MARATHON DIGITAL HOLDINGS, INC. - (MARA)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Information Security Program

The mission of our information security organization is to design, implement, and maintain an information security program that protects our systems, services, and data against unauthorized access, disclosure, modification, damage, and loss. The information security organization is comprised of internal and external security and technology professionals. We continue to make investments in information security resources to mature, expand, and adapt our capabilities to address emerging cybersecurity risks and threats. The information security organization is overseen by the Information Security Advisory Team, further detailed under the caption “Cybersecurity Governance” below.
Cybersecurity Risk Management and Strategy
Cybersecurity risk management is one component of our information security program that guides continuous improvement to, and evaluates the confidentiality, integrity, and availability of our critical systems, data, and operations.

Our approach to controls and risk management is based on guidance from the National Institute of Standards and Technology (“NIST”) and the CryptoCurrency Security Standard (“CCSS”). This does not mean that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST and CCSS as a guide to help us identify, assess, and manage cybersecurity controls and risks relevant to our business.
Our cybersecurity risk management program includes:

Identifying cybersecurity risks that could impact our facilities, third-party vendors/partners, operations, critical systems, information, and broader enterprise IT environment. Risks are informed by threat intelligence, current and historical adversarial activity, and industry specify threats;

Performing a cybersecurity risk assessment to evaluate our readiness if the risks were to materialize; and

Ensuring risk is addressed and tracking any necessary remediation through an action plan.

While we face a number of ongoing cybersecurity risks in connection with our business, such risks have not materially affected us to date, including our business strategy, results of operations, or financial condition.
35

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated the oversight of cybersecurity and other information technology risks to the Board’s Audit Committee. As part of this oversight, we created the Information Security Advisory Team (the “Task Force”). The Task Force is comprised of senior managers and executives from multiple departments within the Company, including the IT, finance, legal and operations departments. The Task Force oversees our information security program and our strategy, including management’s implementation of cybersecurity risk management.
The Task Force meets at least quarterly to discuss matters involving cybersecurity risks.
The Task Force ultimately provides information to our Audit Committee regarding its activities, including those related to cybersecurity risks. The Audit Committee also receives a briefing and continuing education from a member of the Task Force relating to our cyber risk management program at least annually. The Task Force is responsible for notifying the Audit Committee of material cybersecurity incidents.