BTCS Inc. - (BTCS)

10-K Filing Date: March 21, 2024
ITEM 1C. CYBERSECURITY

 

We are subject to various cyber and other security threats, including attempts to gain unauthorized access to sensitive information and networks; virtual and cyber threats to our directors, officers, and employees; and threats to the security of our infrastructure and assets. To mitigate the threats to our business, we take a comprehensive approach to cybersecurity risk management. Our Board and our management oversee our risk management program, including the management of cybersecurity risks. We have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats, including those discussed in our Risk Factors, and have integrated these processes into our overall risk management systems and processes. We have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make investments as may be required to maintain the security of our data and cybersecurity infrastructure. While there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective, we believe that the Company’s sustained investment in people and technologies has contributed to a culture of continuous improvement that has put the Company in a position to protect against potential compromises.

 

As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. We can provide no assurance that there will not be incidents in the future or that past or future attacks will not materially affect us, including our business strategy, results of operations, or financial condition.

 

Risk Management and Strategy

 

Our cybersecurity risk management program (“cybersecurity program”) is designed and assessed by leveraging the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), customized to align with our entity size, risk profile, and industry best practices. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

 

The key objectives for the Company’s cybersecurity program are to implement and sustain effective security controls to stop intrusion attempts and to maintain and continuously improve its ability to respond to attacks and incidents. Success in achieving these objectives relies upon using quality technology solutions, cultivating and maintaining a team of skilled professionals, and continuously improving processes. Our cybersecurity program in particular focuses on the following key areas:

 

Risk Assessment: We conduct risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments are designed to identify reasonably foreseeable internal and external material cybersecurity risks to our critical systems, information, products, services, and our broader Company-wide IT environment, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Risk assessments take into account information from internal stakeholders, known information security vulnerabilities, and information from external sources, including reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants as needed. The results of our assessments are used to develop initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader Company-wide risk assessment that is then periodically reported to our Board and Audit Committee.

 


Technical Safeguards: We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence, and incident response experience.

 

Incident Response and Recovery Planning: We have established a comprehensive incident response and recovery plan that guides our response in the event of a cybersecurity incident.

 

Vendor Risk Management: We have implemented a robust vendor risk management program, which is designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers in response to questionnaires and meetings as well as information from third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities, and investigate security incidents that have impacted our third-party providers, as appropriate. We also obtain and review Systems and Organization Control (“SOC”) reports from several of our key service providers.

 

Education and Awareness: Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees and third-party contractors of the importance of handling and protecting data, including through privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. All employees and third-party contractors are directed to report to our senior management any irregular or suspicious activity that could indicate a cybersecurity threat or incident.

 

Governance

 

Our senior management team, led by our Chief Financial Officer and Chief Technology Officer, is responsible for assessing and managing our material risks from cybersecurity threats. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

 

The Audit Committee of our Board of Directors considers cybersecurity risks and other information technology risks as part of its risk oversight function and evaluates our risk assessment and management policies, including periodic discussions with our senior officers. In addition, management updates the Board of Directors, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. Our Audit Committee also meets at least quarterly with our independent registered accounting firm and communicates with them regarding any cybersecurity-related risks.