OPENLANE, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

OPENLANE, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 17:15:27 EST.

Filings

10-K filed on 2024-02-21

OPENLANE, Inc. filed an 10-K at 2024-02-21 17:15:27 EST
Accession Number: 0001395942-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy The Company s enterprise risk management ( ERM ) program includes assessing, identifying and managing material risks from various sources, including those related to cybersecurity. The Company uses information from incident history, threat intelligence, formal and informal security networks, government information sharing and recognized information security frameworks to inform its cybersecurity risk management approach. The Company s cybersecurity risk management processes incorporate multiple layers of security to help identify and protect against cybersecurity threats including a dedicated cybersecurity team, technical security controls, policy enforcement, monitoring systems, employee training, contractual arrangements and management oversight. Given the dynamic nature of the cyber-threat environment, the Company engages third-party assessors, consultants and others from time to time to assist in various cyber-related matters, including assessing, enhancing, implementing and monitoring the Company’s cybersecurity risk management process. The Company maintains a vendor risk management program designed to identify and manage risks associated with third-party service providers, with management retaining responsibility for oversight of cybersecurity threats. The Company also maintains an incident response plan that includes escalation criteria and preliminary materiality assessments to guide disclosure objectives. The Company describes risks related to cybersecurity threats that could materially impact its business strategy, results of operations or financial condition under the heading Risk Factors. Material impacts could include loss of access to systems and data, financial costs and reputational harm, among others. Governance Management is responsible for assessing and managing risk at the Company, including communicating the most material risks to the Board of Directors and its committees. The Board of Directors has primary responsibility for risk oversight, with a focus on the most significant risks facing the Company. With respect to cybersecurity risks, the Risk Committee of the Board of Directors ( Risk Committee ) provides oversight for matters specifically relating to cybersecurity and other risks related to information technology systems and procedures, including but not limited to data security and privacy. Management leverages the collective expertise of the Company s information security function which reports to the Chief Financial Officer through the Company s Chief Information Security Officer ( CISO ). The CISO has served in this position for the Company since 2017, holds various relevant credentials including CISSP (Certified Information Systems Security Professional), and has extensive cybersecurity experience having served in information technology roles for over 35 years and cybersecurity leadership roles for 15 years. The CISO reports to the Risk Committee quarterly on information security matters, including, among other things, the Company s cyber risks and threats, the status of projects to further strengthen the Company s 26 Table of Contents information security systems, assessments of the Company s security program and the emerging regulatory and threat landscape. The CISO also briefs the full Board of Directors on cybersecurity matters at least annually. As described above, management informs the Risk Committee about prevention, detection, mitigation and remediation of cybersecurity incidents quarterly and monitors such matters continuously. The Risk Committee reviews and discusses with management the quality and effectiveness of the Company s efforts to mitigate such risks and reports such findings to the Board of Directors.

Company Information