Arhaus, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Arhaus, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 06:12:03 EST.

Filings

10-K filed on 2026-02-26

Arhaus, Inc. filed a 10-K at 2026-02-26 06:12:03 EST
Accession Number: 0001875444-26-000010


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity is a critical priority and is integrated into our enterprise risk management framework. The Company maintains a risk-based, multi-dimensional cybersecurity program, guided by the National Institute of Standards and Technology Cybersecurity Framework 2.0 ("NIST CSF"). This program is designed to assess, identify, and manage material risks from potential threats to our data, systems, and networks, as well as those of our primary third-party suppliers. We consult with outside advisors and experts to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company's risk environment.

We deploy a suite of physical, administrative, and technological safeguards to protect our information systems, including personal data (employee, client, consumer and business partner), intellectual property, and confidential business information. These protections are designed to maintain the confidentiality, integrity, and availability of all information housed within our network infrastructure. Key processes include:

- Risk-Based Controls: We continuously improve our cybersecurity program's maturity, risk management framework, policies, procedures, and governance. Security controls are selected based on likelihood and severity of risk, impact on the Company and stakeholders, feasibility and cost, and operational impact.
- Incident Response Plan and Testing: We maintain a written incident response plan and dedicated teams to respond to incidents. Cross-functional teams assess priority and severity, and external experts may be consulted. Regular tabletop breach exercises, penetration tests, and simulations are conducted to improve our response capabilities.
- Education and Training: Our employees undergo cybersecurity awareness training and regular phishing awareness campaigns that are based upon and designed to emulate real-world contemporary threats. We work with external partners to develop and deliver education and training to mitigate cybersecurity risks.
- Third-Party Risk Management: Targeted cybersecurity assessments of suppliers are executed, evaluating their risk profiles and using a rating mechanism to identify vulnerabilities. Cybersecurity risks associated with third-party service providers including suppliers, software and cloud-based service providers are considered during contracting and vendor selection.

The Company (or the third parties it relies on) may not be able to fully, continuously, or effectively design and implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine whether and how to implement certain security controls and it is possible that we may not implement the necessary controls if we are unable to recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate cybersecurity risks. Cybersecurity events, when detected by security tools or third parties, may not always be identified immediately or addressed in the manner intended by our cybersecurity incident response plan.

Cybersecurity Program Maturity and Continuous Improvement

We regularly assess our information security program against the NIST CSF and benchmark our maturity against leading practices in the retail sector.

Impact of Cybersecurity Risks

Based on the information available as of the date of this Form 10-K, we have no reason to believe any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see Item 1A, "Risk Factors" in this Form 10-K.

Cybersecurity Governance

The Company's cybersecurity risk management and strategy processes are led by our Chief Information Officer ("CIO"), Chief Information Security Officer ("CISO") and a dedicated cybersecurity team with experience across multiple industries in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing multiple industry and regulatory compliance environments.

Cybersecurity and data privacy are priority matters as part of our management of risks. Our principal objectives are to protect our information technology equipment, networks, systems, and personal data (employee, client, consumer and business partner), as well as our intellectual property and confidential business information. In support of these objectives, our Information Security Team ("IST"), a function that spans our organization, has designed a strategy using the NIST CSF to mitigate cybersecurity risks that could result in the unauthorized access to and disruption of systems, as well as unauthorized access to and acquisition and manipulation of data. In addition, our IST regularly meets with its business partners on cyber risk education and mitigation through communication of our projects and standards. Our CISO, who reports to our CIO, is responsible for implementing the NIST CSF.

Cybersecurity is an important part of our overall risk management processes and the Technology Committee ("Committee") of our Board of Directors has primary oversight responsibility for cybersecurity and other technology risks. The Committee reviews and discusses with management our cybersecurity, privacy and data security programs, the status of projects to strengthen internal systems and any significant cybersecurity incidents. The Committee also reviews with management the implementation and effectiveness of the Company's controls to monitor and mitigate cybersecurity risks. In addition, our Board of Directors receives periodic updates regarding our cybersecurity program.


Company Information

Name: Arhaus, Inc.
CIK: 0001875444
SIC Description: Retail-Furniture Stores
Ticker: ARHS - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 31