Pinstripes Holdings, Inc. - (PNST)

10-K Filing Date: June 28, 2024
Item 1C. Cybersecurity
In the ordinary course of our business, we collect, store and transmit sensitive information, including intellectual property, proprietary business information and personal information, in connection with business operations. Additionally, we leverage our third-party service providers to collect, use, store and transmit confidential, sensitive, proprietary and personal information. The secure maintenance of this information and our information technology (IT) systems is important to our operations and business strategy.
We are committed to protecting the confidentiality, integrity and availability of our information systems from cybersecurity threats. We recognize that cybersecurity is a dynamic and evolving area of risk that requires ongoing assessment, management and oversight. The Company works with third-party providers to assess, identify, manage and mitigate material cybersecurity threats, as well as to respond to and recover from cybersecurity incidents.
Cybersecurity Risk Management and Strategy
As part of our overall risk management program, we have increased our attention to cybersecurity. We deploy both physical and technical safeguards, including but not limited to firewalls, anti-malware functionality and access controls. We have implemented processes designed to assess, identify and manage risks from potential unauthorized occurrences on or through our IT systems that may result in adverse effects on our systems and the data residing therein.
Our primary source of cybersecurity risk relates to security of our third-party service providers, whose activities and scale may present more desirable targets. We manage cybersecurity risk through a variety of tactics, including (i) the structure of our systems and platforms, (ii) the contractual terms with our third-party service providers, (iii) compliance with applicable regulations and continuous improvement around best practices, (iv) mitigating user error and human vulnerabilities through training and guidance and (v) the placement of cybersecurity insurance policies. We also negotiate with our third-party service providers about a variety of monitoring, testing, and reporting provisions so that we can work with them to better address vulnerabilities. This may include sharing SOC 1 or 2 Type 2 audit reports and confirmation that third-party service providers are adhering to applicable laws.
As a restaurant, we are subject to Payment Card Industry Data Security Standards (“PCI-DSS”) and we take steps to make sure that we are compliant with those standards. We also continue to monitor evolving laws and regulations related to security and privacy and look for opportunities to improve our systems based on evolving best practices in the IT industry.
These processes and systems are managed and monitored internally by our VP of Technology and include mechanisms, controls, technologies, systems and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable IT environment.
We have not encountered any cybersecurity threats or experienced previous cybersecurity incidents that have materially affected or that we believe are reasonably likely to materially affect us, including our day-to-day operations, business strategy, results of operations or our financial condition. Additional information on cybersecurity risks we face can be found in “Risk Factors”, which should be read in conjunction with the foregoing information.
Governance
The Board, in coordination with the Audit Committee, oversees the Company’s cybersecurity program and risk management strategy. The Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee receives periodic updates on cybersecurity, including immediate notification of any material cybersecurity events, information technology matters and related risk exposures from management. The Board receives updates from management and the Audit Committee on cybersecurity risks.
Our CEO, CFO, VP of Technology and Director of IT play a primary role in informing the Audit Committee on cybersecurity risks. Our VP of Technology has over 19 years of experience in the technology space including oversight of cybersecurity, and our Director of IT has over four years of experience with the Company, which includes managing cybersecurity. These individuals monitor activity and potential risks related to the day-to-day operations of the business, including reviewing results from third-party service providers. They will provide briefings to the Audit Committee on a periodic basis regarding cybersecurity matters, incident reporting, risk mitigation and any regulatory compliance.