Riot Platforms, Inc. - (RIOT)
10-K Filing Date: February 22, 2024
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These material risks are managed across Riot, our subsidiaries, and third-party contractors, and monitoring such risks and threats is integrated into our overall risk management program. Our risk management program is comprised of, among other things, policies that are designed to identify, assess, manage, and mitigate cybersecurity risk, and is based on applicable laws and regulations, informed by industry standards and best practices.
We conduct risk assessments to evaluate the effectiveness of our systems and processes in addressing threats and to identify opportunities for enhancements. Additionally, we conduct privacy and cybersecurity reviews, as well as annual employee training, and monitor emerging laws and regulations related to information security and data protection. We utilize third-party tools and techniques to test and enhance our security controls, perform annual cybersecurity framework assessments, conduct ongoing penetration testing of our systems, and benchmark against industry practices. Our internal audit function provides an independent assessment of the overall operations of our cybersecurity program and the supporting frameworks.
In support of our risk management program, we have adopted an Information Security Policy (the “Info-Sec Policy”) and an Incident Response Plan (the “Response Plan”) that establish administrative, physical, and technical controls and procedures to protect the integrity, confidentiality, and accessibility of sensitive data that may exist throughout the Company as well as processes to assess, identify, manage, and report cybersecurity risks and incidents. Our Info-Sec Policy applies to all persons working for the Company, as well as any third parties working with Riot in any capacity. Violation of our Info-Sec Policy may result in revocation of access privileges, and disciplinary action up to and including termination of employment or service relations for third parties.
Our cybersecurity team analyzes all third-party vendors for compliance with our internal Info-Sec Policy in order to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, maintain security controls to protect our confidential information or data, and to notify us promptly, but in any case, no later than twenty-four (24) hours after the occurrence of any data breach or cybersecurity incident that may impact our data. After coordinating a response to any third-party cybersecurity incident, the incident response team reviews service providers’ compliance with the privacy and data security requirements of our Info-Sec Policy, obtains written assurance of corrective actions, as appropriate, and considers whether additional measures need to be taken to protect the Company.
Our cybersecurity team engages and utilizes third-party services as it monitors and actively responds to cybersecurity threats. We utilize an Endpoint Detection and Response (EDR) platform, an anti-virus application through which incoming electronic communications are filtered, and an email security platform that seeks out identifiers in communications that disguise, impersonate, or otherwise misrepresent the source of the communication. Any such communications are then subject to quarantine or removal depending on the severity of the issue. Additionally, we use a Security Information and Event Management (SIEM) system, which allows us to store logs off the system of record to prevent log tampering and provides the cybersecurity team functionality to build alerts on specific use cases that are important and unique to our business. If our applications fail or our software does not successfully block a malicious electronic communication, employees are required to notify an immediate supervisor or the cybersecurity team promptly, but in no circumstances later than twenty-four (24) hours after such occurrence.
Our board of directors has ultimate oversight of our strategic and business risk management and, as such, has oversight responsibilities for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks. Management is responsible for identifying, assessing, and managing material cybersecurity risks on an ongoing basis, establishing and updating processes to ensure such potential risks are monitored, putting in place appropriate mitigation measures, and providing regular reports to our board of directors on cybersecurity trends and risks and, should they arise, any material incidents.
Our Chief Financial Officer is responsible for our cybersecurity program, and our Manager of Cybersecurity is our incident response team leader. In this position, our Manager of Cybersecurity oversees our cybersecurity team, and guides our incident response team, which is comprised of members from across our organization, including cybersecurity, IT support, mining operations, software engineering, compliance and legal, as well as contractors and other partners, as they support our cybersecurity functions. Our Manager of Cybersecurity has nearly two decades of experience in cybersecurity management and policy, achieved through job training, higher education, and military experience, and possesses a background in security and alignment of information technology solutions.
Our Response Plan, developed by management, our cybersecurity team, and our IT support team, serves as a Company-wide guide to facilitate coordinated, prompt, and systematic responses to any cybersecurity incidents and utilizes four interconnecting phases: (1) Preparation; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post-Incident Activity.
Upon detection of a cybersecurity incident and initial intake and validation by our cybersecurity team, our incident response team triages and evaluates the cybersecurity incident, and, depending on the severity, escalates the incident to management and a cross-functional working group. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment and reported to executive management. Determination of what resources are needed to address the incident, prioritizing of response activities, forming of action plans, and notification of external parties as needed are then undertaken by executive management and the cross-functional working group, led by our Chief Financial Officer and Manager of Cybersecurity. We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our executive management makes the final materiality and disclosure determinations, among other compliance decisions.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we may not be successful in eliminating all risks from cybersecurity threats and can provide no assurances that undetected cybersecurity incidents have not occurred. See Part I, Item 1A. “Risk Factors” of this Annual Report for more information regarding the cybersecurity risks we face.