Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 16K.

CYBERSECURITY

Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our systems and information. To protect our systems and information from cybersecurity threats, we use a variety of security tools and techniques designed to prevent, detect, investigate, contain, escalate, and recover from identified vulnerabilities and security incidents.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies and reporting channels that apply across the enterprise risk management program. Our Internal Audit & Risk team is principally responsible for facilitating our enterprise risk management program, in consultation with multiple functions at Bullish and reporting to the Audit Committee.

Our cybersecurity risk management program includes:

an Information Security Policy that articulates our information security practices and procedures to maintain confidence in our business and to protect the confidentiality, integrity, and availability of the information we handle;

a dedicated Chief Information Security Officer responsible for executing on relevant internal and external requirements and identifying appropriate technical and organizational measures to deliver information security in compliance with those requirements (in consultation with our Data Protection Officer who is responsible for advising on legal obligations with regard to personal data privacy);

a Security Governance, Risk, and Compliance team, led by our Chief Information Security Officer, principally responsible for driving our cybersecurity risk management program, including a formal information security risk assessment on an annual basis; our risk remediations, prioritizations, and security safeguards; and risk awareness or education programs for employees relating to cybersecurity;

the use of both internal and external resources, such as assessors, consultants, and auditors, where appropriate, to assess, test, or otherwise assist with aspects of our security controls; 

an external audit of our systems and environments, including an external penetration test, on an annual basis;

a cybersecurity incident response plan that includes procedures for assessing, responding to, remediating, resolving, and conducting post-analysis of cybersecurity incidents;

cybersecurity training of our incident response personnel and senior management;

various monitoring and detection tools, including a bug bounty program, to assist us in regularly identifying, assessing, prioritizing, and mitigating vulnerabilities in our products and services;

a vendor assessment program designed to identify and mitigate cybersecurity risks associated with our use of third-party service providers; and

contractual obligations on third-party vendors to report security incidents, risk identification, or other security-related issues promptly to Bullish.

We and certain of our third-party service providers have been subject to cyberattacks and security incidents in the past due to, for example, computer malware, viruses, computer hacking, credential stuffing, and phishing attacks. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, because of our prominence, we believe that we are a particularly attractive target for such attacks, and we expect to continue to experience cyberattacks and security incidents in the future. See “Item 3.D. Risks Inherent in the Digital Asset Industry - Cyberattacks and security breaches, or those impacting our customers or third parties, could adversely impact our brand and reputation and our business, operating results and financial condition.”

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our systems and information. To protect our systems and information from cybersecurity threats, we use a variety of security tools and techniques designed to prevent, detect, investigate, contain, escalate, and recover from identified vulnerabilities and security incidents.
Cybersecurity Risk Management Third Party Engaged [Flag] false
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We and certain of our third-party service providers have been subject to cyberattacks and security incidents in the past due to, for example, computer malware, viruses, computer hacking, credential stuffing, and phishing attacks. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, because of our prominence, we believe that we are a particularly attractive target for such attacks, and we expect to continue to experience cyberattacks and security incidents in the future. See “Item 3.D. Risks Inherent in the Digital Asset Industry - Cyberattacks and security breaches, or those impacting our customers or third parties, could adversely impact our brand and reputation and our business, operating results and financial condition.”
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of our cybersecurity program.

The Audit Committee receives quarterly updates from management on our cybersecurity program, including related trends or metrics. The Audit Committee also receives annual updates from our Chief Information Security Officer regarding the state of our cybersecurity, including key issues, priorities, and challenges.

In addition to any reports from the Audit Committee to the full board regarding cybersecurity, management informs and updates the full board about any significant cybersecurity incidents. The full board also receives briefings from management on key components of our programs and any pressing risk or compliance matters.

Our management team, including the Chief Information Security Officer, is responsible for assessing and managing material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Information Security Officer has over 25 years of experience in executive leadership across multiple industries in the areas of information security, digital transformation, and enterprise risk management.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of our cybersecurity program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives quarterly updates from management on our cybersecurity program, including related trends or metrics. The Audit Committee also receives annual updates from our Chief Information Security Officer regarding the state of our cybersecurity, including key issues, priorities, and challenges.
Cybersecurity Risk Role of Management [Text Block] Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our management team, including the Chief Information Security Officer, is responsible for assessing and managing material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Information Security Officer has over 25 years of experience in executive leadership across multiple industries in the areas of information security, digital transformation, and enterprise risk management.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our management team, including the Chief Information Security Officer, is responsible for assessing and managing material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Information Security Officer has over 25 years of experience in executive leadership across multiple industries in the areas of information security, digital transformation, and enterprise risk management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Audit Committee receives quarterly updates from management on our cybersecurity program, including related trends or metrics. The Audit Committee also receives annual updates from our Chief Information Security Officer regarding the state of our cybersecurity, including key issues, priorities, and challenges.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true