Xponential Fitness, Inc. - (XPOF)

10-K Filing Date: March 02, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We have developed a framework designed to safeguard our organization's digital assets from threats and vulnerabilities. It involves a systematic approach to identifying, assessing, and mitigating risks associated with our technology systems, data, and operations. Key components of this framework include vulnerability assessments, established security controls and policies, employee training, and a well-defined incident response plan. Regular testing, compliance adherence, resource allocation, and continuous monitoring are also crucial to keeping our environment secure. We take a proactive approach, aiming to mitigate risk, protect sensitive information, and ensure the resilience of our digital infrastructure against cyber threats. We engage consultants or other third parties to conduct periodic assessments and testing of our policies, standards, processes, and practices.

Material risks are those that have the potential to cause substantial harm or financial loss. Our approach involves a targeted strategy to protect critical data, systems, and infrastructure against cybersecurity challenges including cyber threats, data breaches, or regulatory compliance issues.

Third-party risk mitigation in cybersecurity is a crucial aspect of safeguarding our digital assets and ensuring data integrity and privacy. We monitor and manage the potential vulnerabilities and security gaps that can arise when working with external vendors, partners, or suppliers who have access to sensitive information or systems. We assess the cybersecurity practices of our third parties by evaluating their compliance with security standards. Evaluating third-party compliance helps us mitigate the risks of data breaches or security incidents originating from external sources, ultimately safeguarding our reputation, legal compliance, and overall cybersecurity posture.

We believe that the risks from cybersecurity threats, including as a result of any previous cybersecurity events, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business, results of operations, cash flows and financial condition.

Governance

The audit committee of our board of directors has primary responsibility for overseeing our risk management process relating to cybersecurity, which includes risks arising from cybersecurity threats.

The Vice President of Information Technology works together with our board of directors, audit committee, and members of executive management (“Cybersecurity Team”) to set the strategic direction of our digital landscape. The Cybersecurity Team provides strategic guidance and oversight to ensure our cybersecurity posture is robust and aligned with our overall objectives. The Cybersecurity Team does this by establishing cybersecurity policies and setting risk tolerance levels, approving budgets for security initiatives, and ensuring compliance with relevant regulations and standards. The Cybersecurity Team engages in regular discussions regarding incident response strategies to assess our preparedness for cyber threats and continually evaluates our incident response plans. The Incident Response Team (“IRT”) is led by the Vice President of Information Technology, who is the overall incident response coordinator. The IRT works together with our President to assess the risk and materiality of an incident and engages members of the Cybersecurity Team as needed.

Through ongoing communication with the IRT, the Vice President of Information Technology and the Cybersecurity Team are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the board of directors and the audit committee when appropriate.

Our Vice President of Information Technology’s experience includes various roles in information technology and information security for over 15 years. Members of the Cybersecurity Team each hold undergraduate and, in some cases, graduate degrees in their respective fields, and each have experience managing risk at the Company or at similar companies, and assessing cybersecurity threats.
