LITHIA MOTORS INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

LITHIA MOTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 17:14:27 EST.

Filings

10-K filed on 2024-02-23

LITHIA MOTORS INC filed a 10-K at 2024-02-23 17:14:27 EST
Accession Number: 0001023128-24-000032


Item 1C. Cybersecurity.

Assessing, identifying, and managing material risks from cybersecurity threats

We are committed to maintaining robust cybersecurity practices to safeguard our information assets and ensure the confidentiality, integrity, and availability of our operations. We employ a comprehensive approach to assess, identify, and manage material risks arising from cybersecurity threats. The identification and oversight of material cybersecurity risks is included in continuous Enterprise Risk Management (ERM) Committee and Board of Directors meetings and reporting.

We complete regular cybersecurity assessments to identify potential vulnerabilities and threats, analyzing our infrastructure, systems, and data. Assessments are conducted both internally and by third parties and consider internal and external factors, technological changes, regulatory requirements, and emerging cyber threats. Our cybersecurity program adheres to widely recognized standards for managing cybersecurity risk, including the National Institute of Standards and Technology Cybersecurity Framework, Center for Internet Security Controls and UK Cyber Essentials.

We use advanced threat detection tools and technologies to identify potential cybersecurity risks. This includes continuous monitoring, intrusion detection systems, and anomaly detection mechanisms, to promptly identify any unusual activities or security breaches. Threat intelligence sharing with industry partners helps ensure we stay informed about the latest cybersecurity threats.

We assess cybersecurity risks for their potential impact on our operations, data, and reputation. Risks are prioritized based on their severity and likelihood of occurrence before implementing appropriate controls, safeguards, and mitigation measures to address and manage these risks effectively.

We have developed a well-defined and frequently updated information security incident response plan that outlines procedures to be followed in the event of a cybersecurity incident. The plan is periodically drilled with incident response team members and includes robust processes for identification, categorization, escalation and reporting of incidents. Employees are regularly trained on key cybersecurity subjects to ensure awareness.

While no company can or will be completely immune from cybersecurity threats, especially as they relate to vendors and government agencies that we rely on, we know of no cybersecurity incident that has or is likely to materially affect us, our business strategy, or our results of operations, or financial condition.

Board of Directors Cybersecurity Oversight

Our Board of Directors oversees our cybersecurity and data protection strategy and appoints a director to lead the Board's efforts. Our Board is briefed on our cybersecurity posture, current and future risks and potential incidents or vulnerabilities on a quarterly basis. Board members and executives participate in engagements on cybersecurity, such as simulated cyber incident response and crisis management exercises. Our Board also regularly receives and reviews third-party cybersecurity assessments, which include assessments of our cyber maturity and cyber risk.

Management's Assessment and Response to Material Risks from Cybersecurity Threats

Our information security team and its leadership have primary responsibility for assessing and managing cybersecurity risks, within the scope of the overall ERM Committee. Such individuals collectively have over 80 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. Cybersecurity threats are reported to management through robust and documented incident reporting processes.

Our ERM Committee is comprised of Information Security, Legal, Treasury and other key executive stakeholders. The committee meets on a quarterly basis or as necessary to assess and respond to enterprise risks, including cybersecurity. The ERM Committee reports updates to the Board of Directors when appropriate and at least on an annual basis.


Company Information

Name: LITHIA MOTORS INC
CIK: 0001023128
SIC Description: Retail-Auto Dealers & Gasoline Stations
Ticker: LAD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30