MONARCH CASINO & RESORT INC 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

MONARCH CASINO & RESORT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 19:20:10 EST.

Filings

10-K filed on 2026-02-24

MONARCH CASINO & RESORT INC filed a 10-K at 2026-02-24 19:20:10 EST
Accession Number: 0001104659-26-018717

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Maintaining and improving our cybersecurity capabilities is a high priority for our business. The security of our digital assets is essential to safeguarding our critical infrastructure, protecting the confidentiality and integrity of sensitive information, maintaining business continuity, and fostering trust with our stakeholders. We have designed and assessed our cybersecurity risk management program based on the Center for Internet Security Critical Security Controls guidelines. We also align our program to meet regulatory requirements, including gaming regulatory requirements, financial reporting requirements and internal controls requirements, among others. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use industry standard frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. We use an overall risk management process by coordinating with other departments such as human resources, legal, finance, accounting, and business operations. As part of our cybersecurity risk management program, we regularly perform risk assessments to help identify material cybersecurity risks, including vulnerability analysis, industry-specific risks, and required regulatory adherence. Our strategy seeks to be in line with our business objectives, staying abreast of evolving cyber threats, and complying with regulatory standards. We also use external third-party service providers, where appropriate, to assess, test or otherwise assist us with aspects of our cybersecurity program. Our cybersecurity risk management program includes (1) a security team led by our Chief Information Officer that is principally responsible for managing our cybersecurity risk assessment processes, our security controls, our response to cybersecurity incidents; (2) a cybersecurity incident response plan that that outlines specific procedures for identifying, containing, and remediating cyber incidents, combined with regular testing of this plan to monitor effectiveness, with adjustments made as necessary; (3) backups of essential data and systems; and (4) a third-party risk management process for service providers, suppliers and vendors. On the technical front, we deploy a variety of safeguards to protect our systems. These include firewalls, intrusion detection and prevention systems, data encryption, and strict access controls. Regular updates and patches are applied to software and firmware to mitigate known vulnerabilities and strengthen our security posture. Recognizing the critical role of human factors in cybersecurity, we implement education and awareness programs for our team members. These programs are designed to promote safe online practices and encourage prompt incident reporting. Additionally, we conduct phishing simulations and other exercises to measure and improve our team members' ability to recognize and respond to cyber threats effectively. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incident attempts, which have materially affected us, including our operations, business strategy, results of operations, or financial condition. Cybersecurity Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee of our Board of Directors oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program. The Audit Committee typically receives quarterly reports from our Chief Information Officer on our cybersecurity risks and the implementation of our cybersecurity risk management program. Our Board of Directors' practice has historically been to sit in on quarterly Audit Committee meetings and thereby receives and can participate in the quarterly presentations on cybersecurity matters from our Chief Information Officer. Our Chief Information officer is responsible for day-to-day assessment and management of cybersecurity risks and threats through internal assessment tools as well as third-party control tests, and for audits and evaluation against industry standards and regulations. Our Chief Information Officer leads a team with specific assignments in these cybersecurity risk management areas. Our Chief Information Officer has over twenty-five years leading IT and Cybersecurity teams and continually improve his expertise through cybersecurity classes and collaboration with cybersecurity professionals in hospitality industry. From time to time, our Chief Information Officer meets with a group of senior management to address certain cybersecurity matters. This group typically includes, the Chief Executive Officer, the Corporate Director of Internal Audit and the Executive Vice President of Finance.

Company Information