Page last updated on March 4, 2026
Black Rock Coffee Bar, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 06:09:03 EST.
Filings
10-K filed on 2026-03-04
Black Rock Coffee Bar, Inc. filed a 10-K at 2026-03-04 06:09:03 EST
Accession Number: 0001628280-26-014380
Item 1C. Cybersecurity.
Risk Management and Strategy
We rely on information technology systems and networks to manage critical business processes, including payment processing, supply chain operations, and marketing activities. To protect these systems and associated data, we maintain a comprehensive cybersecurity risk management program designed to identify, assess, and manage material risks from cybersecurity threats. This program addresses risks to our computer networks, third-party hosted services, communications systems, hardware and software, and sensitive data, including intellectual property, confidential business information, and customer data.
Our cybersecurity risk management program is integrated into our overall enterprise risk management framework and includes policies such as our Incident Response Policy and Cybersecurity Incident Reporting Policy. We identify and assess cybersecurity threats through internal monitoring, automated tools, threat intelligence subscriptions, vulnerability scans, penetration testing, and periodic risk assessments. Based on these assessments, we implement and maintain technical, physical, and organizational measures designed to prevent, detect, respond to, and recover from cybersecurity incidents. These measures include encryption of sensitive data, network security controls, access management, asset tracking, and employee security training.
We utilize third-party service providers for critical functions such as cloud hosting, payment processing, and application support. Depending on the nature of the services provided and the sensitivity of the data involved, our vendor management process includes reviewing cybersecurity practices, imposing contractual obligations, conducting vulnerability assessments, requiring providers to complete security questionnaires, periodic reassessments during engagement, and ongoing monitoring through external security firms. We also collect compliance documentation and reports annually to ensure adherence to our standards.
As part of our broader risk management efforts, we maintain a Business Continuity Plan and Disaster Recovery Plan that outline strategies to maintain critical operations during disruptions and restore IT systems and data in the event of a major incident. These plans include defined recovery time objectives, recovery point objectives, and tested protocols for swift restoration. We also maintain cyber insurance coverage intended to mitigate certain costs associated with cybersecurity incidents.
While we have not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, cybersecurity threats continue to evolve, and we cannot guarantee that future incidents will not have a material impact. Potential impacts could include increased costs for remediation and security measures, operational disruptions, reputational harm, and limitations on insurance recovery.
Governance
Oversight of cybersecurity risk is provided by the Audit Committee of our Board of Directors, which reviews and discusses cybersecurity risks and mitigation strategies as part of its enterprise risk oversight responsibilities. The Audit Committee receives quarterly updates on cybersecurity matters and is informed promptly of any material developments between meetings.
Our Chief Information Officer, Derek Tonn, leads the implementation of our cybersecurity program. Mr. Tonn has extensive experience in information technology and cybersecurity, having previously served as our Senior Vice President of IT and Analytics, where he oversaw the creation of our data and cybersecurity program. He is responsible for hiring appropriate personnel, integrating cybersecurity risk considerations into our overall risk management strategy, approving budgets, and overseeing incident response processes. We also engage external consultants to assist with annual enterprise risk assessments and to validate the design and effectiveness of our cybersecurity controls.
Our incident response processes are designed to escalate significant cybersecurity incidents to senior management and the Audit Committee in accordance with our Cybersecurity Incident Reporting Policy. These processes include classification, escalation, and communication protocols and are periodically tested and updated. Employees receive regular security training, including phishing simulations and awareness campaigns, to reinforce best practices.
Company Information
| Name | Black Rock Coffee Bar, Inc. |
| CIK | 0002068577 |
| SIC Description | Retail-Eating & Drinking Places |
| Ticker | BRCB - Nasdaq |
| Website | |
| Category | Emerging growth company |
| Fiscal Year End | December 31 |