TrueCar, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

TrueCar, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 17:37:58 EST.

Filings

10-K filed on 2024-02-21

TrueCar, Inc. filed an 10-K at 2024-02-21 17:37:58 EST
Accession Number: 0001327318-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a combination of third party assessments, internal audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: proactively review systems and applications, audit against applicable data security policies, perform penetration testing to test security controls, encourage proactive vulnerability reporting, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We have implemented incident response and breach management processes which have four overarching and interconnected stages: detection of a security incident, identification and containment, response, eradication and recovery, and post-incident analysis. Incident responses are overseen by leaders from our Software and Infrastructure Engineering, Compliance and Legal teams. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact. We also conduct tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborate with other stakeholders across our organization to further analyze the risk to the company and form detection, mitigation and remediation strategies. As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. Our risk management program also assesses third party risks, and we have a third-party risk management program designed to identify and mitigate risks from vendors, suppliers, and other business partners. Cybersecurity risks are evaluated when selecting third-party service providers. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business included within Item 1A of this Annual Report on Form 10-K. In the last three fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. As part of our Board s overall responsibility for oversight of management s general risk identification and management activities, our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee review and discuss with management and our auditors the Company s cybersecurity risks and the steps that management has taken to protect against threats to the Company s information systems and security and review risk and mitigation steps taken by management related to data privacy. Members of the Audit Committee also receive cybersecurity updates on a quarterly basis from senior management. This update includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. 52 Table of Contents Our cybersecurity risk management and strategy processes are overseen by leaders from our Software and Infrastructure Engineering, Compliance and Legal teams. These individuals have prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.

Company Information