CARMAX INC 10-K Cybersecurity GRC - 2024-04-15

Page last updated on April 15, 2024

CARMAX INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-15 10:36:38 EDT.

Filings

10-K filed on 2024-04-15

CARMAX INC filed an 10-K at 2024-04-15 10:36:38 EDT
Accession Number: 0001170010-24-000034

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. CarMax s cybersecurity program is designed to help ensure the proper assessment, identification, and management of the company s risks from cybersecurity threats and is integrated into our overall risk management system. The company s cybersecurity program is staffed by well-trained and experienced cybersecurity professionals and includes technology controls, proactive identification of data security vulnerabilities, and quarterly, or as needed, reporting by management to the Technology and Innovation Committee of the Board of Directors (the Board ). CarMax s cybersecurity team manages the company s Incident Response Plan, which establishes a comprehensive system and process for tracking and logging cybersecurity occurrences, reviewing the occurrences to determine whether remediation or escalation is appropriate and escalating certain occurrences to the company s Chief Information Security Officer (the CISO ) for further review and assessment. CarMax has an established review and escalation process for assessing cybersecurity occurrences and, if necessary, escalating cybersecurity incidents to members of our senior management team. We monitor industry trends to prioritize and mitigate cybersecurity risk for our customers, associates and business, and to remain apprised of industry developments and emerging threats. CarMax engages in testing to improve our cybersecurity approach internally and with third-party vendors and conducts exercises based on current threat intelligence. Additionally, all CarMax associates are required to complete the company s cybersecurity training program on an annual basis. The company engages a third-party with extensive experience in cybersecurity to periodically perform a maturity analysis of CarMax s cybersecurity program as compared to peer companies. We conduct annual tabletop exercises, guided by a third-party cybersecurity firm, with key members of our cybersecurity and legal teams to assess the company’s readiness and capabilities to respond to a cyber-attack. At least annually, we also conduct third-party penetration tests to enhance the security of our digital systems, and we employ network scanning to help us identify any newly developed vulnerabilities or threats. Our third-party intake process incorporates cybersecurity risk into the assessment of our third-party vendors when we engage a new vendor or experience a change in relationship with an existing vendor. Further, CarMax s cybersecurity team conducts reviews of the company s third-party vendors depending on the vendor s risk profile as determined by the company s cybersecurity team. The company s cybersecurity program is led and overseen by our Chief Information and Technology Officer (the CITO ) and our CISO. The CITO joined CarMax in 2012, reports to our Chief Executive Officer and has served in various technology leadership roles in startup organizations and Fortune 500 companies across the retail, travel, hospitality, finance, and technology industries for over 20 years. The company s CISO reports to the CITO, joined CarMax in 2015 and has served in various roles in information technology for over 20 years, including prior service as the vice president of information security, risk and compliance for a Fortune 500 company. The Board s Technology and Innovation Committee assists in the Board s oversight of the company s cybersecurity risk. The Committee monitors and oversees the company s exposure to cybersecurity occurrences as well as the company s approach to managing cybersecurity risk, including how to reasonably control and monitor cybersecurity risks and effectively assign management oversight and responsibility. CarMax s management team, including the CITO and the CISO, provide quarterly updates to the Committee regarding the cybersecurity landscape and the company s security posture in the context of external cybersecurity occurrences as well as updates on the latest issues related to cybersecurity risk as needed. The company has not experienced any material cybersecurity incidents or incurred any material expenses resulting from a cybersecurity breach however, we cannot provide assurance that our business strategy, results of operations and financial condition will not be materially affected in the future by such risks or any future material incidents. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to the risk factors captioned We rely on third-party vendors for key components of our business and We collect sensitive confidential information from our customers. A breach of this confidentiality, whether due to a cybersecurity or other incident, could result in harm to our customers and damage to our brand set forth under the heading Risk Factors included in Part I, Item 1A of this Form 10-K. 20

Company Information