SONIC AUTOMOTIVE INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

SONIC AUTOMOTIVE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:00:48 EST.

Filings

10-K filed on 2024-02-22

SONIC AUTOMOTIVE INC filed an 10-K at 2024-02-22 16:00:48 EST
Accession Number: 0001043509-24-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity, our information technology and infrastructure may be vulnerable to attacks by hackers or breaches due to employee error, malfeasance or other disruptions. These cybersecurity risks include vulnerability to cyberattack of our internal or externally hosted business applications; interruption of service or access to systems may affect our ability to deliver vehicles or complete transactions with customers; unauthorized access or theft of customer or employee personal confidential information, including financial information, or strategically sensitive data; disruption of communications (both internally and externally) that may affect the quality of information used to make informed business decisions; and damage to our reputation as a result of a breach in security that could affect the financial security of our customers. Any cybersecurity breach or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, regulatory penalties or damage to our reputation, and cause a loss of confidence in our services, which could materially adversely affect our competitive position, results of operations and financial condition. 21 SONIC AUTOMOTIVE, INC. RISK FACTORS We may be subject to substantial withdrawal liability assessments in the future related to a multiemployer pension plan to which certain of our dealerships make contributions pursuant to collective bargaining agreements. Three of our dealership subsidiaries in northern California currently make fixed-dollar contributions to the Automotive Industries Pension Plan (the AI Pension Plan ) pursuant to collective bargaining agreements between our subsidiaries and the International Association of Machinists (the IAM ). The AI Pension Plan is a multiemployer plan as defined under the Employee Retirement Income Security Act of 1974, as amended. Three of our dealership subsidiaries actively contribute to the AI Pension Plan under collective bargaining agreements with the IAM. These subsidiaries employ approximately 160 individuals, which constitutes less than 2% of our total workforce. In March 2008, the Board of Trustees of the AI Pension Plan notified participants, participating employers and local unions that the AI Pension Plan s actuary had issued a certification that the AI Pension Plan was in critical status. In conjunction with the AI Pension Plan s critical status, all participating employers were required to increase employer contributions to the AI Pension Plan for a seven-year period which commenced in 2013. As of April 2023, the AI Pension Plan s actuary certified that the AI Pension Plan remained in Critical Status for the plan year commencing January 1, 2023, with the projected pension liability underfunded by approximately $1.0 billion and projected to become insolvent in the 2032 plan year. In July 2023, the Pension Benefit Guaranty Corporation approved an application by the AI Pension Plan for special financial assistance in the amount of approximately $1.1 billion to address the underfunded status of the plan. Under applicable federal law, any employer contributing to a multiemployer pension plan that completely ceases participating in the plan while the plan is underfunded is subject to payment of such employer s assessed share of the aggregate unfunded vested benefits of the plan. In certain circumstances, an employer can be assessed withdrawal liability for a partial withdrawal from a multiemployer pension plan. If any of these adverse events were to occur in the future, it could result in a substantial withdrawal liability assessment that could have a material adverse effect on our business, financial condition, results of operations or cash flows. Tax positions may exist related to our tax filings that could be challenged by governmental agencies and result in higher income tax expenses and affect our overall liquidity if we are unable to successfully defend these tax positions. We are subject to audits by federal and state governmental income tax agencies on a continual basis. During the course of those audits, the agencies may disagree with or challenge tax positions taken on tax returns filed for Sonic and its subsidiaries. As a result of these audits, the agencies may issue assessments and penalties based on their understanding of the underlying facts and circumstances. In the event we are not able to arrive at an agreeable resolution, we may be forced to litigate these matters. If we are unsuccessful in litigation, our results of operations and financial position may be negatively impacted. Impairment of our goodwill, other intangible assets or other long-lived assets could have a material adverse impact on our earnings. Goodwill and other intangible assets are subject to impairment assessments at least annually or more frequently when events or changes in circumstances indicate that an impairment may have occurred. Pursuant to applicable accounting pronouncements, we evaluate goodwill for impairment annually on April 30, or more frequently if an event occurs or circumstances change that would more likely than not reduce the fair value of a reporting unit below its carrying amount. We describe the process for testing goodwill and other intangible assets more thoroughly under the heading Critical Accounting Estimates in Item 7. Management s Discussion and Analysis of Financial Condition and Results of Operations. A significant amount of our goodwill is related to our franchised dealerships reporting unit, and we have significant other intangible assets associated with acquisitions of franchised dealerships. If we determine that the amount of our goodwill or other intangible assets is impaired at any point in time, we are required to reduce the balances recorded on our balance sheet. If goodwill or other intangible assets are impaired based on a future impairment test, we will be required to record a significant non-cash impairment charge that may also have a material adverse effect on our results of operations for the period in which the impairment of goodwill or other intangible assets occurs. As of December 31, 2023, our balance sheet reflected a carrying amount of approximately $253.8 million in goodwill and approximately $417.4 million in other intangible assets, net. 22 SONIC AUTOMOTIVE, INC. RISK FACTORS We are also required to test for impairment of other long-lived assets in the event certain conditions exist that may indicate the recorded value of the assets is not recoverable through future operating cash flows. These conditions include, but are not limited to, a decrease in the market pricing of a long-lived asset group, a significant change in the extent or manner in which a long-lived asset group is being used or its physical condition, a significant adverse change in legal factors or business climate that could affect the value of a long-lived asset group, an accumulation of costs significant in excess of the amount originally expected for the acquisition or construction of a long-lived asset group, a current-period operating cash flow loss combined with a history of operating cash flow losses or a projection or forecast that demonstrates continuing losses associated with the use of a long-lived asset group, or a current expectation that, more likely than not, a long-lived asset group will be sold or otherwise disposed of significantly before the end of its previously estimated useful life. If we determine that the amount of certain long-lived asset groups are impaired, we are required to reduce the balances recorded on our consolidated balance sheet, which may result in a significant non-cash impairment charge. 23 SONIC AUTOMOTIVE, INC. Item 1B. Unresolved Staff Comments. None. Item 1C. Cybersecurity. Risk Management and Strategy Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (the NIST ) Cybersecurity Framework. We leverage technology for our business advantage and have invested in internal and external business applications. Our regular operations involve handling sensitive data, including proprietary business information, intellectual property, and personally identifiable information of our customers, suppliers, and employees. To ensure the safety of this data, the Vice President of Information Security provides oversight and establishes central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Any risks from cybersecurity threats to our products and services are communicated to our general counsel and senior management and if deemed material, are further reviewed by the Audit Committee of our Board of Directors. We also periodically engage third-party consultants to help us assess, enhance, implement and monitor our cybersecurity risk management programs and respond to any incidents. We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See General Risk Factors in Item 1A. Risk Factors of this Annual Report on Form 10-K. Governance Our Board of Directors is responsible for overseeing enterprise risk and has delegated the responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee. Our Vice President of Information Security provides periodic updates to the Audit Committee in order to assist the Audit Committee in understanding the implications of cybersecurity risks. The Audit Committee meets regularly to ensure a shared understanding of cybersecurity risks, to review new regulations or laws, and to provide guidance on complex risk issues. Our Information Security team has gained their expertise in information technology ( IT ) and cybersecurity through a combination of education, relevant degrees, certifications and prior work experience. As part of the cybersecurity process, their respective teams inform them about the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Information Security team has adopted the NIST Cybersecurity Framework as a reference to manage cybersecurity risks. This framework enables the team to implement a comprehensive statement of activities and responsibilities that cover data, information architecture, risk communications, emerging technology, third-party risk, IT operations, and regulation. By following industry best practices, the team has established a recognized baseline for engaging external firms to audit and test the resiliency of the cybersecurity program.
Item 1C. Cybersecurity. Risk Management and Strategy Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (the NIST ) Cybersecurity Framework. We leverage technology for our business advantage and have invested in internal and external business applications. Our regular operations involve handling sensitive data, including proprietary business information, intellectual property, and personally identifiable information of our customers, suppliers, and employees. To ensure the safety of this data, the Vice President of Information Security provides oversight and establishes central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Any risks from cybersecurity threats to our products and services are communicated to our general counsel and senior management and if deemed material, are further reviewed by the Audit Committee of our Board of Directors. We also periodically engage third-party consultants to help us assess, enhance, implement and monitor our cybersecurity risk management programs and respond to any incidents. We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See General Risk Factors in Item 1A. Risk Factors of this Annual Report on Form 10-K. Governance Our Board of Directors is responsible for overseeing enterprise risk and has delegated the responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee. Our Vice President of Information Security provides periodic updates to the Audit Committee in order to assist the Audit Committee in understanding the implications of cybersecurity risks. The Audit Committee meets regularly to ensure a shared understanding of cybersecurity risks, to review new regulations or laws, and to provide guidance on complex risk issues. Our Information Security team has gained their expertise in information technology ( IT ) and cybersecurity through a combination of education, relevant degrees, certifications and prior work experience. As part of the cybersecurity process, their respective teams inform them about the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Information Security team has adopted the NIST Cybersecurity Framework as a reference to manage cybersecurity risks. This framework enables the team to implement a comprehensive statement of activities and responsibilities that cover data, information architecture, risk communications, emerging technology, third-party risk, IT operations, and regulation. By following industry best practices, the team has established a recognized baseline for engaging external firms to audit and test the resiliency of the cybersecurity program.

Company Information