KinderCare Learning Companies, Inc. 10-K Cybersecurity GRC - 2025-03-21

Page last updated on March 21, 2025

KinderCare Learning Companies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-21 16:15:38 EDT.

Filings

10-K filed on 2025-03-21

KinderCare Learning Companies, Inc. filed a 10-K at 2025-03-21 16:15:38 EDT
Accession Number: 0000950170-25-043210

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We recognize the importance of developing, implementing and maintaining cybersecurity measures designed to safeguard our information systems and protect the confidentiality, integrity and availability of our data. Risk management and strategy In the ordinary course of our business, we and our third-party service providers collect, maintain and transmit sensitive data on our networks and systems, including confidential business information such as child, parent and employee personal information. The secure maintenance of this information is critical to our business and reputation. In addition, we are heavily dependent on the functioning of our information technology infrastructure to carry out our business processes. While we have adopted administrative, technical and physical safeguards to protect such systems and data, our systems and those of third-party service providers may be vulnerable to a cyber-attack. We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include frameworks to respond to and assess internal and external threats to the security, confidentiality, and integrity of our data and information systems, along with other material risks to our operations, which we review with our IT leadership, information security steering committee, and Audit Committee at least twice annually or whenever there are material changes to our systems or operations. 37 Our IT department is tasked with evaluating and addressing cybersecurity risks in alignment with our business objectives and operational needs. We have processes to detect potential vulnerabilities and anomalies through technical safeguards. As part of our risk management process, we conduct regular IT security audits to assess and respond to internal and external security threats and engage outside providers to conduct periodic internal and external penetration testing. We rely on third parties, including cloud vendors and consultants, for various business functions. Many of our third-party service providers have access to our information systems and data, and we rely on such third parties for the continuous operation of our business operations. We oversee third-party service providers by conducting vendor diligence. Vendors are generally assessed for risk based on the nature of their service, access to data and systems and supply chain risk and, based on that assessment, we conduct diligence that may include completing security questionnaires, onsite evaluation, and scans or other technical evaluations. Governance Our Board of Directors has established oversight mechanisms to manage risks from cybersecurity threats. Our Audit Committee has primary responsibility for oversight of cybersecurity, including the responsibility to review and discuss with management and the Company’s auditors, as appropriate, management risks relating to data privacy, technology and information security, including cyber security and back-up of information systems , and the steps the Company has taken to monitor and control such exposures and the responsibility to confer with management and the Company’s auditors the adequacy and effectiveness of the Company’s information and cyber security policies and the internal controls regarding information security. The Audit Committee, or the Board of Directors as a whole, is briefed on any material cybersecurity incidents that may adversely affect the Company and on cybersecurity risks in general at least twice each year . At the management level, our cybersecurity program is managed by our Head of Information Security & Compliance who reports to our Chief Information Officer . Our Head of Information Security & Compliance has over 30 years of IT security experience. Our Head of Information Security & Compliance and IT Department implement processes around security monitoring and vulnerability testing. Our Head of Information Security & Compliance reports at least twice annually to the Audit Committee and such reporting will include topics such as our risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses and recommendations for changes and updates to policies and procedures. Although we have experienced cybersecurity incidents in the past, as of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our continuing efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive or business harm or damage to our Company, loss of intellectual property rights, significant costs or the Company being subject to government investigations, litigation, fines or damages. For more information, see “We rely significantly on the use of information technology, as well as those of our third-party service providers. Any significant failure, inadequacy, interruption or data security incident of our information technology systems, or those of our third-party service providers, could disrupt our business operations, which could have a material adverse effect on our business, prospects, results of operations, financial condition and/ or cash flows.” under Item 1A. Risk Factors.

Company Information