CarGurus, Inc. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

CarGurus, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:10:51 EST.

Filings

10-K filed on 2024-02-26

CarGurus, Inc. filed an 10-K at 2024-02-26 16:10:51 EST
Accession Number: 0000950170-24-020157

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have policies, procedures, and processes for assessing, identifying, and managing cybersecurity risks, which are built into our overall information technology function and are designed to help protect our information assets and operations from internal and external cyber threats as well as secure our networks and systems. Such processes include procedural and technical safeguards, response plans, regular vulnerability and penetration tests on our systems and product applications, incident simulations, and routine review of our policies and procedures to identify risks and improve our practices. Our security incident response plan is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to assess the severity of, escalate, contain, investigate, and remediate incidents as well as to comply with applicable legal obligations. We maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks, and other related breaches. We engage certain external parties to enhance our cybersecurity processes and strategies. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, we evaluate the security and risk posture according to the perceived level of risk and in accordance with industry standard best practices. The Audit Committee of the Board of Directors provides direct oversight over cybersecurity risk and provides regular updates to the Board of Directors regarding such oversight. The Audit Committee regularly meets with members of management responsible for data privacy, technology, and information security risks to discuss these risks, risk management activities, incident response plans, best practices, the effectiveness of our security measures, and other related matters. Our Vice President, Information Security and Technology, who reports to our Chief Technology Officer, leads the operational oversight of company-wide cybersecurity strategy, policy, standards, and processes and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. Specific cybersecurity related responsibilities include overseeing our processes and strategies for the detection, mitigation, and remediation of cybersecurity incidents. Our Vice President, Information Security and Technology has extensive experience assessing and managing cybersecurity and risk programs having served in the current position for us since December 2020 and prior Senior Director level positions in Security and Privacy at several private and public Software as a Service, or SaaS, companies. Specialized knowledge also results from our Vice President, Information Security and Technology holding a Master of Information Security and Assurance from Norwich University. In an effort to deter and detect cyber threats, we annually provide all employees, including part-time employees, with a data protection, cybersecurity, and incident response and prevention training program, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use, and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity threats and risks and to bolster our employee-based cybersecurity programs. Despite our cybersecurity efforts, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Part I, Item 1A, Risk Factors, in this Annual Report for a discussion of cybersecurity risks. 43

Company Information