Soluna Holdings, Inc - (SLNH)

10-K Filing Date: April 01, 2024
Item 1C: Cybersecurity

 

We proactively approach cybersecurity through a systemized, thorough process established by our internal Management and IT teams as well as external IT providers.

 

 

 

These processes are specifically designed to adapt to the evolving cybersecurity environment, enabling us to respond swiftly and effectively to new and emerging threats. Our cybersecurity initiative incorporates elements from multiple industry benchmarks, including frameworks from the National Institute of Standards and Technology (NIST) and the Center for Internet Security.

 

We regularly assess the threat landscape and take a holistic view of cybersecurity risks with a layered cybersecurity strategy based on prevention, detection, and mitigation. Our internal IT team works closely with our external IT management provider to comprehensively evaluate cybersecurity risks. They focus on monitoring, identifying, and addressing significant cybersecurity issues in real-time by employing advanced software monitoring platforms for effective mitigation and management. In addition, we have several avenues to gather risk intelligence and potential threats identified by various services and capabilities to adjust our security strategy.

 

We also have Company-wide policies and procedures concerning cybersecurity and technology standards, including a Resource and Data Recovery policy. In addition, we have other policies related to endpoint and network protection, encryption standards, malware/ransomware protection, multi-factor authentication, operational security, and confidential information. These policies go through an internal review process and are approved by appropriate members of management.

 

Our board of directors has ultimate oversight of our strategic and business risk management and, as such, has oversight responsibilities for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks. Management is responsible for identifying, assessing, and managing material cybersecurity risks on an ongoing basis, establishing and updating processes to ensure such potential risks are monitored, and putting in place appropriate mitigation measures, and will be providing regular reports on cybersecurity trends and risks and, should they arise, any material incidents to our board of directors.

 

The Company’s Chief Technology Officer (“CTO”) and Director of Information Technology (IT) are responsible for developing and implementing our information security program. Our CTO is an Executive Sponsor of the Cyber Security Program and has over a decade of experience in the Defense sector working directly with technology-driven Operational Security.

 

We have invested in IT security, encompassing various strategies such as enhanced end-user training, implementing layered defense systems, identifying and safeguarding critical assets, bolstering monitoring and alert capabilities, and consulting with expert advisors. On the management front, our IT security team diligently oversees alert systems and routinely convenes to evaluate current threat levels, analyze trends, and strategize effective remediation methods.

 

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party vendors and service providers. The internal business owners of the hosted applications are required to review user access at least annually and provide a System and Organization Controls (“SOC”) 1 or SOC 2 report from the vendor. If a third-party vendor is unable to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis.

 

The Director of IT regularly oversees the Company’s cybersecurity program. This comprehensive review includes examining management’s initiatives to identify and detect potential threats, outlining planned responses and recovery strategies for potential incidents, evaluating recent improvements made to the Company’s security detection and response capabilities, and assessing management’s advancement along the cybersecurity strategic roadmap. The internal IT team also subscribes to various threat intelligence services to evaluate our security strategy or defense mechanism against such threats.

 

Upon detection of a cybersecurity incident and initial intake and validation by our CTO and IT Director, our response team evaluates the cybersecurity incident, and, depending on the severity, escalates the incident to management and a cross-functional working group. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment and reported to executive management. Determination of what resources are needed to address the incident, prioritizing of response activities, forming of action plans, and notification of external parties as needed are then undertaken by executive management and the cross-functional working group, led by our CTO and IT Director. We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our executive management makes the final materiality and disclosure determinations, among other compliance decisions.

 

Notwithstanding these measures, we face a number of cybersecurity risks in connection with our business, and no cybersecurity process, however thorough, can alleviate all of these risks, which, if an event were to occur, could have a material adverse effect on our business, financial condition and results of operations. For fiscal years 2023 and 2022, we have not suffered a material breach or a reportable incident, and cybersecurity risks (including breach of third parties with whom we work) have not materially affected us, including our business strategy, results of operations or financial condition.