IonQ, Inc. - (IONQ)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of identifying and managing cybersecurity risks and have integrated cybersecurity risk management into our overall risk management processes. We have implemented processes to identify, assess, detect, evaluate, and mitigate ongoing security threats to our information technology systems and data as well as those of third parties upon which we rely.

We conduct periodic and ad-hoc risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

As part of our risk management process, we conduct application security and vulnerability assessments, undergo third-party penetration testing, maintain ongoing risk assessments, and monitor various third-party risk feeds. Our risk management processes also assess third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. In evaluating our response to our application security assessments, penetration tests, and risk feeds, our team collaborates with technical and business stakeholders to further analyze the risk to the company and to form detection, mitigation, and remediation strategies that enhance our current security program. Our security program is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework Special Publication 800-53 standard, and we have passed a SOC 2 Type 1 audit. Although we refer to such frameworks in developing our cybersecurity risk management approaches, our use of them as guides is not intended to suggest that we meet any particular technical standards, specifications, or requirements set forth therein.

We maintain an incident response plan that includes, among other areas, prioritization guidelines, data collection and evidence handling, communication channels and partners, and, if required, law enforcement engagement. We maintain relationships with both local and national law enforcement agencies. We evaluate security incidents on a scale of severity to determine the appropriate incident handling protocols.

We require all employees to undertake data protection and security training at least annually. We provide specialized training to targeted groups of employees depending on their role and the larger threat landscape. We are briefed regularly by national law enforcement and work with external consulting firms on custom training and evaluations.

While we have experienced cybersecurity incidents in the past, to date, none have materially affected the Company or our financial position, results of operations, or cash flows. We continue to invest in the cybersecurity and resiliency of our systems and networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” under the heading “If our information technology systems, data, or physical facilities, or those of third parties upon which we rely, are or were compromised, we could experience adverse business consequences resulting from such compromise,” which should be read in conjunction with the information contained within Item 1C, Cybersecurity.

Cybersecurity Governance

The Company’s Board of Directors oversees the overall risk management process, including cybersecurity risks, directly and through its committees. Our Audit Committee is responsible for the oversight of cybersecurity risks, including our assessment of potential vulnerabilities and threats, evaluation of incidents, and monitoring of the implementation of key actions and/or projects to further enhance our ability to detect and manage ongoing security threats. Key members of management, including our security officer, provide updates to our Audit Committee on at least a semi-annual basis. In addition to committee updates, our security officer also meets with the full Board of Directors at least annually to discuss the Company’s overall risk profile and associated ongoing mitigation efforts. The briefings provided to our Audit Committee and Board of Directors include updates on the Company’s key cyber risks and threats, the status of projects to strengthen our information security systems and incident readiness programs, assessments of the information security program and our key assets, and the emerging threat landscape.

Our security officer, who reports to our VP of Engineering and is a member of the senior leadership team, collaborates closely with key members of management, including our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, VP of Engineering, and SVP of Product, to continuously monitor and evaluate our ongoing risk profile and mitigation strategies. Our security officer also provides ad hoc updates to management on cybersecurity-related news and events and discusses any updates to our cybersecurity risk management and strategy programs that result from these matters. Our security officer collaborates closely and regularly with our external consulting firm, which provides a fractional Chief Information Security Officer (“CISO”), a cybersecurity expert with recognized expertise and many years of experience.

The Company’s overall risks and assessments are monitored by a cross-functional team composed of members of senior management, security, legal, and financial reporting. A partnership exists between the aforementioned individuals and departments so that identified issues are addressed in a timely manner and incidents are escalated to the appropriate parties as required.