LiveWire Group, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

LiveWire Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:51:11 EST.

Filings

10-K filed on 2024-02-23

LiveWire Group, Inc. filed an 10-K at 2024-02-23 16:51:11 EST
Accession Number: 0001898795-24-000066

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management Strategy The Company has implemented a cybersecurity program intended to assess, identify, manage and reduce cybersecurity risk. Through our partnership with Harley-Davidson we maintain an IT incident response plan that is designed to protect against, identify, evaluate, respond to, and recover from an incident. The plan is designed to be flexible so it may be adapted to an array of potential scenarios and includes a cybersecurity incident response team in the event of a cyber incident. The incident response team is a cross-functional group that is composed of both Company and Harley-Davidson personnel and external service providers, and which is tailored to a particular incident so that individuals with appropriate experience and expertise are available. Currently the Company contracts for such cybersecurity services through the Master Services Agreement with Harley-Davidson, in addition to leveraging its own information technology and security tools and teams. We have invested in tools and technologies intended to protect our data and business systems, and we monitor our computing environment on an ongoing basis to help identify and assess risk. In addition, we have implemented a cybersecurity training program designed to educate and train employees how to identify, potentially avoid and report cybersecurity threats. It is focused on helping our workforce recognize, avoid falling victim to and raise the visibility of potential cyber threats and scams. In addition, periodic cybersecurity awareness messages are posted to employees on the Company portal as new threats and scams develop throughout the year. Through the Master Services Agreement with Harley-Davidson, we take measures to regularly update and improve our cybersecurity program, including conducting assessments, performing penetration testing and scanning of our systems for vulnerabilities using external third-party tools and techniques to test security controls, auditing applicable data policies, and monitoring emerging laws and regulations related to information security. We design our program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, this does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST Cybersecurity Framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. In addition, we periodically engage third-party advisors to assess the effectiveness of our cybersecurity program, policies and practices. We rely on Harley-Davidson to regularly consult with external advisors and cybersecurity providers regarding opportunities and enhancements to strengthen our policies and practices. With respect to third-party service providers, our cybersecurity program includes conducting due diligence of relevant and material service providers information security programs prior to onboarding. In general we also contractually require material third-party service providers with access to our information technology systems, sensitive business data or personal information to implement and maintain reasonably appropriate security controls and to use our personal information only to provide services to us, except as required by law. 55 While the Company has experienced, and may in the future experience, cybersecurity incidents, prior incidents have not materially affected the Company s business, results of operations or financial condition. Although the Company has invested in the protection of its data and information technology and monitors its systems on an ongoing basis, there can be no assurance that such efforts will in the future prevent material compromises to Company information technology systems that could have a material adverse effect on the Company s business. See Item 1A. Risk Factors, which are incorporated by reference into this Item 1C. Governance Our Board of Directors has risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight activities. Cybersecurity is a critical component of our overall risk management program. Our Board of Directors is actively involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis. The Audit and Finance Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are fully integrated into our enterprise risk management systems. The Audit and Finance Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs. Our cybersecurity program is contracted through and led by Harley-Davidson s Chief Information Security Officer (CISO) who is responsible for assessing and managing the Company s information security and technology risks (including cybersecurity). On December 15, 2023, the Harley-Davidson CISO announced his retirement from Harley-Davidson, and since that time, Harley-Davidson’s Chief Digital and Operations Officer is serving as the acting Harley-Davidson CISO, executing all of the responsibilities of the CISO while Harley-Davidson conducts a search to fill the position. Harley-Davidson s Chief Digital and Operations Officer has extensive experience in leading information systems management, strategy and operational execution, including information security and incident management, prevention and response. The Harley-Davidson CISO meets regularly with our Head of Digital to review and discuss our cybersecurity and other information technology risks and opportunities. Our cybersecurity incident response plan sets forth a security incident management and reporting protocol, with escalation timelines and responsibilities. The Audit and Finance Committee receives periodic updates from the Harley-Davidson CISO or his designee on our cybersecurity program, including industry trends, the current state of our business systems, and any current known risks or concerns related thereto. The Audit and Finance Committee is involved in reviewing our information security and technology risks, including with respect to cybersecurity and reports on such matters to the Board as necessary, and at least annually.
Item 1C. Governance Our Board of Directors has risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight activities. Cybersecurity is a critical component of our overall risk management program. Our Board of Directors is actively involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis. The Audit and Finance Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are fully integrated into our enterprise risk management systems. The Audit and Finance Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs. Our cybersecurity program is contracted through and led by Harley-Davidson s Chief Information Security Officer (CISO) who is responsible for assessing and managing the Company s information security and technology risks (including cybersecurity). On December 15, 2023, the Harley-Davidson CISO announced his retirement from Harley-Davidson, and since that time, Harley-Davidson’s Chief Digital and Operations Officer is serving as the acting Harley-Davidson CISO, executing all of the responsibilities of the CISO while Harley-Davidson conducts a search to fill the position. Harley-Davidson s Chief Digital and Operations Officer has extensive experience in leading information systems management, strategy and operational execution, including information security and incident management, prevention and response. The Harley-Davidson CISO meets regularly with our Head of Digital to review and discuss our cybersecurity and other information technology risks and opportunities. Our cybersecurity incident response plan sets forth a security incident management and reporting protocol, with escalation timelines and responsibilities. The Audit and Finance Committee receives periodic updates from the Harley-Davidson CISO or his designee on our cybersecurity program, including industry trends, the current state of our business systems, and any current known risks or concerns related thereto. The Audit and Finance Committee is involved in reviewing our information security and technology risks, including with respect to cybersecurity and reports on such matters to the Board as necessary, and at least annually.

Company Information