Page last updated on February 5, 2026
BASSETT FURNITURE INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-05 15:57:22 EST.
Company Summary
Bassett Furniture is the U.S.A.'s leading furniture portal, with stores in more than 50 cities. They also develop mobile applications to help control certain furniture.
Filings
10-K filed on 2026-02-05
BASSETT FURNITURE INDUSTRIES INC filed a 10-K at 2026-02-05 15:57:22 EST
Accession Number: 0001437749-26-003189
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company maintains an information security program designed in alignment with the ISO/IEC 27001 and ISO/IEC 27002 standards to address risks arising from cybersecurity threats. The program consists of documented policies, standards, and procedures that define the design, implementation, operation, and maintenance of security controls. The maturity and effectiveness of the information security program are evaluated biennially by an independent third party.
A risk assessment is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others.
Specific controls used by the Company include endpoint threat detection and response (EDR), identity and access management (IAM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention systems, vulnerability and patch management, and ongoing employee information security awareness and training programs. An internal information security audit program is maintained to help ensure that these controls remain operational and effective. Third-party security firms are used by the Company in different capacities to provide or operate some of these controls and technology systems. Third parties are also used to conduct assessments, such as vulnerability scans and penetration testing of the Company and its systems. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services.
The Company has a written incident response plan ("IRP") and conducts tabletop exercises to enhance incident response preparedness. Disaster recovery plans are used to prepare for the potential for a disruption in technology we rely on. Employees undergo security awareness training, including phishing simulation training, when hired and periodically throughout the year.
The Company's executive leadership team meets regularly to address enterprise risks, and cybersecurity is a risk category addressed by that group. In addition to assessing major risks, management identifies and monitors such risks. At least annually, the Company's executive leadership reviews with the Board of Directors the major risks identified in the enterprise risk management process, as well as the steps identified to mitigate such risks. Each of the business and functional leaders responsible for the management of these identified risks also regularly discusses with the Board changes in assessment of these risks and mitigation plans.
The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or if we underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon.
In fiscal 2024, the Company activated its incident response plan to address a cybersecurity incident that was resolved without material impact to the Company. The Company is not aware of any additional cybersecurity threats or incidents to date that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition.
Additionally, in Item 1A Risk Factors under the heading of "Risks Related to Electronic Data Processing and Digital Information," forward-looking cybersecurity threats that could have a material impact on the Company are discussed. That section of Item 1A should be read in conjunction with this Item 1C.
Governance
The Chief Information Officer ("CIO") holds primary oversight responsibility for the team managing the development, operation, and maintenance of our information security program. This team also has responsibility to maintain and enhance the Company's written cyber security incident response plan, which identifies incident severity classifications and serves as a trigger for escalation for the response team. With over 25 years of experience across diverse IT technologies, the CIO brings extensive expertise to the role. The CIO is also a member of the Company's executive leadership team, meeting regularly with the CEO, CFO, and other senior leaders. The CIO directly reports to the Board at least annually, addressing cybersecurity risks and strategy, and attends Board meetings to discuss cybersecurity matters as needed.
The Audit Committee provides oversight of the information security program. The CIO reports to the Audit Committee annually on cybersecurity risks and related internal controls and attends quarterly meetings to provide updates and address any questions regarding cybersecurity and information technology systems.
Company Information
| Name | BASSETT FURNITURE INDUSTRIES INC |
| CIK | 0000010329 |
| SIC Description | Wood Household Furniture, (No Upholstered) |
| Ticker | BSET - Nasdaq |
| Website | |
| Category | Accelerated filer; Smaller reporting company |
| Fiscal Year End | November 29 |