BAB, INC. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

BAB, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 14:45:29 EST.

Filings

10-K filed on 2025-02-26

BAB, INC. filed a 10-K at 2025-02-26 14:45:29 EST
Accession Number: 0001437749-25-005215

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our Audit Committee, composed of two independent Board of Director members, has oversight responsibility for the Company’s cyber-security risk. The internal members of management that oversee cybersecurity is the Chief Financial Officer, (“CFO”) and the Director of Franchise Operations/Staff Attorney, (“DFO”). The CFO reports to the Audit Committee prior to each quarterly and annual 10-Q and 10-K filing, respectively, on any current cyber changes, procedures and any identified risks. The CFO provides the Audit Committee any cyber insurance information and will obtain approval for any changes in cyber insurance coverage. The CFO will also provide the Audit Committee any information on any possible third-party information technology, (“IT”) service and consultant changes. The Audit Committee will review and approve any change in IT service providers. The Audit Committee will be immediately notified of any cyber security threats or incidents. At BAB, Inc. we recognize the importance of safeguarding our systems, data and assets, even in an environment where the risk of cyber incidents is minimal due to the nature of our business. The CFO has over 30 years of experience in risk management and working with computer systems across various industries, providing strong oversight of the cybersecurity efforts. The DFO has several years of experience in IT operations within the company. The internal management team of the CFO and DFO are both familiar and knowledgeable of the company’s computer systems and operations and they are familiar with the company’s policies, procedures and accountability for safeguarding critical data and assets. Cybersecurity tools as listed below aid in mitigating cybersecurity risk. -7- Our cybersecurity infrastructure includes a combination of technical, administrative and physical safeguards designed to mitigate cybersecurity risks. As part of our risk management process, the CFO also regularly engages with the outside IT consultants to review and minimize the Company’s cyber risk. The Company has a firewall that protects the whole network, including intrusion protection, virus protection and other subscription-based protection that updates regularly. For those with remote access there is end-to-end encryption with a secure VPN to access the server. All computers, including those in office and any remote user’s computers have an antivirus software from a company that specializes in cybersecurity that has been installed and maintained by an outside IT consultant. The software is updating and reviewing any cyber threats on a continual basis. Additional services provide email filters to minimize phishing and spam emails. Employees are trained to not open suspicious emails and to never open attachments unless they are expecting an attachment from that Company or individual. Sensitive files are password protected and accessible by only select individuals. These files are maintained on a separate drive. Computer files are backed up and redundancy protocols are in place so that minimal downtime would occur in the event of a cyber breach. The Company also maintains cyber insurance coverage to ensure that the Company is adequately prepared in the event of an unforeseen cyber incident. No system is entirely immune to cyber threats and although our risk is low, the impact of a cybersecurity incident could impact our business, cause reputational harm, subject us to increased operating costs and/or expose us to litigation. To date, we have had no cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact our operations or financial condition. Should an incident occur, the CFO and/or DFO will immediately report the incident to the Audit Committee with all details. The communication will identify what steps are currently being taken to resolve the incident, and what actions are being taken to prevent any further security incidents from occurring.

Company Information