General Motors Co 10-K Cybersecurity GRC - 2025-01-28

Page last updated on January 28, 2025

General Motors Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-28 15:40:05 EST.

Filings

10-K filed on 2025-01-28

General Motors Co filed a 10-K at 2025-01-28 15:40:05 EST
Accession Number: 0001467858-25-000032


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats. We have implemented cybersecurity policies, procedures, technologies and controls to aid in our efforts to access, identify and manage such risks. Material risks from cybersecurity threats are managed across GM, GM Financial, Cruise, service providers such as data processors, third-party suppliers, dealers and vendors, and monitoring such risks and threats are integrated into the Company’s overall risk management program.

GM has a Cybersecurity Management Board that brings together representatives from senior management across the Company’s Software & Services, Product Development, Information Technology, Manufacturing, Finance, Communications, Human Resources, Legal and Public Policy organizations to provide guidance and monitor overall company cybersecurity risk. The Company’s cybersecurity maturity scorecard, cybersecurity threats and incident information are reviewed by the Company’s Chief Information Security Officer (CISO), the Risk and Cybersecurity Committee of the Company’s Board of Directors and the Cybersecurity Management Board during standing meetings as well as in impromptu sessions, when appropriate. During the reviews, various topics are discussed, which may include:

- implementation and maturity of the Company’s cybersecurity program, risk management framework, including cybersecurity risk policies, procedures and governance;
- cybersecurity and privacy risk, including potential impact to the Company’s employees, customers, supply chain, joint ventures and other stakeholders;
- intelligence briefings on notable cyber events impacting the industry; and
- cybersecurity budget and resource allocation, including industry benchmarking and economic modeling of various potential cybersecurity events.
The Company maintains administrative, physical, technical and organizational safeguards, including employee training, incident response capability reviews and exercises, cybersecurity insurance and business continuity mechanisms for the protection of the Company’s assets. From time to time, the Company’s processes are audited and validated by internal and external experts. The Company leverages a third-party cybersecurity program with the goal of minimizing disruption to the Company’s business and production operations, strengthening supply chain resilience in response to cyber-related events and supporting the integrity of components and systems used in its products and services.

When cybersecurity incidents occur, the GM Cybersecurity team’s focus is on responding to and containing the threat and minimizing impact. When we become aware of a cybersecurity incident, we have defined policies and procedures to respond to and recover from such incident as quickly as possible. In the event of a cybersecurity incident, the Cybersecurity team also assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with support from external technical, legal and law enforcement, as appropriate. Our policies and procedures are reviewed periodically for alignment with regulatory requirements and the threat landscape. In the last three fiscal years, the Company has not experienced any material cybersecurity incidents and expenses incurred from cybersecurity incidents were immaterial (including penalties and settlements, of which there were none).
For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or, if realized, are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A. Risk Factors - “Risks related to our intellectual property, cybersecurity, information technology and data management practices”, which are incorporated by reference into this Item 1C.

Governance

The GM Board of Directors is responsible for overseeing the Company’s enterprise risk, and has established its Risk and Cybersecurity Committee with specific responsibility for overseeing our cybersecurity program, among other things. The Company’s cybersecurity organization is led by the CISO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to the Risk and Cybersecurity Committee. The CISO has served in this role since December 2024 and has more than 20 years of experience in various information technology, cybersecurity and software engineering roles. The CISO’s experience includes building and leading cybersecurity functions at large enterprises, startups, and research and development centers, as well as leading software engineering teams responsible for building and operating large-scale software services. The CISO also has expertise in building and designing secure software, scalable and resilient systems, incident response practices, privacy programs and other critical security disciplines and practice areas. The CISO holds a master’s degree in information security policy and management, has taught information security courses at the graduate level, is an inventor on cybersecurity-related patents and has been a speaker at leading cybersecurity conferences.
The CISO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company’s incident response plans, which include escalation to the Risk and Cybersecurity Committee, as appropriate, and simulated exercises. * * * * * * *


Company Information

Name: General Motors Co
CIK: 0001467858
SIC Description: Motor Vehicles & Passenger Car Bodies
Ticker: GM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30