FALSE000093541900009354192026-04-072026-04-07
United States
Securities and Exchange Commission
Washington, D.C. 20549
FORM 8-K
Current Report
Pursuant to Section 13 or 15(d) of
The Securities Exchange Act of 1934
Date of Report (Date of earliest event reported): April 7, 2026
RCI HOSPITALITY HOLDINGS, INC.
(Exact Name of Registrant as Specified in Its Charter)
| | | | | | | | |
| Texas | 001-13992 | 76-0458229 |
(State or Other Jurisdiction of Incorporation) | (Commission File Number) | (IRS Employer Identification No.) |
10737 Cutten Road
Houston, Texas 77066
(Address of Principal Executive Offices, Including Zip Code)
(281) 397-6730
(Issuer’s Telephone Number, Including Area Code)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
| | | | | |
| o | Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) |
| |
| o | Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a -12) |
| |
| o | Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d -2(b)) |
| |
| o | Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e -4(c)) |
Securities registered pursuant to Section 12(b) of the Act:
| | | | | | | | | | | | | | |
| Title of each class | | Trading Symbol(s) | | Name of each exchange on which registered |
| Common stock, $0.01 par value | | RICK | | The Nasdaq Global Market |
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company o
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. o
ITEM 8.01 OTHER EVENTS
RCI Internet Services, Inc., a subsidiary of RCI Hospitality Holdings, Inc., (the “Company”), recently discovered on March 23, 2026 that it sustained a cybersecurity incident starting March 19, 2026. The incident did not impact the business operations of the Company.
Upon detecting the incident, the Company promptly took steps to investigate and respond with the assistance of third-party cybersecurity firms. As the investigation concluded on April 7, 2026, the Company learned that a potential insecure direct object reference vulnerability was present on its internet information services (“IIS”) web server. To remediate, the Company promptly enhanced its technical security posture, including expanding the use of multifactor authentication and disabling external access to the IIS. As a result of this incident, the Company believes that certain personal information, including names and contact information, dates of birth, social security numbers, and driver’s license numbers, with respect to numerous independent contractors was accessed without authorization. To the Company’s knowledge, the unauthorized actor has not publicly disseminated the data. None of our customer information or financial systems were accessed. The Company is continuing to review the impacted data and will provide the required notifications to affected parties and applicable regulatory entities.
As of the date of this filing, the Company believes that the incident will not have a material adverse effect on its business operations. The Company continues to investigate the incident and will incur expenses in the fiscal year directly and indirectly related to the event. The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident, subject to deductibles, exclusions and limits.
Forward-Looking Statements.
The information included in this Item 8.01 contains forward-looking statements within the meaning of U.S. Private Securities Litigation Reform Act of 1995, including, without limitation, statements regarding the extent and potential impact of the cybersecurity incident, the means by which the unauthorized third-party accessed the internal IT system, the nature of data that may have been copied, the notification of affected parties and applicable regulatory agencies, the potential effect on our financial condition and results of operations, and the expected cybersecurity insurance policy coverage. The forward-looking statements in this Form 8-K are subject to risks and uncertainties that could cause actual results and events to differ materially from those anticipated in these forward-looking statements.
Factors that might cause actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to, our ongoing assessment of the impacts of the cybersecurity incident, including the potential discovery of additional information related to the incident in connection with our ongoing investigation or otherwise; our ability to remediate the cybersecurity incident; the impact of the cybersecurity incident on our relationships with employers, employees, independent contractors and governmental regulators; the legal, reputational, and financial risks resulting from the cybersecurity incident, including as may arise from any potential regulatory inquiries and/or litigation to which we may become subject in connection with the incident; remediation and other additional costs that we may incur in connection with the investigation and remediation of the incident; and the risks and uncertainties discussed in our other periodic filings with the Securities and Exchange Commission (“SEC”), including our Annual Report on Form 10-K for the fiscal year ended September 30, 2025 and other Quarterly Reports on Form 10-Q and Current Reports on Form 8-K filed with the SEC, available at www.sec.gov, under the caption “Risk Factors” and elsewhere. The Company does not undertake any obligation to update any forward-looking statements to reflect new information or events or circumstances occurring after the date of this Form 8-K, except as may be required by applicable law.
ITEM 9.01 FINANCIAL STATEMENTS AND EXHIBITS
(d) Exhibits
| | | | | | | | |
| Exhibit Number | | Description |
| | | |
| 104 | | Cover Page Interactive Data File (embedded within the Inline XBRL document) |
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
| | | | | | | | |
| RCI HOSPITALITY HOLDINGS, INC. |
| | |
Date: April 10, 2026 | By: | /s/ Travis Reese |
| | Travis Reese |
| | Interim President and Chief Executive Officer |