WINMARK CORP - (WINA)

10-K Filing Date: February 28, 2024
ITEM 1C: CYBERSECURITY

We deploy several processes for assessing, identifying and managing material risks from cybersecurity threats. These processes include, but are not limited to, security assessments, physical access restrictions, internal and external penetration testing, endpoint detection and response, and employee security awareness programs and training.

Our cybersecurity processes have been integrated into our overall risk management processes, and we engage assistance from third parties as we deem necessary or appropriate. We believe that we have processes in place to oversee and identify risks from cybersecurity threats associated with our use of third-party services providers to our business. See Item 1A: Risk Factors for further discussion regarding data security risks.

Our Information Technology team, under the direction of the Chief Financial Officer and with the assistance of industry-leading third parties with over 20 years of expertise, is tasked with monitoring cybersecurity and operational risks related to information security and system disruption. They have many years of experience in various technology-related functions including security, auditing, compliance and systems. Our Executive Leadership team is briefed regularly on information security, including discussion of processes such as those listed above to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.

Our Board of Directors is charged with providing oversight of our risk management process. Specifically, the Audit Committee is primarily responsible for overseeing the risk management function, including risks from cybersecurity threats. Periodically, the Audit Committee reviews risk assessments, including cybersecurity risks, prepared by management and/or third-party providers.

There have been no previous cybersecurity incidents which have materially affected us to date, including our business strategy, results of operations or financial condition. However, any future potential risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition.