NATHANS FAMOUS, INC. - (NATH)
10-K Filing Date: June 12, 2024
Cybersecurity.
Risk management and strategy
The Company is committed to securing our information technology systems, including accounting software, point-of-sale software, and back-of-house software, against cybersecurity threats and protecting the privacy of the data of our customers’, employees’, franchisees’, licensees’ and other business partners. However, as described in “Item 1A. Risk Factors –Cyberattacks and breaches could cause operational disruptions, fraud or theft of sensitive information” of this Form 10-K, we recognize that cybersecurity threats are an ongoing concern in today’s digital world and that, despite devoting resources to secure our information technology systems, cybersecurity incidents can occur and, if so, could negatively impact our brand, business, results of operations and financial condition. Cybersecurity threats include any potential unauthorized occurrence on or conducted through our information technology systems or information technology systems of a third party that we utilize in our business that may result in adverse effects on the confidentiality, integrity or access to our information technology systems.
We maintain technology and cybersecurity programs and follow the guidelines of the National Institute of Standards and Technology Cybersecurity Framework to help manage information security risk within the Company. The objectives of our programs are to protect the confidentiality, integrity, use and availability of the Company’s data; to protect against unauthorized access to the Company’s data, the Company’s network and information technology applications; and to maintain recovery plans regarding the Company’s informational technology. Our programs fall under the oversight of our Information Technology manager.
To supplement our internal controls and processes and to meet these objectives, the Company engages third-party consultants who work closely with the Company’s Information Technology manager to collectively manage our cybersecurity, information technology and data privacy programs, as well as perform application security reviews and penetration tests. The Company’s senior management team, including its Chief Executive Officer and its Chief Financial Officer, reviews the assessments performed by its third-party consultants and determines the plans to be executed in collaboration with the Information Technology manager.
Our information technology infrastructure includes firewalls, and intrusion detection tools, as well as multi-factor authentication to provide a multi-layered approach to protecting our information technology systems from unauthorized access, use, disclosure, disruption, or destruction.
We obtain System and Organizational Controls (“SOC”) 1 or SOC 2 reports on an annual basis from vendors that host our significant financial applications to aid in our assessment of information security risk amongst our relationships with the host vendors. We also perform quarterly access reviews for these systems that are subject to SOX oversight.
The Company has been certified as compliant with the Payment Card Industry Security Standard intended to ensure that the processing, storing and transmission of credit card information in the Company’s point-of-sale software in our Company-owned restaurants is maintained in a secure manner.
Over 98% of our restaurants are operated by franchisees who themselves are at risk of potential cybersecurity threats. There is no connectivity between the Company’s network and the networks on which our franchisees and licensees operate. Furthermore, there is no interface between the Company-owned restaurants point-of-sale system and the Company’s network and no interface between the Company’s primary manufacturer, Smithfield Foods, Inc. and the Company’s network.
The Company routinely leads training exercises, at least annually, for its employees to reinforce the risk from common tactics and scams like email phishing campaigns to defend against potential business email and network compromise.
We have developed an incident response plan outlining immediate response actions, including internal and external communication protocols. The incident response plan is reviewed regularly by our third-party consultants in collaboration with our Information Technology manager evaluating our capabilities and our readiness. Under the plan, we have identified a management group comprised of our Chief Executive Officer, Chief Financial Officer, Corporate Controller and Information Technology manager. The plan provides that any cybersecurity incident will be reviewed by this group to determine whether any such incident is material for securities laws purposes and whether public disclosure is required, following consultation with outside counsel, the Audit Committee and/or Board of Directors.
We maintain cyber risk insurance coverage that is intended to mitigate the financial impact of cybersecurity and data privacy incidents experienced by the Company. There can be no assurance that our cyber insurance policies will be sufficient in scope or amount to cover the costs and expenses related to any future cybersecurity incidents.
Governance
The full Board of Directors has overall responsibility for risk oversight, including cybersecurity matters. It is supported by the Audit Committee, which reports to the full Board of Directors. The Audit Committee receives updates from management on the cybersecurity landscape and cybersecurity risks impacting the Company. At least annually, the Board of Directors receives a cybersecurity update as part of our Company’s risk management program. Such updates are designed to ensure that the Company’s senior management team remain informed about and can monitor the prevention, detection, mitigation, and remediation of potential cybersecurity incidents.
At a management level, our cybersecurity program is led by our Information Technology manager, who reports to the Chief Financial Officer. Our Information Technology manager is supported by our third-party consultants. With over 25 years of Company experience, our Information Technology manager along with the support of our third-party consultants, is equipped to help navigate the landscape of cybersecurity risks and challenges.
While cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, future incidents may interrupt our operations and could materially adversely affect our business, results of operations and financial condition.
|