RCI Hospitality Holdings, Inc. Reports Cybersecurity Incident – Company Responds and Assesses Impact

HOUSTON, TX, April 10, 2026 – RCI Hospitality Holdings, Inc. (NASDAQ: RICK), a prominent operator in the hospitality and entertainment sector, has disclosed a cybersecurity incident involving its wholly-owned subsidiary, RCI Internet Services, Inc. The company detailed the event in its latest Form 8-K filing with the Securities and Exchange Commission.

Key Points from the Report

• Incident Discovery: RCI Internet Services, Inc. detected a cybersecurity event on March 23, 2026, which had commenced on March 19, 2026.
• Nature of Incident: The incident involved a potential insecure direct object reference vulnerability on the company’s Internet Information Services (IIS) web server.
• Business Impact: RCI Hospitality Holdings states that business operations were not impacted by the incident.
• Response Actions: Upon detection, RCI acted promptly to investigate and respond, engaging third-party cybersecurity experts to assist. The investigation concluded on April 7, 2026, and remediation measures, including technical security enhancements, were implemented immediately.
• Regulatory and Legal Response: The company has started the process of notifying affected parties and applicable regulatory entities, as required.
• Insurance Coverage: RCI maintains a comprehensive cybersecurity insurance policy designed to cover costs related to incident response, investigation, remediation, regulatory actions, business interruption, and legal proceedings, subject to policy deductibles, exclusions, and limits.
• Financial Impact: As of the date of the filing, RCI believes the cybersecurity incident will not have a material adverse effect on its business operations. However, the company expects to incur expenses in fiscal 2026 directly and indirectly related to the event.
• Forward-Looking Statements: The report contains forward-looking statements regarding the potential impact and scope of the cybersecurity incident, insurance coverage expectations, and ongoing investigations. These statements are subject to risks and uncertainties as the company continues its assessment and remediation processes.

Important Considerations for Shareholders

• Potential Share Price Sensitivity: The disclosure of a cybersecurity incident—even if operations were not interrupted—can be a price-sensitive event for investors. Data breaches and cyberattacks may affect a company’s reputation, invite regulatory scrutiny, and lead to unforeseen expenses or litigation.
• Ongoing Investigation: RCI is still investigating the full scope of the incident. Should additional information emerge, it could alter the company’s assessment of the impact, including potential legal, reputational, or financial consequences.
• Expenses and Insurance: The company’s statement that it will “incur expenses in the fiscal year directly and indirectly related to the event” points to potential hits to profit margins. While insurance coverage is in place, the extent of coverage (and any exclusions) could affect the net financial outcome.
• Regulatory and Legal Risks: The report notes the possibility of regulatory inquiries or litigation related to the incident. Such actions could become material if regulators or litigants seek significant penalties or damages.
• No Immediate Material Adverse Effect: As of now, the company does not expect the incident to be material to its operations. However, the situation is subject to change pending ongoing investigation results.

Additional Details from the Filing

• Subsidiary Involved: The incident specifically affected RCI Internet Services, Inc., a subsidiary of RCI Hospitality Holdings, Inc.
• Remediation Efforts: The company acted quickly to enhance technical security, indicating a proactive cybersecurity stance. Details on specific measures or affected data have not yet been disclosed.
• Policy Coverage: The company’s cyber insurance covers “incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings.”
• Forward-Looking Risks: The company cautions that forward-looking statements are subject to risks, including further discoveries in the investigation, impacts on stakeholder relationships, regulatory and legal proceedings, and remediation costs. Investors are directed to review the “Risk Factors” section in RCI’s latest 10-K and 10-Q filings for more information.
• Signatory: The filing was signed by Travis Reese, Interim President and Chief Executive Officer, on April 10, 2026.

Conclusion

This cybersecurity incident is a noteworthy development for shareholders and potential investors. While RCI Hospitality Holdings, Inc. has stated that its business operations were not impacted and that the financial effect is not expected to be material at this time, the evolving nature of the investigation, potential for regulatory or legal action, and possible future disclosures could all influence the company’s financial results and share price.

Disclaimer: This article is for informational purposes only and does not constitute investment advice. The information is based on the company’s public SEC filing as of April 10, 2026. Forward-looking statements are subject to risks and uncertainties; actual outcomes may differ materially. Investors are encouraged to review all official filings and consult with a financial advisor before making investment decisions.

View RCI HOSPITALITY HOLDINGS, INC. Historical chart here