SharpLink Gaming, Inc. 10-K Item 1C. Cybersecurity - 2026-03-06
SharpLink Gaming, Inc. disclosed their cybersecurity strategy, risk management and governance process in an annual SEC Filing 10-K filing on 2026-03-06 17:31:54 EST
Company Summary
SharpLink Gaming, Inc. is an online performance-based affiliate marketing company that operates an international iGaming affiliate network (PAS) and a portfolio of state-specific direct-to-player websites to generate leads and drive depositors for sportsbook and online casino operators.
Filings
10-K filed on 2026-03-06
SharpLink Gaming, Inc. filed an SEC Filing 10-K filing on 2026-03-06 17:31:54 EST.
Accession Number: 0001493152-26-009214
Item 1C. Cybersecurity
Item 1C - Cybersecurity
Cybersecurity Risk Management and Strategy
Sharplink has implemented a cybersecurity risk management framework designed to identify, assess, manage and mitigate reasonably foreseeable cybersecurity risks to its information systems, applications, networks and data (collectively, "Company Assets"). This framework is supported by formal policies, including an Amended and Restated Cybersecurity Policy and a Corporate Incident Response Plan ("CIRP"), and is integrated into the Company's broader enterprise risk management and governance processes.
The Company's cybersecurity risk management framework is designed to address threats arising from human error, malicious attacks, system malfunctions, and third-party dependencies. Key components of the framework include risk assessment and incident severity classification, defined escalation and response procedures, access controls, employee training requirements, vendor due diligence practices, and post-incident review and remediation processes.
The Company routinely evaluates cybersecurity risks that could result in unauthorized access to, disruption of, or misuse of Company Assets, including risks that could compromise the confidentiality, integrity, or availability of data. Cybersecurity risks are assessed in the context of the Company's business operations, including its digital asset treasury activities and legacy affiliate marketing operations, and are considered alongside other operational and compliance risks.
Incident Response and Recovery
Sharplink maintains a formal Corporate Incident Response Plan that establishes a structured, step-by-step approach to responding to cybersecurity incidents, including identification, containment, eradication, recovery, and post-incident review. Upon identification of an actual or suspected cybersecurity incident, the Chief Financial Officer ("CFO") conducts an initial assessment and assigns a severity rating. Depending on the severity, incidents are escalated to a Security Incident Response Team ("SIRT") assembled by the CFO, which may include representatives from management, legal, accounting, information technology and other relevant functions.
The SIRT is responsible for coordinating response actions, preserving forensic evidence, assessing potential business and regulatory impacts, and evaluating whether an incident may be material for disclosure purposes. Material incidents are escalated to the Audit Committee of the Board of Directors and disclosed as required under applicable SEC rules.
Beginning in 2026, the Company plans to conduct periodic tabletop exercises simulating cybersecurity incidents to evaluate the effectiveness of its incident response procedures and to enhance readiness across management and key personnel.
Third-Party Risk Management
The Company uses third-party service providers and technology products in the ordinary course of business. Sharplink conducts due diligence on third-party vendors, particularly those with access to Company Assets or confidential data and requires vendors to implement appropriate cybersecurity safeguards and to promptly report incidents that could affect the Company's systems or data. While the Company does not currently outsource its core cybersecurity risk management function, it may engage third-party cybersecurity service providers in the future to support or enhance its program.
##TABLE_START 51 ##TABLE_END
##TABLE_START ##TABLE_END
Employee Training and Controls
Sharplink requires employees, contractors, and other authorized users of Company Assets to comply with cybersecurity controls and responsibilities outlined in its Cybersecurity Policy. These include requirements relating to password management, multi-factor authentication, device security, secure data transfers, incident reporting, and remote work safeguards. Employees are required to report actual or suspected cybersecurity incidents immediately to the CFO.
Beginning in 2026, the Company plans to implement a formal cybersecurity awareness training program for all employees, including training on phishing prevention, incident reporting, and secure handling of confidential data. Training effectiveness will be evaluated periodically and updated as necessary to reflect evolving risks and regulatory expectations.
Cybersecurity Governance
Oversight of cybersecurity risk is a shared responsibility among management and the Board of Directors. The Audit Committee of the Board provides primary oversight of cybersecurity risks and receives regular updates from management regarding cybersecurity risk assessments, incidents, response activities, and compliance with applicable disclosure requirements . The CFO is responsible for the day-to-day administration of the Company's cybersecurity program, including implementation of controls, incident response coordination, and reporting to the Audit Committee
Cybersecurity Risks and Incidents
The Company has not experienced a cybersecurity incident that it has determined to be material as of the date of this report. However, like other companies that rely on information systems and digital infrastructure, Sharplink has experienced cybersecurity incidents in the past. Cybersecurity threats are continually evolving, and there can be no assurance that future incidents will not occur or that they will not have a material impact on the Company's business, financial condition, results of operations, or reputation.
For additional information regarding cybersecurity risks, see Item 1A, "Risk Factors," including the risk factor titled " Despite our security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance or other disruptions. "
##TABLE_START 52 ##TABLE_END
##TABLE_START ##TABLE_END