BAB, INC. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

BAB, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 12:50:34 EST.

Filings

10-K filed on 2026-02-24

BAB, INC. filed a 10-K at 2026-02-24 12:50:34 EST
Accession Number: 0001437749-26-005227

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company's Audit Committee, composed of two independent members of Board of Directors, has oversight responsibility for the Company's cybersecurity risk management. Day-to-day oversight of cybersecurity matters is managed by the Company's Chief Financial Officer, ("CFO") and the Chief Operating Officer, ("COO"). The CFO reports to the Audit Committee prior to each quarterly and annual Form 10-Q and 10-K filing, regarding cybersecurity matters, including updates on cybersecurity risks, controls, and procedures. The CFO also provides the Audit Committee with information regarding the Company's cybersecurity insurance coverage and obtains Audit Committee approval for any material changes to such coverage. In addition, the CFO informs the Audit Committee of any proposed changes to third-party information technology ("IT") service providers or consultants. The Audit Committee reviews and approves any changes in IT providers and is promptly notified of any cybersecurity threats or incidents. At BAB, Inc. we recognize the importance of safeguarding our systems, data and assets, even though the nature of our business results in a relatively low exposure to cybersecurity risk. The CFO has over 30 years of experience in risk management and working with computer systems across multiple industries, including evaluating operational risks, overseeing internal controls, and coordinating with third-party providers. The COO has several years of experience in IT operations within the company. Together, the CFO and COO are familiar with the Company's information systems, operational environment, and internal policies and procedures related to safeguarding critical data and assets. The Company's cybersecurity risk management program consists of a combination of technical, administrative, and physical safeguards designed to identify, assess, and mitigate cybersecurity risks. As part of this process, the CFO regularly engages with outside IT consultants to assist in monitoring systems, assessing cybersecurity risks, and maintaining appropriate security controls. - 7 - The Company's cybersecurity infrastructure includes a combination of technical, administrative and physical safeguards designed to mitigate cybersecurity risks. As part of our risk management process, the CFO also regularly engages with the outside IT consultants to review and minimize the Company's cybersecurity risk. The Company's cybersecurity infrastructure includes network firewall protection with intrusion detection, virus protection, and other subscription-based security services that are regularly updated. Remote access to the Company's network is protected through end-to-end encryption using a secure virtual private network (VPN). All Company computers, including those used by remote personnel, are protected by antivirus and endpoint security software provided and maintained by an outside IT consultant. The software continuously monitors for potential threats and updates automatically. Additional services are used to filter emails and reduce phishing and spam risks. Employees receive training designed to promote awareness of cybersecurity risks, including guidance to avoid opening suspicious emails or unexpected attachments. Sensitive files are password-protected and accessible only to authorized personnel and are maintained on separate drives. The Company maintains regular data backups and redundancy protocols designed to minimize downtime in the event of a cybersecurity incident. The Company also maintains cybersecurity insurance coverage to help mitigate potential financial impacts associated with a cybersecurity event. While no system is entirely immune from cybersecurity threats, and despite the Company's relatively low risk profile, a cybersecurity incident could adversely affect the Company's business, result in reputational harm, increase operating costs, or expose the Company to litigation. To date, the Company has not experienced any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business, operations, or financial condition. In the event of a cybersecurity incident, the CFO and/or COO will promptly report the matter to the Audit Committee, including information regarding the nature of the incident, remediation efforts, and actions taken to reduce the risk of future incidents.

Company Information