Grayscale Bitcoin Trust - (GBTC)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
To prevent, detect and respond to information security threats, the Sponsor maintains a cyber risk management program. The program is supervised by an in-house dedicated Chief Information Security Officer (“CISO”) with over 15 years of experience in financial services risk management, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Enterprise Risk Committee (“ERC”), which includes members of management of the Sponsor, receives regular reports from the CISO on, among other things, the Sponsor’s cyber risks and threats, the status of projects to strengthen the Sponsor’s information security systems, assessments of the Sponsor’s security program and the emerging threat landscape.
The CISO updates the ERC and the Board quarterly. These regular reports include the Sponsor’s performance preparing for, preventing, detecting, responding to, and recovering from, cyber incidents. The CISO also promptly informs and updates the ERC and the Board of the Sponsor about any information security incidents that may pose a material risk to the Sponsor. The Sponsor contracts an independent third party to conduct a full cyber risk assessment annually, and the results of those assessments are reported to the ERC and the Board. Material outcomes from any penetration testing, vulnerability scanning, and business continuity or disaster recovery testing are additionally reported to the ERC and Board.
The Sponsor’s Security Awareness Program includes training that reinforces the Sponsor’s Information Security policies, standards, and practices, and the expectation that employees will comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect the Sponsor’s resources and information. This training is mandatory for all employees upon onboarding at the firm and again annually, and it is supplemented by firmwide training and testing initiatives, including periodic phishing tests.
The Sponsor administers a Third-Party Risk Management Program at the firm to identify, assess and oversee the risk associated with service providers and third parties involved in the supply chain. Third parties are risk-rated and must adhere to additional security diligence requirements administered with oversight from the CISO according to risk, including cybersecurity diligence questionnaires, evidence validation, SOC report reviews, and/or on-site assessments. Material changes to the program, as well as new or worsening security risks associated with third parties, are reported to the ERC at least quarterly.
Cybersecurity Breaches:
There have not been any breaches at the Sponsor or the Trust during the year ended December 31, 2023. However, even though we take steps to employ reasonable cybersecurity efforts, not every cybersecurity incident can be prevented or detected. Therefore, while we believe there are currently no risks from any potential cybersecurity threat or cybersecurity incident that are reasonably likely to have a material effect on our results of operations or financial condition, the likelihood or severity of such risks is difficult to predict.