Management and Strategy

Lightbridge utilizes third-party vendors to manage its information technology (IT) systems via a Managed Service Provider (MSP) for general administration of the IT process including providing a Virtual Chief Information Officer (vCIO). vCIO services include: (a) operational review, strategic planning, technology road-mapping; (b) development of a custom IT policy/handbook; and (c) reporting in accordance with the service level agreement and support commitment adherence data to Lightbridge via MSP's Service Delivery Team.

vCIO will also:

· Provide operational oversight of IT functions;
· Identify and help plan for improvements to Lightbridge's overall infrastructure;
· Assist with the management of technology vendors;
· Act as a point of contact in emergency/systems-down situations and liaison between Lightbridge and Dataprise resources; and
· Perform trend analysis and document recommendations to Lightbridge as needed.

Lightbridge also utilizes third-party vendors to manage its cybersecurity needs via a Managed Services Security Provider (MSSP). MSSP services include:

· Managed Security Services
· Email Phishing Simulations
· End User Security Awareness Training
· Dark Web Credential Monitoring
· Vulnerability Scanning
· Next-Generation Anti-Virus

We and our MSP/MSSP also utilize processes designed to reduce cybersecurity risk from third-party vendors and technology. For example, we may conduct upfront diligence of the third-party's cybersecurity, employ contracts that address cybersecurity risk, and monitor vendors' compliance with their representations regarding cybersecurity.

The MSSP utilizes a Security Information and Event Management (SIEM) system to monitor the IT infrastructure. The SIEM and other third-party security tools/applications provide reports that include but are not limited to endpoint protection, employee security scores, phishing reports, Dark Web scanning and vulnerability scanning.
The vCIO reports to our CFO. The vCIO (and support team) has appropriate experience and training in cybersecurity and is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from other professionals in the industry, many of whom hold cybersecurity certifications, and through the use of technological tools and software and results from third-party audits. The vCIO issues quarterly reports and reports to the CFO, as appropriate, to provide updates on the Company's cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.

The Company requires its employees and applicable contractors to take yearly cyber training and its employees and applicable contractors are also required to sign confidentiality agreements for purposes including ensuring cybersecurity.

We and our MSP/MSSP have established an incident response plan to assist with responding to cybersecurity incidents. The incident response plan includes our approach to identification, escalation, and restoration from incidents, such as engaging or informing third-party experts, law enforcement, and members of the Board of Directors, as appropriate.

Governance

The Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established oversight mechanisms to promote effective governance in managing risks associated with cybersecurity threats because Lightbridge recognizes the significance of these threats to our operational integrity and stakeholder confidence. Furthermore, significant cybersecurity matters such as cybersecurity incidents that meet defined thresholds, and strategic risk management decisions are designed to be escalated to the Board of Directors, so that they have appropriate oversight and can provide guidance.
Board of Directors Oversight

The Audit Committee is central to the Board's oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including risk management, technology, and finance that helps equip them to oversee cybersecurity risks effectively. The Audit Committee at least annually reviews information regarding the company's cybersecurity posture and the effectiveness of its risk management strategies. This review helps with oversight of areas for improvement and aligning cybersecurity efforts with the overall risk management framework.

The CFO reports to the Audit Committee regarding cybersecurity risks and provides a comprehensive briefing to the Audit Committee on a regular basis as needed, with a minimum frequency of once per year. The CFO also maintains an ongoing dialogue with the Audit Committee regarding potential cybersecurity risks and cybersecurity incidents. The vCIO is also available to address the Audit Committee, if requested.

If applicable, the Audit Committee has a process to evaluate the materiality of cybersecurity incidents to determine if the incident may require disclosure, such as a Form 8-K filing. This includes assessing the potential impact of cybersecurity risks or incidents on the company's financial position, operations, and reputation.

Risks from Cybersecurity Threats

As of the date of this Annual Report on Form 10-K, during the past three years, we have not experienced any cybersecurity incidents that have resulted in material disruption to operations, loss of data, or financial impact. There can be no guarantee that there will not be a future cybersecurity incident that will have a material impact. In the event of a cybersecurity incident, our insurance coverage may be inadequate to compensate us for any related losses we incur and, in some cases, our insurance coverage may not cover the cybersecurity incident at all.
Additional information on cybersecurity risks we face can be found in Part I. Item 1A. Risk Factors - "Risks Related to Our Business and to the Commercialization of Lightbridge Fuel(TM) - The occurrence of cybersecurity incidents, or a deficiency in our cybersecurity or the cybersecurity of our service providers, could negatively impact our business by causing disruptions to our operations, a compromise or corruption of our confidential information, regulatory enforcement and other legal proceedings, and/or damage to our business, all of which could negatively impact our financial results" of this Annual Report on Form 10-K.


Company Information

Name: LIGHTBRIDGE Corp
CIK: 0001084554
SIC Description: Industrial Inorganic Chemicals
Ticker: LTBR - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 31