Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - LEE
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS
The Company has established processes to assess, identify, and manage material risks arising from cybersecurity threats (as defined in Item 106(a) of Regulation S-K). These processes are integrated into the Company's' overall risk management system. Material Effects of Cybersecurity Threats
The incident had a significant negative impact on our 2025 operating results. Various revenue lines were impacted, certain operating expenses were higher than they were prior to the incident, and many projects underway were significantly delayed. 
The risks described below could materially and adversely affect our business, financial condition and results of operations. We could also be affected by additional risks that apply to all companies operating in the U.S., as well as other risks that are not presently known to us or that we currently consider to be immaterial. These Risk Factors should be carefully reviewed in conjunction with Management's Discussion and Analysis of Financial Condition and Results of Operations in Item 7 and our Financial Statements and Supplementary Data in Item 8 of this Report. For ease of review, the risk factors generally have been grouped into categories, but many of the risks described in a given category relate to multiple categories.
Risks Related to our Business and Operations
Our advertising revenues may decline due to weakness in the retail sector.
A significant portion of our revenue is derived from advertising and a decline in the financial or economic conditions of our advertisers could alter discretionary spending by those advertisers. Our publications' and websites' advertisers are primarily retail businesses, which have been challenged in recent years by increased competition from online retailers. This trend has reduced and may continue to reduce advertising revenue from the brick-and-mortar retail sector. Specifically, advertising revenues may worsen if advertisers reduce their budgets, shift their spending priorities, are forced to consolidate, or cease operations.
Our ability to generate revenue is highly sensitive to the strength of the economies in which we operate and the demographics of the local communities we serve.
Our advertising and marketing services revenues and subscription revenues depend upon a number of factors, including the size and demographic characteristics of the local population; the general local economic conditions; and the economic condition of the retail segments in the communities that our publications serve. In the case of an economic downturn in a market, our publications, revenues, and profitability in that market could be adversely affected. Our advertising and marketing services revenues could also be affected by negative trends in the general economy that affect consumer spending. The advertisers in our newspapers, other publications, and related websites are primarily retail businesses that can be significantly affected by regional or national economic downturns and other developments. Declines in the U.S. economy could also significantly affect key advertising revenue categories, such as help wanted, real estate, and automotive.
Uncertainty and adverse changes in the general economic conditions of markets in which we participate and increases in costs of raw materials, energy, labor and other factors may negatively affect our business.
Our business and the companies with which we do business are subject to risks and uncertainties caused by factors beyond our control. Such factors include economic pressures related to high inflation, rising interest rates, economic weakness or recession, as well as geopolitical and public health events such as the wars in Ukraine and Israel, pandemics, and workforce expectations.
In the past, these and other similar conditions and events have resulted in, and could lead to, a tightening of credit and capital markets, lower levels of liquidity, lower consumer and business spending, unemployment, declines in real estate values, increases in employee-related costs, and other adverse economic conditions. These changes may negatively affect the sales of our products, increase exposure to losses from bad debts, increase the cost and decrease the availability of financing, or increase costs associated with publishing and distributing our publications. In addition, printing and distribution costs, including the costs of paper and ink, are a significant expense for us. We expect increases in these costs in the near-term from various factors, including increases in the cost of raw materials, energy, labor, transportation, and distribution, due to inflation and other adverse factors on the economy.
If we fail to maintain an effective system of internal control over financial reporting, we may not be able to accurately or timely report our financial results.If we fail to maintain an effective system of internal control over financial reporting, we may not be able to accurately or timely report our financial results. As a result, current and potential stockholders could lose confidence in our financial reporting, which would harm the business and trading price of our common stock.
As a public company, we are required to maintain effective internal controls for financial reporting and disclosure controls and procedures. In the past, our testing has revealed and in the future may reveal deficiencies in our
4
internal controls over financial reporting that are deemed to be material weaknesses. In the event we identify significant deficiencies or material weaknesses in our internal controls that we cannot remediate in a timely manner, the market price of our stock could decline if investors and others lose confidence in the reliability of our financial statements and we could be subject to sanctions or investigations by the SEC, Nasdaq, or other applicable regulatory authorities.
The collectability of accounts receivable under adverse economic conditions could deteriorate to a greater extent than provided for in our financial statements and in our projections of future results.
Adverse economic conditions in the U.S. may increase our exposure to losses resulting from financial distress, insolvency, and the potential bankruptcy of our advertising and marketing services customers. Our accounts receivable is stated at net estimated realizable value, and our allowance for credit losses has been determined based on several factors, including receivable agings, significant individual credit risk accounts, and historical experience. If such collectability estimates prove inaccurate, adjustments to future operating results could occur.
The value of our intangible assets may become further impaired, depending upon future operating results.
At September 28, 2025, the carrying value of our goodwill was $323.9 million, the carrying value of mastheads was $3.9 million, and the carrying value of our amortizable intangible assets was $48.0 million.At September 29, 2024, the carrying value of our goodwill was $328.0 million, the carrying value of mastheads was $10.9 million, and the carrying value of our amortizable intangible assets was $59.2 million. The indefinite-lived assets (goodwill and mastheads) are subject to annual impairment testing and more frequent testing upon the occurrence of certain events or significant changes in our circumstances that indicate all or a portion of their carrying values may no longer be recoverable, in which case a non-cash charge to earnings may be necessary in the relevant period. We may subsequently experience market pressures which could cause future cash flows to decline below our current expectations, or volatile equity markets could negatively impact market factors used in the impairment analysis, including earnings multiples, discount rates, and long-term growth rates. Any future evaluations requiring an asset impairment charge for goodwill or other intangible assets would adversely affect future reported results of operations and stockholders’ equity.
For further information on goodwill and intangible assets, see Note 4 — Goodwill and other intangible assets.
Attracting and retaining highly qualified personnel is difficult and costly, but the failure to do so could negatively affect our operations.
Our businesses depend on the efforts, abilities, and talents of our executive team and other highly qualified employees who possess substantial business, information technology, and operational knowledge. The market for such personnel, including technology-related, product and software development, data science, and digital marketing and sales roles is very competitive, and we cannot ensure success in retaining these employees or hiring and training replacement employees in a timely and cost-effective manner, particularly as we continue to focus on our digital products and services. The market for such personnel, including technology-related, product and software development, data science, and digital marketing and sales roles is very competitive, and we cannot ensure success in retaining these employees or hiring and training replacement employees in a timely and cost-effective manner, particularly as we continue to focus on our digital products and services. These risks have been exacerbated by recent labor constraints, a trend of increasing employee turnover, and inflationary pressures on employee wages and benefits. These risks have been exacerbated by recent labor constraints, a trend of increasing employee turnover, and inflationary pressures on employee wages and benefits.
Natural disasters, extreme weather conditions, public health emergencies or other catastrophic events could negatively affect our business, financial condition, and results of operations.
Natural disasters and extreme weather conditions, such as hurricanes, derecho windstorms, floods, earthquakes, wildfires; acts of terrorism or violence, including active-shooter situations; and public health issues, including pandemics and quarantines, could negatively affect our operations and financial performance. Such events could result in physical damage to our properties, disruptions to our IT systems, temporary or long-term disruption in the supply of products from our suppliers, and delays in the delivery of goods to our printing facilities. Public health issues, whether occurring in the U.S. or Canada, could disrupt our operations, the operations of suppliers, or have an adverse impact on consumer spending and confidence levels.
5
Risks Related to our Common Stock
We have no current plans to pay cash dividends on our common stock; as a result, you may not receive any return on investment unless you sell your common stock for a price greater than that which you paid for it.
We have no current plans to pay dividends on our common stock. Any future determination to pay dividends will be made at the discretion of our board of directors, subject to applicable laws, and will depend on a number of factors, including our financial condition, results of operations, capital requirements, contractual, legal, tax and regulatory restrictions, general business conditions and other factors that our board of directors may deem relevant. As a result, you may not receive any return on an investment in our common stock unless you sell your common stock for a price greater than that which you paid for it.
Provisions of our certificate of incorporation and by-laws may delay or prevent a takeover, which may not be in the best interest of our stockholders.
Provisions of Delaware law and our certificate of incorporation and our second amended and restated by-laws (the “by-laws”) could make the acquisition of our Company and the removal of incumbent officers and directors more difficult. Such provisions include restrictions as to when and by whom special meetings of our stockholders may be called. Further, our certificate of incorporation authorizes the issuance of up to 500,000 shares of serial convertible preferred stock and, if, as previously disclosed, certain proposed amendments to the Company’s amended and restated certificate of incorporation (the “Charter Amendments”) are approved by our stockholders at a special meeting of stockholders and effectuated by our board of directors, the Company would be authorized to issue up to an additional 20,000,000 shares of our common stock, 20,000,000 shares of convertible non-voting common stock, and 10,500,000 shares of “blank check” preferred stock with such rights, preferences, privileges and restrictions as may be determined from time to time by our board of directors in its sole discretion, and such preferred stock may be designated rights that could adversely affect the voting power or other rights of the holders of our common stock. Such Charter Amendments to the extent any shares of capital stock are ultimately issued by the Company may also have the effect of diluting equity ownership.
As a Delaware corporation, we are subject to the provisions of Section 203 of the Delaware General Corporation Law (the “DGCL”). In general, the statute prohibits a publicly-held Delaware corporation from engaging in a “business combination” with an “interested stockholder” for a period of three years after the date that the person became an interested stockholder unless, subject to certain exceptions, the business combination or the transaction in which the person became an interested stockholder is approved in a prescribed manner. These provisions may have the effect of delaying, deferring or preventing a change in control of our Company without further action by the stockholders.
Equity ownership may become diluted if we conduct the proposed rights offering or another potential equity financing transaction.
On November 10, 2025, we filed a registration statement with respect to the proposed rights offering of up to $50.0 million for general corporate purposes, including capital expenditures and working capital, as well as other activities necessary for our operations, such as investments in technology with respect to advertising strategies, audience outreach, our internal operations, and digital products. If we consummate the proposed rights offering or any other potential equity financing transaction, and existing common stockholders as of the record date do not participate, such non-participating holders will experience dilution in equity ownership. The proposed rights offering will be commenced only following the effectiveness of the registration statement relating to the proposed rights offering and will be made only by means of a prospectus.
The stockholder rights plan, or “poison pill,” includes terms and conditions that could discourage a takeover or other transaction that stockholders may consider favorable.
On March 28, 2024, our board of directors adopted the stockholder rights plan, pursuant to which each holder of record of voting common stock received one preferred share purchase right (a “Right”) for each share of voting common stock outstanding as of April 8, 2024. Each Right entitles the registered holder to purchase from the Company one one-thousandth of a share of Series C Participating Convertible Preferred Stock, without par value (the “Preferred Shares”), of the Company at a price of $90.00 per one one-thousandth of a Preferred Share represented by a Right, subject to adjustment. The stockholder rights plan was adopted in response to
6
stockholder activism concerns and is intended to protect us and our stockholders from efforts by a single stockholder or group of stockholders to obtain control of the Company without paying a control premium through a number of recognized stockholder protections. Generally, the stockholder rights plan works by causing substantial dilution to any person or group (other than specified exempt persons) that acquires 10% or more of the shares of our voting common stock without the approval of our board of directors. As a result, the overall effect of the stockholder rights plan may be to render more difficult or discourage a merger, tender or exchange offer or other business combination involving us that is not approved by our board of directors even if the offer may be considered beneficial by some stockholders.
Risk Related to Competition from Digital Media and Artificial Intelligence
Our operating revenue may be materially adversely affected if we do not successfully respond to the shift in newspaper readership and advertising expenditures away from traditional print media and towards digital media. Significant capital investments may be needed to respond to this shift.
Currently, a primary source of revenue is from advertising and marketing services, which accounts for 45% of our 2025 revenue. Subscription revenue accounts for 46% of our 2025 revenue. The media publishing industry has experienced rapid evolution in consumer demands and expectations due to advances in technology, which have led to a proliferation of delivery methods for news and information. The number of consumers who access online services through devices other than personal computers, such as tablets and mobile devices, has increased dramatically in recent years and likely will continue to increase. The media publishing industry also continues to be affected by demographic shifts, with older generations preferring more traditional print newspaper delivery and younger generations consuming news through digital media. Also, the revenues generated by media publishing companies have been affected significantly by the shift in advertising expenditures towards digital media.
The future revenue performance of our digital business depends to a significant degree upon the growth, development, and management of our subscriber and advertising audiences. The growth of our digital business over the long term depends on various factors, including, among other things, the ability to:
•Continue to increase digital audiences;
•Attract advertisers to our digital platforms;
•Tailor our products to efficiently and effectively deliver content and advertising on mobile devices;
•Maintain or increase the advertising rates on our digital platforms;
•Exploit new and existing technologies to distinguish our products and services from those of competitors and develop new content, products and services;
•Invest funds and resources in digital opportunities;
•Partner with, or use services from, providers that can assist us in effectively growing our digital business; and
•Create digital content and platforms that attract and engage audiences in our markets.
If we are unable to grow our digital audience, distinguish our products and services from those of our competitors or develop compelling new products and services that engage users across multiple platforms, then our business, financial condition, and results of operations may be adversely affected. Responding to the changes described above may require us to make significant capital investments and incur significant research and development costs related to building, maintaining, and evolving our technology infrastructure, and our ability to make the level of investments required may be limited.
7
We compete with a large number of companies in the local media industry, including digital media businesses and, if we are unable to compete effectively, our advertising and subscription revenues may decline.
We compete for audiences and advertising revenue with newspapers; digital media such as web-based digital platforms (e.We compete for audiences and advertising revenue with newspapers and other media such as web-based digital platforms (e. g., Alphabet, Amazon, Meta, X, TikTok etc.), streaming services, podcasts; and traditional media platforms including magazines, broadcast, cable and satellite television, radio, direct mail, and billboards. As use of the Internet and mobile devices increases, we lose revenue from classified advertising and subscribers to free Internet sites containing abbreviated versions of our publications. Some of our current and potential competitors have greater financial and other resources than we have. Some of our current and potential competitors have greater financial and other resources than we have. If we fail to compete effectively with competing newspapers and other media, our results of operations may be materially adversely affected.
We face significant competition from alternative providers of news, information, and entertainment services, some of which provide their products subscription-free. The rapid changes in technologies, platforms and business models and corresponding changes in consumer and customer behavior, may adversely affect our revenue streams if consumers or customers migrate to alternative mediums or providers. In addition, the number of choices available to consumers for content consumption has increased and may adversely impact demand for, and the price consumers are willing to pay for our products and services. In addition, the use of AI by bad actors presents increasingly complex and sophisticated security threats to our confidential subscriber, employee, and Company data, and we must make additional efforts to maintain network security. As the availability of free content grows so does a consumer trend toward subscription fatigue, which in turn, may negatively affect our circulation, subscription, and advertising revenue and increase subscriber acquisition and retention costs. For example, consumer preferences change frequently and are difficult to predict, and when faced with a multitude of choices, consumers may place greater value on the convenience and price of products and services than they do on their source, quality, or reliability.
Generative AI technology's continued growth, development, and evolution is shifting the landscape among our competitors to adopt AI technology as a tool to create and deliver content to customers as well as act as a stand-alone competitor and such evolutions of AI technology may negatively impact our ability to attract, engage, and retain audience and subscribers, maintain and grow other revenue streams, and other risks.
Recent advances and continued rapid development in generative AI technology may significantly alter the market for our products and services and shift our competitor's focus to adopting AI more quickly. The use of AI both as a tool for our competitors and stand-alone competition, may also affect our ability to monetize our digital audiences. In order to compete effectively, we must differentiate and distinguish our brands and our products and services, respond to and develop new technologies, distribution channels and platforms, products and services, and anticipate and consistently respond to changes in consumer and customer needs, preferences and behaviors.
In addition, online traffic and product and service purchases are also driven by internet search results, referrals from social media and other platforms and visibility on digital marketplace platforms and in mobile app stores. Search engine results and digital marketplace and mobile app store rankings are based on algorithms that are changed frequently, and social media and other platforms may also vary their emphasis on what content to highlight for users. Use of AI in search engines could result in decreased viewership and engagement with our media content. Any failure to successfully manage and adapt to these changes across our businesses, including those affecting how our content, apps, products, and services are discovered, prioritized, displayed, and monetized, could impede our ability to compete effectively by significantly decreasing traffic to our offerings, lowering advertiser interest in those offerings, increasing costs if free traffic is replaced with paid traffic and lowering advertising revenue and subscriptions.
Generative Artificial Intelligence (AI), as a rapidly developing technology, subjects us to risks involving security, protection of intellectual property, ethical concerns, brand trust, reputational harm, legal liability, and the maintenance and growth of revenue streams.
The safe and responsible integration of AI functionality as it rapidly evolves presents emerging ethical and legal challenges, and the use of such technologies may result in diminished brand trust and reputational harm.8Table of ContentsThe safe and responsible integration of AI functionality as it rapidly evolves presents emerging ethical and legal challenges, and the use of such technologies may result in diminished brand trust and reputational harm. Our competitors are integrating AI into their business practices which may result in competitive harm and the need to allocate significant resources to protect intellectual property. To responsibly remain competitive, we must develop and maintain our digital platform and ethically integrate new AI functionality in accordance with evolving compliance requirements. Developments in the AI field will simultaneously increase both competition and liability risks while also altering the market for our services. In addition, the use of AI by bad actors presents
8
increasingly complex and sophisticated security threats to our confidential subscriber, employee, and Company data, and we must make additional efforts to maintain network security.
Risks Related to Our Indebtedness and Liquidity
Our indebtedness could materially and adversely affect our business or financial condition.
Our current indebtedness, and any future debt incurred, could have significant consequences on our future operations, including making it more difficult to satisfy our debt obligations and meet our operational goals. Our entire outstanding indebtedness is encompassed in a 25-year term loan ("Term Loan") with BH Finance LLC, a Nebraska limited liability company affiliated with Berkshire Hathaway, Inc. ("BH Finance"), which was part of a broader comprehensive refinancing of all of our then-outstanding debt, including a Credit Agreement, dated January 29, 2020 (collectively, the "2020 Refinancing").
At its inception, the aggregate principal amount and applicable interest rate of the Term Loan was $576.0 million and 9% annual rate, respectively, the proceeds of which were used to refinance our then-outstanding debt and fund the acquisition of BH Media and Buffalo News. The Term Loan is collateralized by all Company assets. As of September 28, 2025, the Term Note has an aggregate principal outstanding amount of $455.5 million. Our ability to make scheduled payments depends on our financial condition and operating performance, which are subject to prevailing economic and competitive conditions and to certain financial, business, competitive, legislative, regulatory, and other factors beyond our control. We may be unable to maintain a level of cash flow sufficient to permit us to pay the principal and interest on our debt.
If our cash flow and capital resources are insufficient to fund our debt obligations, we could face liquidity issues and be forced to reduce or delay investments, acquisitions, and capital expenditures or sell assets or operations, seek additional capital or restructure or refinance our indebtedness. We cannot assure investors we would be able to take any of these alternative actions, such actions would be permitted under the terms of the Credit Agreement, and, even if successful, that such actions would permit us to meet our scheduled debt service obligations.
In addition, the 2020 Refinancing terms impose operating and financial restrictions, including restrictions on incurring additional indebtedness, creating certain liens, making certain investments or acquisitions, issuing dividends, repurchasing shares of Company stock, and engaging in other capital transactions. A failure to satisfy out debt service obligations on the Term Loan could give rise to default. Moreover, these restrictions limit our flexibility in planning for or reacting to changes in our business, the economy, in general, and the economies in which we operate, which, in turn increases our vulnerability to adverse financial consequences related to such changes.
A failure to satisfy our debt service obligations on the Term Loan could give rise to default and, in turn, the right of our lender to accelerate our indebtedness, making all principal and interest becoming due and payable.
Certain actions, including our ability to incur additional indebtedness, require the consent of our lender which, if not provided, would limit our ability to take advantage of future opportunities.
The terms of the 2020 Refinancing limit our ability to take certain actions without requisite lender approval and modification of the loan agreements. These limitations include restrictions on incurring additional indebtedness, creating certain liens, making certain investments or acquisitions, issuing dividends, repurchasing shares of Company stock, and engaging in other capital transactions. While we have an established relationship with BH Finance, whose priorities and interests are familiar to us, there is no assurance BH Finance will approve or consent to our activities, even if the activities are in the best interests of our stockholders. If we are unable to secure the required consent of BH Finance (including with respect to the proposed rights offering and other strategic or financing transactions), our ability to take advantage of future opportunities, including acquisition or financing opportunities, could be restricted.
9
Risks Related to Cybersecurity
Our business, operating results, and reputation may be negatively impacted, and we may be subject to legal and regulatory claims if there is a loss, destruction, disclosure, misappropriation, or alteration of or unauthorized access to data owned or maintained by us, or if we are the subject of a significant data breach or cyberattack.
We rely on our information technology and communications systems to manage our business data, including communications, news and advertising content, digital products, order entry, fulfillment and other business processes. These technologies and systems also help us manage many of our internal controls over financial reporting, disclosure controls and procedures and financial systems. Attempts to compromise information technology and communications systems occur regularly across many industries and sectors, and we may be vulnerable to security breaches resulting from accidental events (such as human error) or deliberate attacks. Moreover, the techniques used to attempt attacks and the perpetrators of such attacks are constantly expanding. We face threats both from use of malicious code (such as malware, viruses, and ransomware), employee theft or misuse, advanced persistent threats, and phishing and denial-of-service attacks. We have complied with all applicable legal requirements relating to this activity. The Company has complied with all applicable legal requirements relating to this activity. As cyberattacks become increasingly sophisticated, and as tools and resources become more readily available to malicious third parties, we will incur increased costs to secure its technology environment and there can be no guarantee that our and our third-party vendors’ actions, security measures and controls designed to prevent, detect or respond to security breaches, to limit access to data, to prevent destruction, alteration, or exfiltration of data, or to limit the negative impact from such attacks, can provide absolute security against compromise. As cyberattacks become increasingly sophisticated, and as tools and resources become more readily available to malicious third parties, the Company will incur increased costs to secure its technology environment and there can be no guarantee that the Company’s and our third-party vendors’ actions, security measures and controls designed to prevent, detect or respond to security breaches, to limit access to data, to prevent destruction, alteration, or exfiltration of data, or to limit the negative impact from such attacks, can provide absolute security against compromise. As a result, our business data, communications, news and advertising content, digital products, order entry, fulfillment and other business processes may be lost, destroyed, disclosed, misappropriated, altered or accessed without consent and various controls, automated procedures and financial systems could be compromised.
A significant security breach or other successful attack could result in significant remediation costs, including repairing system damage, engaging third-party experts, deploying additional personnel or vendor support, training employees, and compensation or incentives offered to third parties whose data has been compromised. These incidents may also lead to lost revenues resulting from a loss in competitive advantage due to the unauthorized disclosure, alteration, destruction or use of business data, the failure to retain or attract customers, the disruption of critical business processes or systems, and the diversion of management’s attention and resources. Moreover, such incidents may result in adverse media coverage, which may harm our reputation. These incidents may also lead to legal claims or proceedings, including regulatory investigations and actions and private lawsuits, and related legal fees, as well as potential settlements, judgments and fines. We maintain insurance, but the coverage and limits of our insurance policies may not be adequate to reimburse us for losses caused by security breaches.
On February 3, 2025, we experienced a cybersecurity incident that disrupted certain IT systems and resulted in unauthorized access to certain files (the “Cyber Incident”). The Cyber Incident had a significant negative impact on our 2025 operating results. Various revenue lines were impacted, certain operating expenses were higher than they were prior to the incident, and many projects underway were significantly delayed. For further discussion of how the Cyber Incident materially affected our business, see "Material Effects of Cybersecurity Threats under Item 1C — Cybersecurity" of this Annual Report.
Our possession and use of personal information and the use of payment cards by our customers present risks and expenses that could harm our business. Unauthorized access to or disclosure or manipulation of such data, whether through breach of our network security or otherwise, could expose us to liabilities and costly litigation and damage our reputation.
Our online systems store and process confidential subscriber and other sensitive data, such as names, email addresses, addresses, and other personal information. Therefore, maintaining our network security is critical. Additionally, we depend on the security of our third-party service providers. Unauthorized use of or inappropriate access to our, or our third-party service providers’ networks, computer systems and services could potentially jeopardize the security of confidential information, including payment card (credit or debit) information, of our customers. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launched against a target, we or our third-party service providers may be unable to anticipate these techniques or to implement adequate preventative measures. A party that is able to circumvent our security measures could misappropriate our
10
proprietary information or the information of our customers or users, cause interruption in our operations, or damage our computers or those of our customers or users. As a result of any such breaches, customers or users may assert claims of liability against us and these activities may subject us to legal claims, adversely impact our reputation, and interfere with our ability to provide our products and services, all of which may have an adverse effect on our business, financial condition and results of operations. As a result of any such breaches, customers or users may assert claims of liability against us and these activities may subject us to legal claims, adversely 11Table of Contentsimpact our reputation, and interfere with our ability to provide our products and services, all of which may have an adverse effect on our business, financial condition and results of operations. The coverage and limits of our insurance policies may not be adequate to reimburse us for losses caused by security breaches.
A significant number of our customers authorize us to bill their payment card accounts directly for all amounts charged by us. These customers provide payment card information and other personally identifiable information which, depending on the particular payment plan, may be maintained to facilitate future payment card transactions. Under payment card rules and our contracts with our card processors, if there is a breach of payment card information that we store, we could be liable to the banks that issue the payment cards for their related expenses and penalties. In addition, if we fail to follow payment card industry data security standards, even if there is no compromise of customer information, we could incur significant fines or lose our ability to give our customers the option of using payment cards. If we were unable to accept payment cards, our business would be seriously harmed.
There can be no assurance that any security measures we, or our third-party service providers, take will be effective in preventing a data breach. We may need to expend significant resources to protect against security breaches or to address problems caused by breaches. If an actual or perceived breach of our security occurs, the perception of the effectiveness of our security measures could be harmed and we could lose customers or users. Failure to protect confidential customer data or to provide customers with adequate notice of our privacy policies could also subject us to liabilities imposed by United States federal and state regulatory agencies or courts. We could also be subject to evolving state laws that impose data breach notification requirements, specific data security obligations, or other consumer privacy-related requirements. Our failure to comply with any of these laws or regulations may have an adverse effect on our business, financial condition and results of operations.
On February 3, 2025, we experienced a Cyber Incident that disrupted certain IT systems and resulted in unauthorized access to certain files. The Cyber Incident had a significant negative impact on our 2025 operating results. Various revenue lines were impacted, certain operating expenses were higher than they were prior to the incident, and many projects underway were significantly delayed. For further discussion concerning ongoing litigation related to the Cyber Incident, see "Note 19, Commitments and Contingencies," to the consolidated financial statements included in Item 8 of Part II of this Annual Report.
11
ITEM 1B. UNRESOLVED STAFF COMMENTS
None.
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT AND STRATEGY
Processes for Assessing, Identifying, and Managing Cybersecurity Risks
•The addition of an experienced Chief Information Security Officer ("CISO") with over 25 years of experience to lead the IT Cybersecurity and Compliance team.
•Yearly risk assessment designed to help identify material cybersecurity risks to our information systems (as defined in Item 106(a) of Regulation S-K) and data.
•A security incident response team that is responsible for managing our cybersecurity risk, security controls, response, and reporting cybersecurity incidents (as defined in Item 106(a) of Regulation S-K).
•A cyber and data security incident response plan with policies and procedures for identifying, managing, and recovering from cybersecurity incidents, including escalating tiers of notification and reporting depending on an incident's nature and severity.
•The use of third-party service providers, where appropriate, to manage, assess, test, and assist with aspects of our security controls, such as:
◦24/7 Security Operations Center Managed Services ("SOC") to monitor our cyber environment, correlate logs from all technology assets to identify potential signs of compromise and perform threat hunt exercises.
◦Enterprise-grade email security system managed services.
◦Perform penetration tests, vulnerability assessments, and vulnerability scans of our customer-facing sites, among others.
◦Prevention of denial-of-service attacks
•Cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents.
•Policies and procedures related to cybersecurity matters, including but not limited to Acceptable Standards of Use of Technology Systems, Confidential/Sensitive Information and Credit Card Handling Policy, encryption standards, antivirus protection, wireless and remote access, multi-factor authentication, access and change control, and physical security.
•Employee cybersecurity awareness by performing ongoing phishing exercises, and mandatory privacy and cybersecurity training (including spear phishing and other awareness training) for employees.
On February 3, 2025, we experienced a systems outage caused by a cybersecurity attack by threat actors who unlawfully accessed our network, encrypted critical applications, and exfiltrated certain files (herein defined as the "Cyber Incident"). Upon discovery, we promptly activated our incident response plan, engaging both internal teams and third-party cybersecurity experts.
During the year ended September 28, 2025, we incurred $10.5 million loss of cash flows related to the Cyber Incident. Approximately $3.7 million of this was incurred expenses that are recognized in "Restructuring and Other" in the Consolidated Statements of (Loss) Income and Comprehensive (Loss) Income. We have filed insurance claims for the remaining $6.8 million to cover business interruption and other costs. The Cyber
12
Incident remains under legal and forensic investigation, including evaluation of the extent and potential risk related to unauthorized access to sensitive data.
For a description of the risks related to cybersecurity that may materially affect us and how they may do so, see the “Risk Factors—Risks Related to Cybersecurity” section of this Report.
GOVERNANCE
Board of Directors Oversight
The Board of Directors plays a crucial role in overseeing our management of cybersecurity risks. The Audit and Risk Management Committee is specifically tasked with this responsibility, and it regularly reports to our Board regarding its activities, including those related to cybersecurity risk management. Our Board also receives periodic briefings from management on our cybersecurity risk management program, including presentations on cybersecurity topics from our Chief Information Officer, internal information security team, and third-party experts. Our Board also receives periodic briefings from management on our cybersecurity risk management program, including presentations on cybersecurity topics from our Chief Transformation Officer, Chief Information Officer, internal information security team, and third-party experts.
These briefings cover the current threat landscape, ongoing cybersecurity initiatives, and our response to significant incidents. These briefings cover the current threat landscape, ongoing cybersecurity initiatives, and the Company's response to significant incidents.
Management’s Role in Cybersecurity Risk Management
Management is actively involved in assessing and managing material risks from cybersecurity threats. The following processes are in place:
•Responsible Positions/Committees: The Chief Information Officer, and Chief Information Security Officer are responsible for assessing and managing cybersecurity risks. The individuals in these roles possess extensive expertise in cybersecurity. Specifically, the Chief Information Officer has over 25 years in Information Technology across multiple industries, and the Chief Information Security Officer has over 25 years in Security, Risk, Audit, and Compliance across various sectors, including both public and private.
•Monitoring and Response Processes: We have established processes to inform and monitor cybersecurity incidents for prevention, detection, and resolution using a 24/7 third-party SOC Managed Service. The SOC is responsible for providing alerts, updates, and remediation services as needed by monitoring all technology assets for potential signs of compromise and conducting threat hunt exercises.
•Reporting to the Board: Information about cybersecurity risks is regularly reported to the Board of Directors or its relevant committee. This reporting includes updates on our cybersecurity risk profile, significant incidents, and the effectiveness of mitigation strategies. This reporting includes updates on the Company's cybersecurity risk profile, significant incidents, and the effectiveness of mitigation strategies.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| NX | 20 hours ago |
| FSFG | 20 hours ago |
| EDSA | 20 hours ago |
| PRKA | 20 hours ago |
| ODRS | 21 hours ago |
| AMAT | 21 hours ago |
| JOUT | 23 hours ago |
| CIEN | 23 hours ago |
| PFX | 1 day, 7 hours ago |
| CMP | 1 day, 17 hours ago |
| FWDI | 1 day, 21 hours ago |
| NGVC | 1 day, 21 hours ago |
| MITK | 1 day, 21 hours ago |
| HPQ | 2 days, 20 hours ago |
| DLHC | 2 days, 20 hours ago |
| ASYS | 2 days, 21 hours ago |
| GNVR | 3 days, 2 hours ago |
| REVG | 3 days, 6 hours ago |
| GENC | 3 days, 21 hours ago |
| TSBK | 3 days, 23 hours ago |
| SGU | 4 days, 19 hours ago |
| SRXH | 1 week ago |
| JANL | 1 week ago |
| COO | 1 week ago |
| HRL | 1 week ago |
| NOTV | 1 week, 1 day ago |
| AZTA | 1 week, 1 day ago |
| XRPN | 1 week, 1 day ago |
| RGCO | 1 week, 2 days ago |
| HNNA | 1 week, 2 days ago |
| PAPL | 1 week, 2 days ago |
| VSTS | 1 week, 4 days ago |
| SLP | 1 week, 4 days ago |
| JCTC | 1 week, 4 days ago |
| ABQQ | 1 week, 4 days ago |
| ESE | 1 week, 4 days ago |
| CNBX | 1 week, 5 days ago |
| SNEX | 2 weeks ago |
| TMRC | 2 weeks ago |
| ALTX | 2 weeks ago |
| DBMM | 2 weeks ago |
| LEDS | 2 weeks, 1 day ago |
| LEXX | 2 weeks, 2 days ago |
| JJSF | 2 weeks, 2 days ago |
| UTI | 2 weeks, 2 days ago |
| IMKTA | 2 weeks, 2 days ago |
| MOG-A | 2 weeks, 3 days ago |
| LEE | 2 weeks, 3 days ago |
| CFFN | 2 weeks, 3 days ago |
| CENT | 2 weeks, 3 days ago |
