MARCUS CORP - (MCS)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Cybersecurity Governance
We are committed to protecting our intellectual property, customer and employee data, and the information technology systems critical to keeping our customers, employees, contractors and others aligned and allowing our operations to function properly. Our Board of Directors and its committees are involved on an ongoing basis in the oversight of our material enterprise-related risks, including cybersecurity risks. Our processes for oversight of cybersecurity-related risks are fully integrated into our overall enterprise risk management program, which is led by our General Counsel. We assign a member of our executive management team to report material information to our Board of Directors regarding each of our most significant enterprise risks. We have identified a separate risk for enterprise cybersecurity. The Audit Committee, in connection with the Chief Information Officer, provides primary oversight for cybersecurity risk for the company.
The information security operations team within our information technology function reports to our Chief Information Officer, who regularly updates our Board of Directors and the Audit Committee. The function is governed by various policies on different aspects of cybersecurity. Our Board of Directors and the Audit Committee, as applicable, then review such information, including management’s proposed mitigation strategies and plans, to monitor our progress on mitigating the risks.
Our Chief Information Officer and General Counsel meet regularly with the Board of Directors and its committees to review relevant areas including:
Key metrics of the information security/cybersecurity program;
The purchase of cybersecurity risk insurance to mitigate exposure to the company;
Monitoring and testing of backup and disaster recovery process;
Cybersecurity incident response and remediation procedures; and
Metrics of the company’s training and compliance program on information security and awareness of cyber risk.
In addition, we have a management Cybersecurity Committee, which functions as a steering committee, to provide oversight and strategic direction for the cybersecurity program. The Cybersecurity Committee is comprised of our Chief Information Officer & Theatres Chief Information Technology Officer (“CIO”), Hotels Chief Information Technology Officer, Vice President of Information Security, General Counsel, and Chief Financial Officer. The Cybersecurity Committee meets quarterly to review the cybersecurity program, including risks and the status of key initiatives.
Our CIO has served in various roles in information technology for over 35 years. Our Hotels Chief Information Technology Officer holds an undergraduate degree in business administration and a master’s degree in management of information systems and has served in various roles in information technology for over 30 years. Our Vice President of Information Security has served in various roles in information technology and information security for over 15 years, and has attained the professional certifications of PCI-ISA and PCI-DSS. Our General Counsel and Chief Financial Officer each hold undergraduate and graduate degrees in their respective fields, and each has significant experience managing risks at the company and at similar companies, including risks arising from cybersecurity threats.
Cybersecurity Risk Management Strategy
In addition to our Cybersecurity Committee, an information security operations team is in place, which monitors the environment for cybersecurity incidents on a continuous basis. We have also established incident response plans to assess and manage cybersecurity incidents. These plans, which are tested at least annually, include escalation procedures based on the nature and severity of the incident. The most critical incidents, which could be material to the company, are escalated to the Cybersecurity Committee. The Cybersecurity Committee, in coordination with internal and external advisors and legal counsel, is responsible for determining the materiality of cybersecurity incidents and coordinating any necessary disclosures. A materiality decision framework, which includes both quantitative and qualitative factors, is in place to guide the materiality decision. Critical cybersecurity incidents which are determined to be material are escalated to the Audit Committee, and when appropriate, to the Board of Directors.
We provide regular, mandatory training for personnel regarding cybersecurity threats as a means to equip our personnel with effective knowledge, tools, and awareness to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. The personnel training occurs at the time of hiring and at least once annually thereafter. The Cybersecurity Committee, along with other members of executive management, practices the incident response process through an annual tabletop exercise facilitated by external consultants.
We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, disaster recovery testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board of Directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
A third-party risk management program is in place to address the risks posed by third parties. Through this program, the company evaluates the type of data that is shared with the third party and gains an understanding of the third party’s cybersecurity risk profile. Higher-risk third parties complete a vendor security self-assessment designed to provide a deeper level of understanding of the third party’s risks and controls. Based on the results of this assessment, the entity may be added to our third-party monitoring solution, which provides updates and alerts related to the company’s externally facing security posture.
Cybersecurity Threats
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, the company, including its business strategy, results of operations or financial condition.