Quantum Computing Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Quantum Computing Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 17:06:38 EST.

Filings

10-K filed on 2026-03-02

Quantum Computing Inc. filed a 10-K at 2026-03-02 17:06:38 EST
Accession Number: 0001213900-26-022417

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY A robust and consistent approach to cybersecurity is critical to achieving our strategic business objectives and protecting our intellectual property. As an advanced technology company developing quantum photonic products, we face a wide range of cybersecurity threats such as ransomware and denial-of-service attacks that affect most industry sectors, to attacks from highly sophisticated adversaries, including nation state actors, that target dual-use advanced technologies such as quantum computing. Our customers, suppliers and other business partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. The Board, through the Risk Committee, is actively involved in oversight of the Company's risk management program, and cybersecurity represents an important component of the Company's overall approach to enterprise risk management ("ERM"). The Company's cybersecurity policies, standards, processes and practices are integrated into the Company's ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Risk Management and Strategy As one of the critical elements of the Company's overall ERM approach, the Company's cybersecurity program is focused on the following key areas: ● Governance: As discussed in more detail under the heading "Governance," The Board's oversight of cybersecurity risk management is supported by the Risk Committee, which regularly interacts with the Company's ERM function, the Company's Information Technology Director ("IT Director"), other members of management and relevant management committees and councils, including management's Cybersecurity Council. ● Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner, including assessments of materiality under applicable securities laws. ● Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, antimalware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. ● Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company's response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. 30 ● Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. ● Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company's personnel with effective tools to address cybersecurity threats, and to communicate the Company's evolving information security policies, standards, processes and practices. The Company engages in the periodic assessment and testing of the Company's policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company periodically engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Risk Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. The Company has implemented policies for its personnel, including awareness programs, travel security programs and other related cybersecurity best practices. The information technology team manages the Company's cybersecurity policies, including employee training, with the ultimate goal of preventing cybersecurity incidents, if possible, while also maintaining IT system performance and data integrity to minimize the business impact should an incident occur. The Company is coordinating closely with the Board's Risk Committee to ensure that the Company will implement the appropriate cybersecurity technologies to protect the Company and its intellectual property. Governance The Board, in coordination with the Risk Committee, oversees the Company's ERM process, including the management of risks arising from cybersecurity threats. The Board and the Risk Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company's peers and third parties. The Board and the Risk Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, including those that are determined to be potentially material, as well as ongoing updates regarding any such incident until it has been addressed. To facilitate the success of the Company's cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the IT Director and the Risk Committee monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents on an ongoing basis, and report such threats and incidents to the Risk Committee when appropriate. In the event of an incident, the Company has developed an incident response plan, which sets forth the steps to be followed from incident detection and assessment to mitigation, recovery and notification and reporting, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate. The IT Director has served in various roles in information technology and information security for over 30 years, including serving as Senior System Administrator, Principal Architect, and Director of Cloud Engineering. To date, cybersecurity threats and any previously identified cybersecurity incidents have not materially affected the Company's business strategy, results of operations, or financial condition, and the Company is not aware of any cybersecurity risks that are reasonably likely to materially affect the Company. Although we take cybersecurity risks seriously, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. "Risk Factors" for a discussion of cybersecurity risks. 31

Company Information