Page last updated on April 11, 2024
FORD MOTOR CREDIT CO LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-06 19:36:22 EST.
Filings
10-K filed on 2024-02-06
FORD MOTOR CREDIT CO LLC filed an 10-K at 2024-02-06 19:36:22 EST
Accession Number: 0000038009-24-000016
Item 1C. Cybersecurity.
While no organization can eliminate cybersecurity risk entirely, we devote significant resources to our security program that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. Our efforts focus on protecting and enhancing the security of our information systems, software, networks, and other assets. These efforts are designed to protect against, and mitigate the effects of, among other things, cybersecurity incidents where unauthorized parties attempt to access confidential, sensitive, or personal information; potentially hold such information for ransom; destroy data; disrupt or degrade service or our operations; sabotage systems; or otherwise cause harm to Ford and Ford Credit, our customers, suppliers, or dealers, or other key stakeholders. We employ capabilities, processes, and other security measures we believe are designed to reduce and mitigate these risks, and have requirements for our suppliers to do the same. Data safeguard practices of suppliers who process Personally Identifiable Information on our behalf are reviewed annually for compliance with our policies and applicable regulations. Despite having thorough due diligence, onboarding, and cybersecurity assessment processes in place for our suppliers, there can be no assurance that we can prevent the risk of any compromise or failure in the information systems, software, networks, and other assets owned or controlled by our suppliers. When we do become aware that a supplier’s cybersecurity has been compromised, we attempt to mitigate the risk to the Company, including, if appropriate and feasible, by terminating the supplier’s connection to our information systems. Notwithstanding our efforts to mitigate any such risk, there can be no assurance that the compromise or failure of supplier information systems, technology assets, or cybersecurity programs would not have an adverse effect on the security of the Company’s information systems.
In an effort to effectively prevent, detect, and respond to cybersecurity threats, we employ a multi-layered cybersecurity risk management program supervised by Ford’s Chief Information Security Officer, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, architecture, and processes. The team provides cybersecurity services for Ford and its affiliates, including Ford Credit. The services provided to Ford Credit and its affiliates are governed by appropriate service agreements with Ford. Local regional teams and designated responsible individuals work with the enterprise-wide team to provide cybersecurity-related services in compliance with local requirements. The team’s responsibility includes identifying, considering, and assessing potentially material cybersecurity incidents on an ongoing basis, establishing processes designed to prevent and monitor potential cybersecurity risks, implementing mitigation and remedial measures, and maintaining the cybersecurity program. To do so, the program leverages both internal and external techniques and expertise. Internally, among other things, we perform penetration tests, internal tests/code reviews, and simulations using cybersecurity professionals (often referred to as “white hackers” or a “Red Team”) to assess vulnerabilities in our information systems and evaluate our cyber defense capabilities. We also perform phishing and social engineering simulations with, and provide cybersecurity training for, personnel with Company email and access to Company assets. On a monthly basis, we disseminate security awareness newsletters to employees to highlight emerging or urgent cybersecurity threats and best practices. Externally, we monitor notifications from the U.S. Computer Emergency Readiness Team (“CERT”) and various Information Sharing and Analysis Centers (each an “ISAC”); review customer, media, and third-party cybersecurity reports; and offer bounties to responsible third-parties who notify us of vulnerabilities they are able to detect in our cyber defenses (commonly referred to as a “Bug Bounty”). Our capabilities, processes, and other security measures also include, without limitation:
- Security Information and Event Management (“SIEM”) software, which provides a threat detection, compliance, and security incident management system;
- Endpoint Detection and Response (“EDR”) software, which monitors for malicious activities on external-facing endpoints (e.g., Windows workstations, servers, MAC clients, and Linux endpoints);
- Cloud monitoring, running on primary public and private cloud environments; and
- Disaster recovery and incident response plans, including a ransomware response plan.
We invest in enhancing our cybersecurity capabilities and strengthening our partnerships with appropriate business partners, service partners, and government and law enforcement agencies to understand the range of cybersecurity risks in the operating environment, enhance defenses, and improve resiliency against cybersecurity threats. Additionally, Ford is a member of the Financial Services and Information Technology ISACs and both a founding member and board member of the Automotive ISAC. Ford’s membership with these industry cybersecurity groups assists in the efforts to protect Ford and Ford Credit against both enterprise and in-vehicle security risks.
Ford and Ford Credit’s global cybersecurity incident response is overseen by Ford’s Chief Information Security Officer. Ford’s Chief Information Security Officer has served in that role for over 6 years and has over a decade of engineering and operations expertise with cybersecurity technologies and services. He was appointed in 2022 by the Ford Credit Board as Ford Credit’s “Qualified Individual” under the Federal Trade Commission Safeguards Rule, and is responsible for overseeing and implementing Ford Credit’s information security program and enforcing it. Ford Credit’s Chief Technology Officer is Ford Credit’s senior member responsible for direction and oversight of the Qualified Individual. Ford’s Chief Information Security Officer also reports to Ford Motor Company’s Chief Enterprise Technology Officer, who has spent over two decades leading digital and technology organizations at both enterprise software companies and Fortune 50 enterprises. Ford’s Chief Enterprise Technology Officer reports directly to Ford’s Chief Executive Officer.
When a cybersecurity threat or incident is identified, our policy is to review and triage the threat or incident, and to then manage it to conclusion in accordance with our cybersecurity incident response processes. When a cybersecurity incident is determined to be significant, it is addressed by management committees using processes that leverage subject-matter expertise from across Ford and Ford Credit. Further, we engage third-party advisors, from time to time, as part of our incident management processes. All cybersecurity incidents that are identified as reasonably having the potential to be highly significant to Ford and Ford Credit are brought to the attention of Ford’s Chief Enterprise Technology Officer and General Counsel by Ford’s Chief Information Security Officer as part of the Company’s cybersecurity incident response processes.
Cybersecurity risk management is an integral part of Ford Credit’s overall enterprise risk management program. As part of its enterprise risk management efforts, the Ford Credit Board meets with senior management to assess and respond to critical business risks. Critical enterprise risks are assessed by senior management annually and discussed with the Ford Credit Board. Once identified, each of the risks viewed as most significant is assigned an executive risk owner who is responsible to oversee risk assessment, develop and implement mitigation plans, and provide regular updates to the Board (and/or Board committee assigned to the risk). Cybersecurity threats have been and continue to be identified as one of the Company’s top risks, with Ford Credit’s Chief Technology Officer assigned as the executive risk owner. Ford Credit’s Board is responsible for the oversight of cybersecurity and information technology risks, and Ford Credit’s preparedness for these risks.
As part of its oversight responsibilities, the Ford Credit Board receives annual cybersecurity updates from Ford’s Chief Information Security Officer. The annual review includes oversight of cybersecurity practices, cyber risks, and risk management processes, such as updates to Ford Credit’s cybersecurity programs and mitigation strategies, and other cybersecurity developments. In addition, Ford Credit’s Compliance Committee reviews at least annually Ford Credit’s cybersecurity programs, and the Ford Credit Audit Committee receives updates on Ford Credit’s cybersecurity initiatives and information technology internal controls. In addition to these regular updates, as part of Ford Credit’s incident response processes, Ford Credit’s Chief Technology Officer, in collaboration with Ford Credit’s Qualified Individual and Chief Compliance Officer, provides updates on certain cybersecurity incidents to Ford Credit’s Compliance Committee and, in some cases, the Ford Credit Board of Directors. In the event Ford Credit determines it has experienced a material cybersecurity incident, Ford Credit’s Audit Committee and Chief Compliance Officer are notified about the incident in advance of filing a Current Report on Form 8-K.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. Moreover, we, our suppliers, and our dealers are the target of cybersecurity incidents, and such threats are continuing and evolving, which may cause cybersecurity incidents to be more difficult to detect for periods of time. Our networks and Ford’s in-vehicle systems, sharing similar architectures, could also be impacted by, or a cybersecurity incident may result from, the negligence or misconduct of insiders or third parties who have access to these networks and systems. A cybersecurity incident could harm our reputation, cause customers to lose trust in our security measures, and/or subject us to regulatory actions or litigation, which may result in fines, penalties, judgments, or injunctions, and a cybersecurity incident involving us or one of our suppliers could impact our business strategy, results of operations, financial condition, or our reputation. For additional information, see “Operational information systems, security systems, vehicles, and services could be affected by cybersecurity incidents, ransomware attacks, and other disruptions and impact Ford and Ford Credit as well as their suppliers and dealers” on page 15.
Company Information
| Name | FORD MOTOR CREDIT CO LLC |
| CIK | 0000038009 |
| SIC Description | Miscellaneous Business Credit Institution |
| Ticker | |
| Website | |
| Category | Non-accelerated filer |
| Fiscal Year End | December 30 |