MARA Holdings, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

MARA Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:49:11 EST.

Filings

10-K filed on 2026-03-02

MARA Holdings, Inc. filed a 10-K at 2026-03-02 16:49:11 EST
Accession Number: 0001507605-26-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Information Security Program The mission of our information security organization is to design, implement, and maintain an information security program that seeks to protect our systems, services, and data against unauthorized access, disclosure, modification, damage, and loss. Our information security program is staffed by internal personnel and supported, as needed, by external security and technology specialists. We continue to invest in information security resources to mature, expand, and adapt our capabilities to address evolving cybersecurity risks and threats. Management of our information security program is led by senior leadership and supported by the Information Security Advisory Team (the "ISAT"), as further detailed under the caption "Cybersecurity Governance" below. Cybersecurity Risk Management and Strategy Cybersecurity risk management is an integral component of our overall information security program and is designed to support the ongoing identification, assessment and management of risks to the confidentiality, integrity, and availability of our critical systems, data, and operations. Our cybersecurity risk management approach is informed by guidance from the National Institute of Standards and Technology ("NIST") and the Cryptocurrency Security Standard ("CCSS"), which we use as reference points to help identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management activities include: - Identifying cybersecurity risks that could impact our facilities, third-party vendors and partners, operations, critical systems, information assets, and broader enterprise information technology ("IT") environment. Risk identification is informed by threat intelligence, current and historical adversarial activity, and industry specific threat trends ; - Assessing cybersecurity risks, including periodic evaluations of control effectiveness and organizational readiness should such risks materialize; and - Addressing identified risks through risk treatment decisions and, where appropriate, tracking remediation activities through documented action plans, including the use of compensating controls or risk acceptance where warranted. We periodically engage third-party consultants and service providers to support independent assessments, penetration testing and other security validation activities, as well as to assist with monitoring and incident response capabilities as needed. Cybersecurity risks are inherent to our business and industry. While we have experienced and may continue to experience cybersecurity threats and incidents, we have not experienced cybersecurity incidents that have materially affected our business strategy, results of operations, or financial condition to date. Cybersecurity Governance Our Board of Directors (the "Board") considers cybersecurity risk as part of its overall risk oversight responsibilities and has delegated primary oversight of cybersecurity and other IT risks to the Board's Risk and Audit Committee. Management oversight of cybersecurity risk is supported by the ISAT, a cross-functional group that includes leaders from information technology, cybersecurity, finance, legal, internal audit and operations, as well as external advisors as appropriate. The ISAT supports management by advising on cybersecurity risks, controls, and strategic initiatives and by facilitating coordination across the organization. Day-to-day management of the information security program is led by the Head of Cybersecurity in coordination with information technology leadership. The ISAT meets at least semi-annually, and more frequently as needed, to review cybersecurity risks, program maturity and emerging threats. The ISAT provides updates to the Risk and Audit Committee regarding cybersecurity matters, and the Risk and Audit Committee receives periodic briefings and continuing education related to cybersecurity risk management. Material cybersecurity incidents and significant cybersecurity risk matters are escalated to the Risk and Audit Committee in accordance with established escalation procedures.

Company Information