PENSKE AUTOMOTIVE GROUP, INC. 10-K Cybersecurity GRC - 2024-02-16

Page last updated on May 6, 2024

PENSKE AUTOMOTIVE GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:44:57 EST.

Filings

10-K filed on 2024-02-16

PENSKE AUTOMOTIVE GROUP, INC. filed an 10-K at 2024-02-16 16:44:57 EST
Accession Number: 0001019849-24-000033

Item 1C. Cybersecurity.

Risk Management Processes. We recognize the importance of assessing, identifying, and managing material risks from cybersecurity threats to our business and operations and developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems. As a result, we have integrated the management of cybersecurity threats into our broader risk management efforts, implementing policies and procedures to promote cybersecurity risk management and enhance mitigation efforts against cyber-attacks and similar threats. To help secure our systems that store or transmit electronic information, we have implemented multi-layered preventive controls which use aggregated intelligence to proactively detect, block and evaluate attacks. We also maintain a Chief Information Officer who is charged with implementing and overseeing our comprehensive written Information Security Program. In connection with our Information Security Program, we perform cybersecurity risk assessments at least annually to analyze the materiality of identified risks, the likelihood of such risks materializing, and the scope and intensity of adverse impacts if such risks result in the compromise of our information systems or sensitive information stored by us or on our behalf.

Our Information Security Program includes proactive measures to manage cybersecurity risks and threats, including mandatory annual security awareness training for all personnel with enhanced training for designated information security personnel; enterprise-wide phishing simulations and security assessments; a business continuity and recovery plan in the event of a cybersecurity incident; and the implementation of targeted access controls and various other measures, including multi-factor authentication, with respect to certain systems containing sensitive information. We have also implemented an incident response plan to guide our response to cybersecurity incidents, with a dedicated, cross-functional response team, including senior management from our information technology, information security, finance, risk management, investor relations and legal teams, responsible for overseeing efforts related to detection, containment, threat mitigation and notification, as appropriate. We identify vulnerabilities in our information systems through proactive scanning of system assets for known vulnerabilities. Our outsourced managed security source operates 24/7, identifying threats and vulnerabilities, and our information security team regularly monitors alerts and meets to discuss trends in cybersecurity threats. We proactively manage vulnerabilities from major software publishers through a global patching program. To prevent unauthorized access to our information systems, we have a system of controls in place to manage user access to our information systems. Our employees acknowledge an acceptable use policy and are trained in how to identify information security risks in the workplace.

Third Party Engagement and Oversight. We engage third-party service providers, including consultants and auditors, to monitor and protect critical assets from cyber-attacks and to enhance certain components of our Information Security Program, including to assist us with annual security assessments, penetration and vulnerability testing, email and web filtering, endpoint protection, and consultation on certain cybersecurity enhancements. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current. To oversee and identify cybersecurity threats associated with our use of third-party service providers, we periodically audit and review certain information security practices of critical vendors in possession of sensitive information, including through seeking responses to cybersecurity questionnaires. In the ordinary course of business, we also rely on contractual obligations from certain third-party service providers to meet certain information security standards and to notify and cooperate with us in the event of qualifying cybersecurity incidents.

Board of Directors Oversight. Our business is managed under the direction of our Board of Directors (“the Board”), which guides our long-term strategy and represents the highest level of oversight at the Company. Our Board views the identification and effective management of cybersecurity threats as a critical component of overall risk management and oversight responsibilities. To that end, the Board assures that we maintain robust corporate governance policies designed to promote our culture of uncompromised integrity that have been implemented in a manner that facilitates active oversight and engagement regarding various cybersecurity matters. Consistent with these policies, the Board receives updates regarding cybersecurity threats in connection with its regularly scheduled meetings, as appropriate, and as part of its ongoing strategy and risk management sessions, engages in discussions regarding cybersecurity threats to our operations. In addition to this direct oversight, the Board has delegated oversight responsibilities with respect to cybersecurity risks to the Audit Committee of the Board. In addition to its oversight of the quality and integrity of the Company’s financial statements and internal audit functions, the Audit Committee is also responsible for reviewing the Company’s key risk areas, including cybersecurity risks.

Management’s Role in Managing Risk. As noted above, we have a designated Chief Information Officer who is charged with implementing and overseeing our comprehensive written Information Security Program. With over 25 years of experience in the field of information technology and cybersecurity, our Chief Information Officer brings a wealth of expertise to his role and maintains both Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications and additional personnel on our information security team have cybersecurity experience and certifications. Our Chief Information Officer’s background includes extensive experience as an enterprise chief information officer and is well-recognized within our industry. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our Chief Information Officer reviews with senior management, at least quarterly, the status of our Information Security Program, identified threats to our data security, and cyber incidents relevant to our operations and reviews these matters with our Board and/or Audit Committee at least annually, or more frequently when appropriate. Further, at least quarterly, our senior leadership team, including our Chief Financial Officer, General Counsel, Chief Information Officer, Executive Vice President of Financial Services, and Global Risk Management, prepares a comprehensive summary of certain key risks facing the Company (the “Risk Report”). The Risk Report includes feedback from multiple constituencies within the Company, incorporating and evaluating heightened risk areas identified by senior management, functional area teams within the organization, and management at the regional and local dealership levels. In addition to various enterprise-wide risks identified throughout this management-led process, the Risk Report highlights cybersecurity risks, tasking the Chief Information Officer or his designees with the responsibility to monitor such risks and, as appropriate, implement risk mitigation strategies. The Risk Report also clarifies that both the Board and the Audit Committee retain oversight of such risks. The Risk Report is shared and discussed at least quarterly with the Audit Committee and periodically, with the full Board, with certain specified risks and mitigation efforts reported to the Board or designated standing committees on a more frequent basis, as appropriate.

We and others across our industry face a number of cybersecurity risks in connection with our business and operations. Although such risks have not materially affected our business strategy, results of operations, or financial condition to date, we have, from time to time, experienced threats to, and incidents in connection with, our information systems. Any security breach or event resulting in the unauthorized disclosure of our information or the information of our customers or the degradation of services provided by our critical business systems, whether by us directly or our third-party service providers, could adversely affect our business operations, sales, reputation with current and potential customers, associates, or vendors as well as other operational and financial impacts derived from investigations, litigation, the imposition of penalties, or other means. For more information about the cybersecurity risks we face, see the risk factors entitled “Information technology,” “Cybersecurity” and “Regulatory Issues - Privacy Regulation” in discussed in Item 1A. Risk Factors.

Company Information