KULR Technology Group, Inc. - (KULR)

10-K Filing Date: April 12, 2024

ITEM 1C. CYBERSECURITY

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Our customers, suppliers and subcontractors face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance, and results of operations.

Cyber partners are a key part of our cybersecurity infrastructure. KULR partners with leading cybersecurity companies, leveraging third-party technology and expertise. KULR engages with these partners to monitor and maintain the performance and effectiveness of products and services that are deployed in KULR’s environment.

KULR’s Chief Technology Officer (“CTO”), in conjunction with our third-party providers, is responsible for assessing and managing KULR’s cyber risk management program, informs senior Management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and supervises such efforts.

We deploy online cybersecurity training for employees and consider this a critical step in safeguarding the Company’s data and assets. The training provides employees with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. The training techniques to strengthen our defensive stance against the increasing number and sophistication of cyberattacks worldwide include insider attacks, phishing and email attacks and data protection. Employee completion of cybersecurity training is tracked and monitored via an online administrative portal.

The Board of Directors oversees Management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Management regularly briefs the Board of Directors on our cybersecurity and information security posture, and the Board of Directors is apprised of cybersecurity incidents at quarterly Board of Directors meetings.

21

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management system and addresses both the corporate information technology (“IT”) environment and customer-facing products. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”). We conduct an annual assessment of our practices and standards against the NIST CSF.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, risk and compliance reviews, and regular meetings with KULR executives. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform vulnerability testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes.

We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We have experienced, and may continue to experience, cyber incidents in the normal course of our business. Although prior cybersecurity incidents have not had a material adverse effect on our business, financial condition, results of operations, or cash flows, there can be no assurance that we will not suffer a material loss in the future. For a description of the risks from cybersecurity threats that may materially affect the Company, see our risk factors under Item 1A. Risk Factors, including Significant disruptions of information technology systems, breaches of data security and other incidents could materially adversely affect our business, results of operations and financial condition.