European Wax Center, Inc. - (EWCZ)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity.

Our Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our guests, business partners, associates and other stakeholders, and the processes implemented to address the risks related to cybersecurity threats are an important part of our overall risk management efforts. More specifically, we seek to address cybersecurity risks by focusing on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our cybersecurity program focuses on the following key areas:

Governance/Board-Level Oversight: Our Audit Committee is briefed on cybersecurity risks as a standing agenda item at each regularly-scheduled quarterly meeting. The Chief Information Officer ("CIO") reports quarterly to the Audit Committee and such report typically addresses an overall assessment of our compliance with our cybersecurity policies and includes topics such as risk management and control decisions, updates on our cybersecurity roadmap and self-assessment, training results, security threats, incidents (if any) and responses, and recommendations for changes and updates to our policies and procedures.
Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, 24x7 monitoring by a third-party security operations center, and antimalware functionality and access controls, which are periodically evaluated through vulnerability assessments and cybersecurity threat intelligence.
Business Continuity and Disaster Recovery: We have established and maintain comprehensive business continuity, incident response and recovery plans that address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: We provide regular, mandatory training for our associates regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our information security policies, standards, processes and practices.

We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are shared with executive management and, as needed, the Audit Committee and the Board. We adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Operational responsibility for assessing and implementing our processes and procedures related to cybersecurity risk is led by our CIO. The CIO leads a team of internal full-time associates and external consultants and vendors that manage all aspects of our risk management tools. The CIO reports directly to the Chief Administrative Officer and General Counsel (“CAO”), who manages legal and insurance coverage matters related to cybersecurity risks. Additionally, our Chief Financial Officer and relevant associates on her staff are involved in the management of cybersecurity threats in relation to our internal controls environment, and, in the event of an incident, relevant investor relations needs. Our policies and procedures provide that the Chief Executive Officer, the Audit Committee, and the Board are to be informed in a prompt, timely manner in the event of any material cybersecurity event.

Our CIO has Bachelor of Science degrees in Information Technology and Business Administration and Science and has served in various roles in information technology for over 30 years, including nearly 20 years in roles directly related to implementing and managing cybersecurity measures.

For additional information on cybersecurity risks, see the section titled “Risk Factors” included elsewhere in this Annual Report on Form 10-K.