Planet Fitness, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Planet Fitness, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:06:48 EST.

Filings

10-K filed on 2024-02-29

Planet Fitness, Inc. filed an 10-K at 2024-02-29 16:06:48 EST
Accession Number: 0001637207-24-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy Planet Fitness recognizes the importance of developing, implementing, and maintaining cybersecurity measures designed to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Managing Material Risks & Integrated Risk Management Planet Fitness has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our risk management team works closely with our information technology ( IT ) department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. These risks are captured and prioritized in a risk register. Engaging Third-parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, Planet Fitness engages with a range of external experts, including cybersecurity assessors, consultants, legal advisors and auditors in evaluating and testing our risk management systems. Our collaboration with these third-parties includes regular audits, threat assessments, and consultation on security enhancements. Oversee Third-party Risk Because we are aware of the risks associated with third-party service providers, Planet Fitness implements processes to oversee and manage these risks. We conduct security assessments of third-party providers before engagement and maintain ongoing monitoring to oversee compliance with our cybersecurity standards. Monitor Cybersecurity Incidents The Vice President of IT Security and Sr. Director of Security implement and oversees processes for the monitoring of our information systems. This includes the deployment of security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we have implemented an incident response plan, which includes actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. 40 Table o f Contents Risks from Cybersecurity Threats As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents. For more information, see Item 1A. Risk Factors. Governance The Board of Directors emphasizes and supports the management of risks associated with cybersecurity threats. The Board maintains a collaborative relationship with IT leadership to promote effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence. Board of Directors Oversight The Audit Committee is central to the Board s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including, risk management, technology, and finance. Management s Role Managing Risk The Vice President of IT Security and the Chief Information Officer ( CIO ) play a pivotal role in informing the Audit Committee on cybersecurity risks. These individuals have over two decades of professional experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing multiple industry and regulatory compliance environments. Both individuals previously held positions similar to their current roles at other large publicly traded organizations, including global retail e-commerce and mobile-commerce brands. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies Incident reports and learnings from any cybersecurity events and Compliance with regulatory requirements and industry standards. In addition to our scheduled meetings, the Audit Committee, CIO and interim CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. The Audit Committee conducts an annual review of our cybersecurity posture and the effectiveness of our risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. Reporting to Board of Directors The VP of IT Security, in his capacity, regularly informs the CIO, Chief Financial Officer ( CFO ) and other executive team leaders of aspects related to cybersecurity risks and incidents. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors where appropriate.

Company Information