NATHANS FAMOUS, INC. 10-K Cybersecurity GRC - 2025-06-10

Page last updated on June 10, 2025

NATHANS FAMOUS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-10 07:01:07 EDT.

Filings

10-K filed on 2025-06-10

NATHANS FAMOUS, INC. filed a 10-K at 2025-06-10 07:01:07 EDT
Accession Number: 0001437749-25-019916


Item 1C. Cybersecurity.

Risk management and strategy

The Company is committed to securing our information technology systems, including accounting software, point-of-sale software, and back-of-house software, against cybersecurity threats and protecting the privacy of the data of our customers’, employees’, franchisees’, licensees’ and other business partners. However, as described in “Item 1A. Risk Factors - Cyberattacks and breaches could cause operational disruptions, fraud or theft of sensitive information” of this Form 10-K, we recognize that cybersecurity threats are an ongoing concern in today’s digital world and that, despite devoting resources to secure our information technology systems, cybersecurity incidents can occur and, if so, could negatively impact our brand, business, results of operations and financial condition. Cybersecurity threats include any potential unauthorized occurrence on or conducted through our information technology systems or information technology systems of a third party that we utilize in our business that may result in adverse effects on the confidentiality, integrity or access to our information technology systems.

Our cybersecurity risk management program includes a cybersecurity incident response plan. We design and assess our program primarily following the guidelines of the National Institute of Standards and Technology and Payment Card Industry Data Security Standard. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use these frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

The objectives of our programs are to protect the confidentiality, integrity, use and availability of the Company’s data; to protect against unauthorized access to the Company’s data, the Company’s network and information technology applications; and to maintain disaster recovery plans to prepare for and respond to the potential for a disruption in the Company’s informational technology. Our programs fall under the oversight of our Information Technology manager. To supplement our internal controls and processes and to meet these objectives, the Company engages third-party consultants who work closely with the Company’s Information Technology manager to collectively manage our cybersecurity, information technology and data privacy programs, as well as perform application security reviews, scans and penetration tests. The Company’s senior management team, including its Chief Executive Officer and its Chief Financial Officer, reviews the assessments performed by its third-party consultants and determines the plans to be executed in collaboration with the Information Technology manager.

Our information technology infrastructure includes firewalls, modern endpoint protections, intrusion detection tools and alerts, as well as multi-factor authentication to provide a multi-layered approach to protecting our information technology systems from unauthorized access, use, disclosure, disruption, or destruction. Such applications are regularly monitored and reviewed for adequacy and potential enhancements. We obtain System and Organizational Controls (“SOC”) 1 or SOC 2 reports on an annual basis from vendors that host our significant financial applications to aid in our assessment of information security risk amongst our relationships with the host vendors. We also perform quarterly access reviews for these systems that are subject to Sarbanes-Oxley oversight.

Over 98% of our restaurants are operated by franchisees who themselves are at risk of potential cybersecurity threats. There is no connectivity between the Company’s network and the networks on which our franchisees and licensees operate. Furthermore, there is no interface between the Company-owned restaurants’ point-of-sale system and the Company’s network and no interface between the Company’s primary manufacturer, Smithfield Foods, Inc. and the Company’s network.

The Company routinely leads training exercises, at least annually, for its employees to reinforce the risk from common tactics and scams like email phishing campaigns, as well as more sophisticated descendants (i.e. spear phishing and smishing) to defend against potential business email and network compromise.

We have developed an incident response plan outlining immediate response actions, including internal and external communication protocols. The incident response plan is reviewed regularly by our third-party consultants in collaboration with our Information Technology manager evaluating our capabilities and our readiness. Under the plan, we have identified a management group comprised of our Chief Executive Officer, Chief Financial Officer, Corporate Controller and Information Technology manager. The plan provides that any cybersecurity incident will be reviewed by this group to determine whether any such incident is material for securities laws purposes and whether public disclosure is required, following consultation with outside counsel, the Audit Committee and/or Board of Directors.

We maintain cyber risk insurance coverage that is intended to mitigate the financial impact of cybersecurity and data privacy incidents experienced by the Company. There can be no assurance that our cyber insurance policies will be sufficient in scope or amount to cover the costs and expenses related to any future cybersecurity incidents and it does not remedy the reputational and future business impacts.

Governance

The full Board of Directors has overall responsibility for risk oversight, including cybersecurity matters. It is supported by the Audit Committee, which reports to the full Board of Directors. The Audit Committee receives updates from management, as necessary, on the cybersecurity landscape and cybersecurity risks impacting the Company. At least annually, the Board of Directors receives a cybersecurity update as part of our Company’s risk management program. Such updates are designed to ensure that the Company’s senior management team remain informed about and can monitor the prevention, detection, mitigation, and remediation of potential cybersecurity incidents.

At a management level, our cybersecurity program is led by our Information Technology manager, who reports to the Chief Financial Officer. Our Information Technology manager is supported by our third-party consultants. Our Information Technology manager, along with the support of our third-party consultants, is equipped to help navigate the landscape of cybersecurity risks and challenges and to implement and to manage a comprehensive security strategy.

While cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, future incidents may interrupt our operations and could materially adversely affect our business, results of operations and financial condition.


Company Information

Name: NATHANS FAMOUS, INC.
CIK: 0000069733
SIC Description: Retail-Eating Places
Ticker: NATH - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: March 29