Dave & Buster's Entertainment, Inc. 10-K Cybersecurity GRC - 2024-04-02

Page last updated on April 11, 2024

Dave & Buster’s Entertainment, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-02 16:20:09 EDT.

Filings

10-K filed on 2024-04-02

Dave & Buster’s Entertainment, Inc. filed a 10-K at 2024-04-02 16:20:09 EDT
Accession Number: 0001628280-24-014369


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has developed and implemented a cybersecurity program (the “Program”) designed to identify, assess, and mitigate material cybersecurity related risks. The Company’s program leverages recognized frameworks and standards, including National Institute of Standards and Technology Cyber Security Framework, the Center for Internet Security Critical Security Controls, and the Payment Card Industry Data Security Standards, to assess, organize, and improve our program. As part of the Program, the Company maintains various safeguards to help protect the confidentiality, integrity, and availability of its information systems and data, including:

- layered technical controls designed to help detect, prevent, and mitigate cybersecurity threats to Company assets;
- utilization of a third-party managed detection and response service provider to monitor for cybersecurity threats, ingest threat-intelligence, and coordinate incident response efforts;
- policies, procedures, and standards that are utilized to outline the Company’s expectations, guidelines and best practices for managing cybersecurity risks;
- cybersecurity training and education for our employees;
- practices for monitoring cybersecurity risks of key third-party service providers; and
- incident response plans that provide a framework for the Company’s response to cybersecurity incidents.

From time to time, the Company engages third-party subject matter experts and consultants to conduct evaluations of our program and security controls, whether through penetration testing, assessments, or consulting on best practices to address new challenges. Results are used to identify and assess risks as well as drive priorities and initiatives to improve the overall Program. The Company also engages third-party experts and consultants, when deemed appropriate, to assist with responding to cybersecurity incidents, such as external legal counsel and forensic specialists.

In addition, assessing, identifying, and managing cybersecurity-related risks are integrated into our overall enterprise risk management (“ERM”) process. Cybersecurity risks are included in the risk universe that the ERM function evaluates, with input from information security subject matter experts at the Company, to assess top risks to the enterprise. The ERM process provides input into our strategic planning process, such as development of action plans to address and mitigate identified risks. By integrating cybersecurity risk into the overall ERM process in this manner, the Company is better equipped to identify, assess, and manage material cybersecurity risks.

During the period of this Annual Report, the business strategy, results of operations and financial condition of the Company have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see “Risks Related to Information Technology and Cybersecurity” at Item 1A “Risk Factors.”

Governance

The Company’s Information Systems organization, which is led by the Chief Information Officer (“CIO”), is responsible for implementing and maintaining the Company’s Program and related risk management. The Company’s current CIO has formal education in information technology and extensive work experience gained from over 20 years in various technology leadership roles. As leader of the Company’s information systems and technology function, the CIO receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.

The team responsible for developing and executing its cybersecurity policies is comprised of individuals with either formal education and degrees in information technology or cybersecurity, or significant experience working in information technology and cybersecurity, including relevant industry experience in security related industries.

Our Board considers cybersecurity risk as part of its risk management oversight function. The Audit Committee assists the Board in its oversight of cybersecurity risks and receives regular updates from the CIO and other Company management on cybersecurity matters at least annually. The Audit Committee reports findings and recommendations, as appropriate, to the full Board for consideration. The Audit Committee also receives information about cybersecurity risks as part of the Company’s ERM program and reporting. In addition, any cybersecurity incident assessed as being, or potentially becoming, material is escalated for further assessment and then reported to designated members of our senior management and, if necessary, the Audit Committee.


Company Information

Name: Dave & Buster’s Entertainment, Inc.
CIK: 0001525769
SIC Description: Retail-Eating Places
Ticker: PLAY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: February 1