PETMED EXPRESS INC 10-K Cybersecurity GRC - 2025-10-14

Page last updated on October 14, 2025

PETMED EXPRESS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-10-14 16:27:15 EDT.

Filings

10-K filed on 2025-10-14

PETMED EXPRESS INC filed a 10-K at 2025-10-14 16:27:15 EDT
Accession Number: 0001040130-25-000072

Item 1C. Cybersecurity.

PetMed Express, Inc. (“PetMeds”) and PetCareRx maintain an enterprise-wide cybersecurity program designed to identify, assess, manage, and mitigate information security risks across the organization. Our program encompasses governance, policy, prevention, detection, incident response, and recovery mechanisms in alignment with industry standards.

Cybersecurity Risk Management and Oversight

Our cybersecurity risk management program is built to protect our systems, data, and customers from a wide range of cyber threats. This includes internal protocols and controls, as well as third-party oversight. Our cybersecurity practices are guided by the National Institute of Standards and Technology (NIST) CSF (Cyber Security Framework), which categorizes cybersecurity tasks into five key functions: identify, protect, detect, respond, and recover. This functional orientation helps organizations make informed decisions about reducing cyberattacks.

Oversight of cybersecurity risk is formally overseen by the Audit Committee of our Board of Directors. The Audit Committee receives regular briefings from management on cybersecurity topics, including strategy, threats, incident trends, remediation activities, and updates on material developments, as appropriate.

Incident Detection and Response

We have implemented an Incident Response Policy and detailed procedures that govern how potential cybersecurity events are identified, escalated, investigated, contained, and remediated. The objectives of our incident response program include:

- Timely investigation and validation of incidents
- Minimization of data loss or service disruption
- Evidence preservation in accordance with legal and regulatory requirements
- Restoration of affected systems and services
- Post-incident review and implementation of corrective actions
- Notification to affected parties and regulators, where appropriate

These procedures are tested and exercised periodically to ensure preparedness and adaptability.

Security Measures and Monitoring

We deploy a layered defense model using widely adopted technologies and internal solutions for threat monitoring, detection, and response. Our efforts include:

- Regular system scans, vulnerability assessments, and penetration testing
- Ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS)
- Deployment of endpoint detection and response (EDR) tools and real-time monitoring solutions
- Secure development practices and controls embedded within our digital transformation initiatives

As we modernize our digital platforms and phase out legacy systems, we are embedding advanced security practices into our infrastructure. This includes improving controls around identity management, access, encryption, and software development life cycles.

Third-Party and Vendor Risk Management

Our vendor and partner management processes include security due diligence, contractually required safeguards, and, in relevant cases, direct review of their cybersecurity practices. We require certain vendors with access to sensitive systems or data to undergo security training or meet specific security certification requirements.

Training and Awareness

Cybersecurity awareness is a foundational element of our risk management approach. We conduct recurring cybersecurity training for employees across the company, with tailored modules that address evolving threat vectors such as phishing, ransomware, and social engineering. Additional targeted training is provided to users in high-risk roles.

Cybersecurity Incidents

We maintain an active process to detect and respond to cybersecurity incidents. While we have experienced routine threats and minor incidents in the normal course of operations, to date, we have not identified any cybersecurity incidents that have materially impacted our business, operations, or financial results.

Nevertheless, we recognize that cybersecurity risks are dynamic and continually evolving. We cannot guarantee that future events will not have a material impact. For more information on cybersecurity-related risks, see Item 1A, “Risk Factors”, including the risk titled: “Our failure or the failure of third-party service providers to protect our websites, networks, and systems against cybersecurity incidents, or otherwise to protect our confidential information, could damage our reputation and brands and substantially harm our business, financial condition, and results of operations.”


Company Information

Name: PETMED EXPRESS INC
CIK: 0001040130
SIC Description: Retail-Drug Stores and Proprietary Stores
Ticker: PETS - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: March 30