Bitcoin Depot Inc. - (BTM)
10-K Filing Date: April 15, 2024
Cybersecurity Risk Management and Strategy
Identifying, assessing, and managing material risks associated with “cybersecurity threats,” as such term is defined in Item 106(a) of Regulation S-K, is important to Bitcoin Depot. Among the risks we strive to address and mitigate are the disruption of our business operations and the loss of personal and confidential data due to cybersecurity incidents, fraud, or extortion.
We integrate the identification, assessment, and management of cybersecurity risks into our overall risk management systems and processes. We detect and address such risks from cybersecurity threats in several ways, including through third-party assessments; internal governance, risk and compliance functions; participation in industry groups to obtain threat intelligence; IT audits; and IT security reviews. To protect against, detect, and respond to cybersecurity incidents, we, among other things, leverage intrusion prevention and detection systems, perform penetration testing, conduct employee training, monitor emerging laws and regulations related to data protection and information security, and implement appropriate changes to comply with the identified emerging laws and regulations. To effectuate these processes, we regularly engage third-party auditors and advisors to assess our cybersecurity programs and ensure compliance with applicable guidelines, standards, and industry best practices.
Senior management, including Bitcoin Depot’s Chief Technology Officer, Chief Information Security Officer, Cybersecurity Operations Director, Chief Financial Officer and General Counsel, is responsible for implementing these security measures and is involved in all aspects of our cybersecurity incident response and data breach management processes. Bitcoin Depot’s incident management plan provides a roadmap for categorizing and responding to incidents. Bitcoin Depot’s IT and cybersecurity teams collaborate with other company stakeholders to develop strategies for mitigating and responding to identified cybersecurity events.
Our cybersecurity threat and risk management processes also involve assessing third-party risks. We maintain a Vendor Management Policy pursuant to which we assign a risk rating and assess third-party risks by conducting cybersecurity due diligence on our vendors, suppliers, and other entities with whom we do business. Due diligence includes, as appropriate, either requiring proof of security standard compliance or satisfactory responses to our Vendor Assessment Security Questionnaire. We also evaluate the cyber practices of, and cybersecurity risks associated with, the engagement of third-party service providers, including when we negotiate cybersecurity and data privacy contract terms, such as those relating to information security and audit rights.
Although we constantly evaluate cyber risks, we are unaware of any prior cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board of Directors and management prioritize cybersecurity. Although our full Board of Directors is generally responsible for cybersecurity risk management, it has assigned principal oversight responsibility of risks from cybersecurity threats to our Audit Committee. As described above, management is also responsible for assessing and managing risks from cybersecurity threats, and designated management personnel, including our Chief Technology Officer, Chief Information Security Officer, Cybersecurity Operations Director, Chief Financial Officer and General Counsel and Corporate Secretary meet quarterly as a Risk Committee to determine cybersecurity matters to be shared with the Audit Committee. The Risk Committee provides the Audit Committee updates on such matters on at least a quarterly basis. The Audit Committee reports cybersecurity risks to the full Board during quarterly meetings.
The members of senior management involved in managing our material risks from cybersecurity threats, including our Chief Technology Officer, Chief Information Security Officer, Cybersecurity Operations Director, Chief Financial Officer, and General Counsel and Corporate Secretary, are experienced in data security matters and financial reporting matters. Our Chief Information Security Officer has more than 20 years of experience in information technology, has served in multiple technology executive roles, including security-compliance-related roles, and holds a degree in Computer Information Systems from Harding University. Our Chief Technology Officer holds a computer science degree and a Master of Engineering in Computer Science from the Massachusetts Institute of Technology and has held engineering roles at multiple financial technology companies. Our Cybersecurity Operations Director holds a Master of Science degree in computer engineering as well as a Master of Science degree in information assurance, both from Iowa State University. He has led the security operations centers for a large, global data management software company as well as a large payment processing company. Additionally, he has led audits and penetration tests as the senior manager of a consulting company. Prior to entering the private sector, he served as a police officer and detective specializing in computer crimes and forensics. Our Chief Financial Officer has over 30 years of experience in financial statement reporting and auditing. Our General Counsel has significant experience advising on cybersecurity and data protection matters and building out cybersecurity and data privacy compliance programs across business lines in the financial services industry.