National Vision Holdings, Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

National Vision Holdings, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 06:07:47 EST.

Filings

10-K filed on 2026-03-04

National Vision Holdings, Inc. filed a 10-K at 2026-03-04 06:07:47 EST
Accession Number: 0001628280-26-014379

Item 1C. Cybersecurity.

Risk Management and Strategy

We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. Our enterprise risk assessment and management system incorporates risks from cybersecurity threats alongside other risks to the Company. We also have a management-level risk management council that supports our processes to assess and manage cybersecurity and other risks.

Our information security team oversees and implements security controls designed to minimize the risk or impact of any compromise or unauthorized disclosure of our or our customers' confidential and sensitive data, including protected health information and PII. These controls include endpoint protection and response software (anti-virus), network intrusion detection devices, a vulnerability management program, IT and third-party risk management programs, and multifactor authentication. We provide annual security awareness training for corporate and store associates, and we administer periodic phishing testing and training to associates who have access to a company email address.

The security of the National Vision network is monitored by a Security Operations Center ("SOC"), which works with our information security team with the aim of preventing, detecting, and responding to cybersecurity attacks. We also maintain an incident response plan which, among other things, is designed to outline the response actions to an incident, mitigate the impact of an incident, assist in restoring normal business operations, and comply with applicable regulatory obligations arising from an incident. Our risk management processes also address cybersecurity threat risks associated with our use of third-party vendors.

Our Chief Technology Officer ("CTO") collaborates with our information security and legal teams to conduct periodic tabletop exercises to test our data security and incident response procedures. Periodically, we engage specialized third parties to assist in conducting these exercises. We also conduct third-party HIPAA security risk assessments to identify and catalog potential security risks to health data.

In the last three fiscal years, we have not experienced a material information security incident, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business, including our business strategy, results of operations, or financial condition. Further discussion of the potential impacts on our business from cybersecurity incidents is provided in "Item 1A. Risk Factors - We rely heavily on our information technology systems, as well as those of our vendors, for our business to effectively operate and to safeguard sensitive and confidential information; any significant failure, inadequacy, interruption or security incident could adversely affect our business, financial condition and operations," the sophistication of cyber threats continues to increase, and the actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. As such, no matter how well our controls are designed or implemented, we cannot assure that we will be able to anticipate all security incidents, and we may not be able to implement effective preventive measures against such security incidents in a timely manner.

Governance

Our CTO oversees our cybersecurity program and is responsible for assessing and managing our material risks from cybersecurity threats. Our CTO has served in this role at the Company since September 2025 and brings more than 30 years of industry experience in various senior roles involving managing global information technology and providing technology services in the areas of application development, infrastructure, data, and technology strategy, and specializing in Agentic AI, cloud solutions, enterprise software, and technology strategy.

The Vice President of Information Technology Infrastructure collaborates with the CTO and a supporting team to maintain and update the Company's technology infrastructure and corresponding safety measures. Our VP of Information Technology Infrastructure has served in this role at the Company for over eight years, has over 25 years of experience in information technology systems and holds a bachelor of science degree in computer information systems.

Our CTO is informed about, and monitors the prevention, detection, mitigation and remediation of, cybersecurity incidents through the management of and participation in the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. When a cybersecurity incident occurs or we identify a vulnerability, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity, and external experts may also be engaged as appropriate.

The Audit Committee of our Board, pursuant to its charter, oversees our enterprise risk management process, which includes risks from cybersecurity threats. The Audit Committee regularly receives reports from management with respect to risks from cybersecurity threats and quarterly reviews cybersecurity and data security risks and mitigation strategies, along with program assessments, planned improvements and the status of information technology initiatives with the CTO. These risks and mitigation strategies are also periodically reviewed by the entire Board.


Company Information

Name: National Vision Holdings, Inc.
CIK: 0001710155
SIC Description: Ophthalmic Goods
Ticker: EYE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 3