{"url_path":"/sec/sqns/10-k/2026/item-16k","section_key":"item-16k","section_title":"Item 16K Cybersecurity","topic":"sec","document":{"doc_type":"20-F","doc_date":"2026-05-11","source_url":"https://www.sec.gov/Archives/edgar/data/1383395/0001383395-26-000082-index.html","accession_number":"0001383395-26-000082","cik":"0001383395","ticker":"SQNS","issuer_name":"SEQUANS COMMUNICATIONS","edgar_url":"https://www.sec.gov/Archives/edgar/data/1383395/0001383395-26-000082-index.html","primary_entity_key":"0001383395","primary_entity_name":"SEQUANS COMMUNICATIONS"},"word_count":946,"has_tables":true,"body_markdown":"Item 16K. Cybersecurity\n\nCybersecurity Risk Management and Strategy\n\nWe recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Form 20-F, Part II, Item 16K(a). These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks.\n\nWe also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Form 20-F, Part II, Item 16K(a), as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.\n\nWe have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. 
Our approach includes, among other things:\n\n• conducting regular network and endpoint monitoring designed to identify threat risks on our information systems, as such term is defined in Form 20-F, Part II, Item 16K(a);\n\n• performing RBAC (role-based access control) to groups of employees by isolating assets of each group, applying minimal rights for each group and ensuring that assets are not accessible from the public network but only via a VPN;\n\n• conducting regular, annual third-party penetration testing of our critical infrastructure to independently validate security controls and identify areas for continued focus and improvement;\n\n• implementing disaster recovery procedures and multiple site redundancy;\n\n• introduction in 2023 of new tools, applications, policies and cyber procedures based on a transition to Microsoft 365 for email, file sharing and communication of essential assets and to Teams with Microsoft 365 Standard Security providing a baseline protection profile that protects against spam, phishing, and malware threats;\n\n• as part of a strategic transition to the Microsoft 365 security suite, we have a project planned for 2026 to implement an Extended Detection and Response (XDR) solution to move beyond basic open source tooling and enhance our ability to proactively detect and respond to sophisticated threats;\n\n• enforcement of Multi-Factor Authentication (MFA) is now mandatory across all critical information systems to strengthen access security, alongside a unification of credential management in 2025 and early 2026 through a Single Sign-On (SSO) solution; and\n\n• mandatory cybersecurity awareness training for all new arrivals and existing employees, including regular refresher courses and simulated phishing exercises, to embed a security-first culture.\n\nThese approaches vary in maturity across the business and we work to continually improve them.\n\nOur process for identifying and assessing material risks from cybersecurity threats 
operates alongside our broader overall risk assessment process, covering all company risks. As part of this process appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.\n\nAs part of the above approach and processes, we regularly engage with auditors to help identify areas for continued focus, improvement and/or compliance.\n\nIn our risk factors, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. See our risk factor disclosures at Item 3D of this Annual Report on Form 20-F.\n\nIn the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements of which there were none.\n\nCybersecurity Governance\n\nCybersecurity is an important part of our risk management processes and an area of increasing focus for the Company's board of directors (the “Board”) and management.\n\nAs part of our entire Board’s operational risk management responsibilities, the Board provides oversight of risks from cybersecurity threats. The Audit Committee has been designated with the responsibility to regularly review the Company’s processes and procedures around managing cybersecurity threat risks and cybersecurity incidents. 
At least semi-annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.\n\nOur cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Director of Information Systems (DIS), who has over 36 years of work experience in various roles in computer science and enterprise/solution/software architecture.\n\nThroughout his career, our DIS has served in pivotal roles in our and other companies, including as Chief Information Officer, overseeing strategic initiatives and driving technological advancements. Notably, he led the implementation of security solutions for a public university with over 75,000 students and 3,000 teachers, ensuring robust protection of sensitive data. His expertise spans enterprise and systems architecture, software engineering, database management, and end-user computing, aligning closely with the multifaceted demands of modern cybersecurity. He has navigated complex regulatory landscapes, ensuring compliance with industry standards and regulatory requirements. 
His academic background as a lecturer, reinforced by practical experience, includes Bachelor of Science and Master of Science degrees in Engineering from the French École Nationale Supérieure d'Electrotechnique, d'Electronique, d'Informatique, d'Hydraulique et des Télécommunications (ENSEEIHT), providing a strong foundation for addressing the evolving challenges of information security and cybersecurity strategy.\n\nThese members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above."}