CoreWeave, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

CoreWeave, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:14:01 EST.

Filings

10-K filed on 2026-03-02

CoreWeave, Inc. filed a 10-K at 2026-03-02 16:14:01 EST
Accession Number: 0001769628-26-000104

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We understand that data security is essential for privacy, compliance, and trust and maintain a cybersecurity risk management program designed to identify, evaluate, and manage risks through structured engagement with security domain leaders. Risks are assessed based on potential impact and likelihood, tracked in a centralized risk register, and managed through defined risk treatment decisions and ongoing monitoring. Cybersecurity risk posture and mitigation progress are periodically reported to executive leadership and the board of directors to support oversight and informed decision making. Material cybersecurity risks and associated threats are managed through a layered defense approach that integrates security governance, dedicated security leadership, and formal policies with technical and operational controls. These include access management, multi-factor authentication, device and configuration controls, secure development and platform-delivery practices, continuous monitoring, and threat detection and response capabilities. Preparedness is further supported by documented incident-response plans, business-continuity and disaster-recovery procedures, retained forensic resources, cyber-insurance coverage, and regular penetration testing. These processes are embedded within our broader enterprise risk-management framework. Cybersecurity risks are evaluated alongside operational and strategic risks and are incorporated into our company-wide risk assessments and reporting mechanisms. We engage external assessors, including independent security firms and certification bodies, to evaluate the effectiveness of our controls and support our compliance obligations. We align our security and compliance programs with industry-standard frameworks, including SOC 2 and ISO/IEC 27001, and require cloud infrastructure and data center colocation providers to maintain compliance with these frameworks throughout the term of their contracts. We maintain policies, processes, and procedures to oversee cybersecurity risks associated with third-party service providers, which include security due-diligence assessments, ongoing monitoring, and contractual requirements addressing security controls and incident-notification obligations. These processes help ensure that third-party relationships do not introduce unacceptable cybersecurity exposure. We continuously evaluate cybersecurity threats as part of our broader risk-management processes. To date, we have not experienced any cybersecurity incidents that have materially affected our business strategy, results of operations, or financial condition. Based on our current assessments, we do not believe that any known cybersecurity risks are reasonably likely to materially affect the company. We identify and address higher-risk cybersecurity threats through established monitoring, mitigation, and incident-response processes, which are designed to manage potential impacts before they escalate into material issues, including through coordination with legal, finance, external security advisors, and governmental agencies. For more information on our cybersecurity related risks, see Risks related to Our Business and Industry in Part I, Item 1A of this Annual Report on Form 10-K, including "A network or data security incident against us, or our third-party providers, whether actual, alleged, or perceived, could harm our reputation, create liability and regulatory exposure, and adversely impact our business, operating results, financial condition, and prospects." Governance Our Board of Directors provides direct oversight of risks arising from cybersecurity threats. Cybersecurity oversight is handled by the full Board rather than a separate committee. The Chief Information Security Officer (" CISO ") briefs the Board on an annual basis, providing updates on key cybersecurity risks, program status, significant developments, and progress against our strategic cybersecurity goals. These regular presentations, along with additional updates as needed, inform the Board's oversight and understanding of the company's cybersecurity risk posture. Management is responsible for assessing and managing the company's risks from cybersecurity threats through a defined leadership structure supported by specialized security teams and vetted external partners. Our cross-functional engineering, security, legal, operations, and compliance teams coordinate to ensure our cybersecurity commitments are continuously met and maintained. Overall accountability resides with the CISO, who oversees the company's cybersecurity program. The CISO has significant security and engineering leadership experience, including prior CISO roles, and brings deep expertise in enterprise security operations, incident response, and risk management. Our CISO is supported by dedicated information-security personnel who manage day-to-day security operations, including security engineering, secure development, vulnerability management, detection and response, offensive security, security and privacy compliance, third-party risk management, security risk management, security policy and education, detection and response, cyber, geopolitical, and physical threat intelligence, insider-threat monitoring, and global resiliency and crisis response. These teams are further supported by qualified third-party partners, including external auditors, penetration testers, and forensic firms retained for breach investigation and remediation support. Governance policies, documented procedures, and defined responsibilities enable risk-management activities to be coordinated and applied across our organization. Management monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through continuous endpoint and security monitoring, vulnerability and configuration assessments, log-analysis workflows, and established incident-response processes. Regular business reviews provide structured oversight of these activities, and visibility across cybersecurity, engineering, and executive leadership.

Company Information