VanEck Bitcoin Trust - (HODL)
10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity.
Risk Management, Strategy and Governance
The Trust has no employees or internal information systems and is managed by the Sponsor. Thus, the Trust relies on the Sponsor and VanEck, the parent company of the Sponsor, as well as the Bitcoin Custodian and other service providers to protect the Trust’s information from cybersecurity threats. VanEck has policies, standards, and procedures on information security (the “Cybersecurity Documents”). The Cybersecurity Documents govern the procurement, use, storage, protection and permissions of data systems, applications and devices. The Cybersecurity Documents outline the correct usage of elements and tasks on the networks/infrastructure to ensure safe operation, high availability, performance, and data accuracy.
VanEck has adopted the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework as its security outline. The program is reviewed annually. Using the NIST framework as a guide, VanEck’s cybersecurity program is organized around the following program domains:
● Identify critical assets, data, systems and capabilities, cybersecurity strategy and governing elements, threats and cybersecurity risks
● Protect assets (data, systems, networks, personnel, etc.) from external or internal malicious actors and failed practices
● Detect anomalies and security events through environments monitoring, analysis, remediation, and reporting. Engage outside vendors to periodically test the network infrastructure and software applications against known vulnerabilities and to ensure the use of a best practice security program
● Respond to incidents regardless of source or causality
● Recover through planning, improvements and communications (external and internal)
● Conduct after-action evaluation to identify what went well, what did not go well and improve VanEck systems on the back of an issue
VanEck employs third-party firms to assess its cybersecurity posture, conduct penetration testing, and forensic analysis.
VanEck maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, counterparties and clients, as well as the systems of third parties that could significantly and adversely impact VanEck’s business in the event of a cybersecurity incident affecting those third-party systems. Third-party risks are included within VanEck’s NIST framework, and risk identification and mitigation are supported by VanEck’s cybersecurity program. VanEck also performs diligence on certain third parties and monitors cybersecurity threats and risks identified through such diligence.
Roles and Responsibilities
Roles and responsibilities for cybersecurity have been established first by VanEck’s cybersecurity policy and secondly by its connection to the governance structure of the firm and VanEck’s risk management committee (the “Risk Management Committee”), which is comprised of senior-level employees. Cybersecurity is closely aligned with not only risk management, but also with business continuity planning and response. In addition, the importance of cybersecurity protection and its practice at the manager and employee level is frequently communicated to the staff globally. Specifically, VanEck’s Chief Information Security Officer, reporting to the co-chair of the Risk Management Committee, is responsible for conducting the firm’s cybersecurity risk assessment, as well as providing regular staff education with a special emphasis on proper desktop and email security and conduct. Special training is also given to recently on-boarded staff. VanEck’s Chief Administrative Officer and Chief Technology Officer, together with VanEck’s Chief Information Security Officer, are responsible for the day-to-day operations of the firm cybersecurity infrastructure including normal operations as well as any remedial work required in response to an incident. The communication responsibility in the event of an incident is shared by VanEck’s CEO and the General Counsel.
Since our commencement of operations, we have not experienced a material information security breach incident and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors— Other Risks—Due to the increased use of technologies, intentional and unintentional cyber-attacks pose operational and information security risks.”