GROUP 1 AUTOMOTIVE INC 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

GROUP 1 AUTOMOTIVE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 17:05:53 EST.

Filings

10-K filed on 2024-02-14

GROUP 1 AUTOMOTIVE INC filed an 10-K at 2024-02-14 17:05:53 EST
Accession Number: 0001031203-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks In the ordinary course of business, our information systems on which we run our business operations and store confidential or proprietary data, such as PII about our customers and our employees, are subject to potential cyber-attack. The techniques used by cyber attackers change frequently and may be difficult to detect for long periods of time. See Risk Factors for additional information about the risks to our business associated with a breach or compromise to our information technology ( IT ) systems. We have implemented security measures that are designed to detect and protect against cyberattacks. In particular, we seek to assess, identify and manage cybersecurity risks through the processes described below: Risk Assessment: A multi-layered system designed to protect and monitor data and cybersecurity risk has been implemented. Regular assessments and testing of our cybersecurity safeguards are conducted by independent third-party cybersecurity experts. Our internal audit department additionally conducts regular audits to assess management s processes and controls employed to identify and manage material cybersecurity risks. We use a variety of layered applications to alert us to suspicious activity. Incident Identification and Response: A security information and event management process ( SIEM ) has been implemented to help promptly identify cybersecurity incidents. In the event of any breach or cybersecurity incident, we have an incident response plan within our SIEM that is designed to provide for action to contain the incident, mitigate the impact, and restore normal operations efficiently. We conduct annual reviews of our cyber incident response plan. Cybersecurity Training and Awareness: Cybersecurity awareness among our employees is promoted with regular training and awareness programs. Employees who access our systems are required to undergo annual cybersecurity training and, each year, employees are required to test their understanding of our cybersecurity policies. Further, our employees that handle personally identifiable information are required to undergo training, including phishing exercises and awareness programs on the appropriate management, use and protection of that information. Access Controls: We have endeavored to implement physical access controls to prevent access to endpoints that may leave Company data vulnerable to attack. We have also sought to implement systems to prevent encrypted information from bypassing certain Company-defined information control mechanisms and have also sought to purge or wipe information from certain Company-defined endpoints after consecutive, unsuccessful logon attempts or other indicators of unauthorized access. Finally, we have implemented encrypted virtual private networks in an effort to enhance the integrity of remote connections and have endeavored to protect wireless access points to our systems using authentication of users and/or devices. Segmented networks and user access controls are used to limit unauthorized access to sensitive information and systems. Employees are required to use multi factor authentication and regularly update their passwords. Encryption and Data Protection: Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information, and other confidential data. We also have a program in place to monitor our retained data by identifying PII and ensuring it is not stored outside of approved locations and systems. We have endeavored to use strong, up-to-date encryption algorithms and to regularly update and patch systems in an effort to guard against vulnerabilities. Similarly, we have sought to manage encryption keys with use of a secure key management system and rotation of keys after use. We have implemented secure protocols, including, e.g., HTTPS for web traffic and SFTP for file transfers. Processes designed to monitor for cybersecurity incidents are also intended to protect our data. Our cybersecurity safeguards, including those provided by third parties, are designed to monitor for unauthorized access. These services are designed to monitor for both internal and external threats. Finally, we have implemented encrypted virtual private networks for remote connections. The above cybersecurity risk management processes are integrated into the Company s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered as an important component of our enterprise-wide risk management approach. 22 Impact of Risks from Cybersecurity Threats As of the date of this Report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Processes designed to monitor for cybersecurity incidents are also intended to protect our data. Our cybersecurity safeguards, including those provided by third parties, are designed to monitor for unauthorized access, extraction, and deletion of certain sensitive data, large quantities of data, and other anomalous network traffic. These services are designed to monitor for both internal and external threats. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems could have significant consequences to our business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See Risk Factors for additional information about the risks to our business associated with a breach or compromise to our IT systems. Board of Directors Oversight of Risks from Cybersecurity Threats The Board of Directors oversees risks from cybersecurity threats. The Board of Directors delegates oversight of our operations risk, including quarterly reviews of cybersecurity and data protection, to the Finance/Risk Management Committee, and delegates compliance with cybersecurity policies to the Audit Committee. Both the Finance/Risk Management Committee and the Audit Committee report to the full Board of Directors on cybersecurity matters. Additionally, on an annual basis, management reviews results from tests of key cybersecurity systems with the full Board of Directors and the steps taken to mitigate new cybersecurity risks which have been identified. The Finance/Risk Management Committee oversees the formal process to identify risks company-wide, allocate them to the appropriate committee of the Board of Directors, and ensure that risk mitigation activities are being followed. At each of its meetings, the Finance/Risk Management Committee receives presentations from our Chief Information Officer (the CIO ) on cybersecurity and information security risk, as well as our cybersecurity initiatives. The Audit Committee oversees compliance with cybersecurity policies with guidance from members of management, including the Vice President of Internal Audit, who informs the Audit Committee on the audit results of cybersecurity controls. Management s Role in Assessing and Managing Cybersecurity Threats Our IT and Security team, which is headed by our CIO, is responsible for our efforts to comply with cybersecurity standards, establish industry-recognized protocols and protect the integrity, confidentiality and availability of our IT infrastructure. Our CIO and various members of the IT and Security team, meet regularly with members of management to address key security and privacy issues. Our CIO has more than 24 years of infrastructure and cybersecurity experience and holds various relevant certifications. We also have formed a cyber event incident team, composed of our CIO, Chief Financial Officer, Corporate Controller, Chief Legal Officer and vice president of Internal Audit, who upon the occurrence of a cybersecurity incident, would convene to assess the materiality of the event as well as the appropriate remediation and escalation procedures, including escalation to our Chief Executive Officer and the Board of Directors. Our internal audit department additionally conducts regular audits to assess management s processes and controls employed to identify and manage material cybersecurity risks. 23

Company Information