Gryphon Digital Mining, Inc. - (GRYP)
10-K Filing Date: April 01, 2024
Information Security Program
The mission of our information security organization is to design, implement, and maintain an information security program that protects our systems, services, and data against unauthorized access, disclosure, modification, damage, and loss. The information security organization is comprised of internal and external security and technology professionals. We continue to make investments in information security resources to mature, expand, and adapt our capabilities to address emerging cybersecurity risks and threats.
Cybersecurity Risk Management and Strategy
Cybersecurity risk management is one component of our information security program that guides continuous improvement to, and evaluates, the confidentiality, integrity, and availability of our critical systems, data, and operations.
Our approach to controls and risk management is based on guidance from the National Institute of Standards and Technology (“NIST”) and the Crypto Currency Security Standard (“CCSS”). This does not mean that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST and CCSS as a guide to help us identify, assess, and manage cybersecurity controls and risks relevant to our business.
Our cybersecurity risk management program includes:
● Identifying cybersecurity risks that could impact our facilities, third-party vendors/partners, operations, critical systems, information, and broader enterprise IT environment. Risks are informed by threat intelligence, current and historical adversarial activity, and industry-specific threats;
● Performing a cybersecurity risk assessment to evaluate our readiness if the risks were to materialize; and
● Ensuring risk is addressed and tracking any necessary remediation through an action plan.
While we face a number of ongoing cybersecurity risks in connection with our business, such risks have not materially affected us to date, including our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated the oversight of cybersecurity and other information technology risks to the Board’s Audit Committee. As part of this oversight, we created the Information Security Advisory Team (the “Task Force”). The Task Force is comprised of senior managers and executives from multiple departments within the Company, including the IT, finance, legal and operations departments. The Task Force oversees our information security program and our strategy, including management’s implementation of cybersecurity risk management. The Task Force meets at least quarterly to discuss matters involving cybersecurity risks.
The Task Force ultimately provides information to our Audit Committee regarding its activities, including those related to cybersecurity risks. The Audit Committee also receives a briefing and continuing education from a member of the Task Force relating to our cyber risk management program at least annually. The Task Force is responsible for notifying the Audit Committee of material cybersecurity incidents.
Cybersecurity Incidents
The cryptocurrency earned from Sphere 3D’s mining operations is held in a wallet, in which the Company holds the cryptographic key information and maintains the internal recordkeeping of the cryptocurrency. The Company’s contractual arrangements state that Sphere 3D retains legal ownership of the cryptocurrency; has the right to sell, pledge, or transfer the cryptocurrency; and benefits from the rewards and bears the risks associated with the ownership, including as a result of any cryptocurrency price fluctuations. Sphere 3D also bears the risk of loss as a result of fraud or theft unless the loss was caused by the Company’s gross negligence or the Company’s willful misconduct. The Company does not use any of the cryptocurrency resulting from the Sphere 3D MSA as collateral for any of the Company’s loans or other financing arrangements, nor does it lend or pledge cryptocurrency held for Sphere.
A threat actor representing themselves to be the Sphere 3D CFO inserted themselves into an email exchange between the Sphere 3D CFO and the Company’s CEO, which also included Sphere 3D’s CEO, regarding the transfer of Sphere 3D’s BTC from the Company’s wallet to Sphere 3D’s wallet. The threat actor requested that the BTC be transferred to an alternate wallet. As a result, 26 BTC, with a value of approximately $560,000 at the time, was transferred to a wallet controlled by the threat actor. Via counsel, Gryphon engaged with US Federal law enforcement to recover the BTC. Despite these attempts by law enforcement to recover the BTC, recovery was not possible. Gryphon subsequently wired the commensurate amount in USD to Sphere 3D to make them whole for the stolen BTC. Gryphon also engaged a nationally recognized third-party firm to perform a forensic analysis. The analysis revealed that the threat actor did not enter the email exchange via Gryphon’s IT systems. Sphere 3D made a claim with its insurance carrier. If Sphere 3D is reimbursed by its insurance carrier, the Company would request reimbursement from Sphere 3D. The Company has also subsequently modified its control systems to protect against any future attempted incursions. During the quarter ended June 30, 2023, the Company made a payment to Sphere 3D for $560,000, which was classified as a general and administrative expense on Gryphon’s condensed consolidated statement of operations.