Xponential Fitness, Inc. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

Xponential Fitness, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:56:57 EDT.

Filings

10-K filed on 2025-03-14

Xponential Fitness, Inc. filed a 10-K at 2025-03-14 16:56:57 EDT
Accession Number: 0000950170-25-039541


Item 1C. Cybersecurity.

Risk Management and Strategy

We continue to develop and implement a framework designed to safeguard our organization’s digital assets from threats and vulnerabilities as part of our overall risk management system. It involves a systematic approach of identifying, assessing, and mitigating risks associated with our technology systems, data, and operations. Key components of this include:

- Vulnerability assessments - initiating regular evaluations to identify potential weaknesses in our systems.
- Security controls and policies - establishing robust security measures and formal company-wide policies.
- Employee training - training programs to ensure all employees are equipped to prevent and respond to cyber threats effectively.
- Incident response plan - designing and implementing a well-defined plan for addressing cybersecurity incidents.
- Continuous monitoring - establishing mechanisms for proactive monitoring of our environment to detect and respond to anomalies.

To ensure alignment with industry best practices we engage consultants or other third parties in conducting periodic assessments and testing of our policies, standards, processes, and practices.

Material risks are those that have the potential to cause substantial harm or financial loss. Our approach involves a targeted strategy to protect critical data, systems, and infrastructure against cybersecurity challenges including cyber threats, data breaches, or regulatory compliance issues.

Third-party risk mitigation in cybersecurity is a crucial aspect of safeguarding our digital assets and ensuring data integrity and privacy. We monitor and manage the potential vulnerabilities and security gaps that can arise when working with external vendors, partners, or suppliers who have access to sensitive information or systems. We assess the cybersecurity practices of our third parties by evaluating their compliance with security standards. Evaluating third-party compliance helps us mitigate the risks of data breaches or security incidents originating from external sources, ultimately safeguarding our reputation, legal compliance, and overall cybersecurity posture.

We believe that the risks from cybersecurity threats, including as a result of any previous cybersecurity events, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business, results of operations, cash flows and financial condition.

Governance

The audit committee of our board of directors has primary responsibility for overseeing our risk management process relating to cybersecurity, which includes risks arising from cybersecurity threats.

The Chief Technology Officer works together with our board of directors, audit committee, and members of executive management (“Cybersecurity Team”) to set the strategic digital landscape. The Cybersecurity Team provides strategic guidance and oversight to ensure our cybersecurity posture is robust and aligned with our overall objectives. The Cybersecurity Team does this by establishing cybersecurity policies and setting risk tolerance levels, approving budgets for security initiatives, and ensuring compliance with relevant regulations and standards. The Cybersecurity Team engages in regular and ad hoc discussions regarding incident response strategies to assess the preparedness for cyber threats and continually evaluates our incident response plans.

The Incident Response Team (“IRT”) is led by the Senior Vice President of Information Technology, who is the overall incident response coordinator. The IRT, under the guidance of the Chief Technology Officer, assesses risk and materiality of an incident and engages members of Cybersecurity Team as needed.

Through ongoing communications with these teams, the Chief Technology Officer and the Cybersecurity Team are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the board of directors and the audit committee when appropriate.

Our Chief Technology Officer’s experience includes various roles in information technology, data analytics, and information security at both public and private companies. Members of the Cybersecurity Team each hold undergraduate and, in some cases, graduate degrees in their respective fields, and each have experience managing risk at the Company or at similar companies, and assessing cybersecurity threats.


Company Information

Name: Xponential Fitness, Inc.
CIK: 0001802156
SIC Description: Services-Miscellaneous Amusement & Recreation
Ticker: XPOF - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30