RAVE RESTAURANT GROUP, INC. 10-K Cybersecurity GRC - 2025-09-25

Page last updated on September 25, 2025

RAVE RESTAURANT GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-09-25 09:01:06 EDT.

Filings

10-K filed on 2025-09-25

RAVE RESTAURANT GROUP, INC. filed a 10-K at 2025-09-25 09:01:06 EDT
Accession Number: 0001140361-25-036080

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. The Company recognizes the critical importance of maintaining the safety and security of our systems and data and has a holistic process for overseeing and managing cybersecurity and related risks. The Company believes that cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our business strategy, results of operations or financial condition. 6 Index Cybersecurity Risk Management and Strategy Personnel The Company has an information security program and procedures in place to protect, identify, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. The Company uses various security tools that help prevent, identify, investigate, resolve and recover from identified vulnerabilities and security incidents to protect our information systems and data from cybersecurity threats. This framework is implemented and overseen by management’s information security department which is led by the Information Technology (“IT”) Support Associate Director and overseen by the Company’s IT Steering Committee. The IT Support Associate Director has over twenty years of experience in technology management and cybersecurity. The IT Steering Committee is comprised of the Company’s two Associate IT Directors, the CEO, and CFO and convenes quarterly to review IT control policies and procedures are properly followed and any new employees were properly onboarded in compliance with security procedures. Third-Party Engagement The Company employs third-party risk security vendors to identify, mitigate, and remediate cybersecurity risks; however, we rely on the third parties we use to implement security programs commensurate with their risks, and we cannot ensure in all circumstances that their efforts will be successful. The Company employs a third-party vendor to securely host the Company’s data in a cloud-based storage system. The third-party vendor conducts quarterly vulnerability scans on both the hosted data environment and the Company’s corporate data network. Scans of the Company’s firewall are conducted regularly by the third-party vendor. Any necessary remediation would also be provided by the third-party vendor after the scan, but none has been required. The Company uses multiple third-party developed software to continually monitor technology systems for viruses, malicious software, executable harmful files, and other cybersecurity risks. The Company requires the annual submission of SOC 1 security certificates from our third-party vendors which have access to our financial and sales data. The Company also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity related incidents. The Company recognizes that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, each employee is required to complete information security and data privacy training to build awareness of cybersecurity risks to the organization. The Company has engaged a third-party vendor to periodically send each employee an email that mimics a potentially harmful phishing attempt each month and to report to management the results of the phishing security test. Governance The Board of Directors are acutely aware of the critical nature of managing risks associated with cybersecurity threats. Each quarterly meeting, management presents a cybersecurity update which includes results of testing by third-party vendors and any suspected cybersecurity incidents to the entire Board of Directors. Management would report any material cybersecurity breach immediately to the full Board of Directors. The Company has a written policy for the employee reporting of any cybersecurity suspected incidents. The Audit Committee of the Board has the primary responsibility to oversee effective governance in managing risks associated with cybersecurity threats. Our Audit Committee is composed of members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.

Company Information