Page last updated on December 2, 2025
Vestis Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-02 07:06:03 EST.
Filings
10-K filed on 2025-12-02
Vestis Corp filed a 10-K at 2025-12-02 07:06:03 EST
Accession Number: 0001628280-25-054597
Item 1C. Cybersecurity.
Risk Management and Strategy
Cybersecurity risk management is a critical component of the Company's overall risk management. The Company proactively addresses cybersecurity risk through a comprehensive cybersecurity program to identify, protect, respond to, and manage any reasonably foreseeable cybersecurity risks, threats and incidents. The Company's cybersecurity risk management program is aligned with the International Standards Organization (ISO 27001:2022) and mapped to National Institute of Standards Special Publication 800-53 Revision 5 (NIST 800-53). The Company's cybersecurity program is integrated into the Company's overarching enterprise risk management program.
The Company's Chief Information Security Officer (CISO) is responsible for developing and managing the Company's cybersecurity program and reporting on cybersecurity matters to management, the Audit Committee and the Company's Board of Directors. The CISO has over twenty years of cybersecurity and technology experience, originating with cryptography and security experience as a military officer and progressing through senior management roles at prominent global audit and technology consulting corporations. The CISO is supervised by the Company's Chief Information Officer.
The Company has established and maintains a cross-functional Cyber Governance Committee that is responsible for helping the CISO prioritize and manage evolving cyber risks and reports to the Company's Chief Information Officer. The Cyber Governance Committee, which oversees the Company's governance and oversight of information security, meets quarterly and interfaces with other functional areas within the Company, including, but not limited to, legal, internal audit, accounting, risk management, human resources, as well as external third-party partners. The CISO serves as the chair of the Cyber Governance Committee. The CISO also provides response and oversight during any significant cybersecurity incidents and informs the Cyber Governance Committee of all cybersecurity incidents that have been identified by the Company to date.
The Company engages third parties to assist with the monitoring components of the security infrastructure that we have deployed. As required, the Company engages consultants and third parties to assist with penetration testing, tabletop incident response exercises, or other activities necessary to comply with various standards and certifications that are necessary for the Company's business operations.
The Company provides regular awareness training to its employees and consultants using its collaboration platforms to help identify, avoid, and mitigate cybersecurity threats, as well as targeted security training for key departments that routinely process, store or handle sensitive data types.
Where service providers are materially utilized, the company obtains SOC1 or SOC2 reports and complies with complementary user entity controls to keep those attestations valid. Where needed, the Company requires appropriate certifications and contractually requires adherence to data privacy and security requirements from its vendors.
The Company operates technologies that are exposed to the internet, and although robust cybersecurity programs, technologies, and safeguards are deployed to help protect the Company's operations and assets, the Company, by nature, is exposed to material cybersecurity attacks that are either generally targeted at companies that operate on the internet, or the Company, by nature, remains exposed to attacks that are specifically directed at the Company's technology systems exposed to the internet.
Governance
The Company's Board of Directors recognizes the importance of cybersecurity and has ultimate oversight of the Company's cybersecurity risk management program. As reflected in the Audit Committee's charter, the Audit Committee of the Company's Board of Directors has been delegated certain cybersecurity oversight responsibility and, among other things, monitors the Company's cybersecurity risk profile, receives periodic updates from management on all matters related to cybersecurity and reports to the full Board of Directors. The CISO presents quarterly updates to the Audit Committee on the Company's cyber risks and threats, status of projects to strengthen the Company's information security systems, and emerging threats.
During the normal course of business, the Company has experienced and expects to continue to experience cyber-based attacks and other attempts to compromise its information systems. Based on the information that the Company had as of the end of the fiscal year covered by this Annual Report on Form 10-K, the Company does not believe that it has experienced any cybersecurity incidents that have materially affected the Company. However, the sophistication of cyber threats continues to increase, and the preventative actions the Company has taken and continues to take to reduce the risk of cyber incidents and protect its systems and information may not successfully protect against all cyber incidents. For more information on how cybersecurity risk may materially affect the Company's business strategy, results of operations, or financial condition, please refer to Item 1A, "Risk Factors."
Company Information
| Name | Vestis Corp |
| CIK | 0001967649 |
| SIC Description | Wholesale-Miscellaneous Nondurable Goods |
| Ticker | VSTS - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | October 2 |