CARVANA CO. 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

CARVANA CO. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:11:36 EST.

Filings

10-K filed on 2026-02-18

CARVANA CO. filed a 10-K at 2026-02-18 16:11:36 EST
Accession Number: 0001690820-26-000009

Item 1C. Cybersecurity.

We consider cybersecurity protection, including protection of customer, employee, and partner information, to be a priority in the Company's business, strategy, and management. Carvana's enterprise risk management program is designed to identify, assess, prioritize, and respond to significant risks and opportunities, and incorporates processes for the identification, evaluation, and management of risks from cybersecurity threats, including those arising from third-party service providers and vendors.

While management is responsible for the day-to-day handling of our risk management program, the Board, as a whole and through its committees, oversees risk management, including cybersecurity risks. The Board has delegated certain risk management responsibilities with respect to cybersecurity to the Audit Committee, which is responsible for ensuring sufficient oversight of our cybersecurity risk exposures. The Audit Committee leads the full Board in periodic reviews of the adequacy and effectiveness of our information security program and internal controls, including quarterly and ad hoc updates of cybersecurity risks, initiatives, and key metrics. Senior leaders from our Information Security, Legal, Privacy, and Compliance teams provide the Board and Audit Committee with periodic briefings on the threat landscape, our security strategy and roadmap, and the status of risk reduction initiatives, including preparation, prevention, detection, response, and recovery activities.

Our Chief Information Security Officer ("CISO"), who has extensive cybersecurity knowledge and experience, including over 16 years in the field of information security and over eight years of experience leading enterprise security programs in financial services and technology organizations, is primarily responsible for assessing and managing cybersecurity risk.
The CISO oversees a team of dedicated information security professionals (the "Information Security Team") who focus on specialty areas such as application security, security compliance, security architecture and engineering, vulnerability management, and security operations, each with relevant experience and industry certifications in their respective areas. The Information Security Team leverages a variety of processes and controls to stay informed of and manage cybersecurity risk. It partners with a variety of business units, including our Engineering, Legal, Privacy, Compliance, Internal Audit, Technology, and Product teams to identify and control emerging risks. The Information Security and privacy teams also from time to time engage consultants and other third parties to assist in investigating and remediating security incidents, monitoring of security vulnerabilities, and performing annual internal and external penetration tests based on best practices and industry standards such as the Open Web Application Security Project (OWASP) Top Ten.

Our Information Governance Committee, whose members include representatives from the Information Security Team and key senior leaders from relevant stakeholder groups, meets quarterly to review and discuss, among other topics, the implementation and management of these cybersecurity processes. The Information Security Team additionally has adopted security control principles based on ISO 27002:2022 and partners with counterparts in our legal department to use various formalized incident management and monitoring standards and incident response plans and playbooks, which define immediate steps in the event of a cybersecurity incident, roles and responsibilities, as well as materiality criteria to allow for efficient and effective incident management. This includes a third-party vendor management procedure, under which we conduct vendor risk assessments and, when appropriate, ongoing threat monitoring.

In implementing these policies, the Information Security Team utilizes a layered approach, aided by industry leading technology, to detect, respond, and prevent cybersecurity risks and exposures. Upon hire and annually thereafter, employees are assigned Information Security and Privacy Awareness Training to provide awareness on topics such as social engineering, phishing, password requirements, ethical use of artificial intelligence, physical security, best practices for secure remote work, protecting sensitive information, and identifying and reporting potential issues. Phishing simulations are also conducted on an ongoing basis.

As of the date hereof, we have not identified any material cybersecurity incidents impacting the Company. However, future incidents, whether direct or through our third-party providers, could have a material impact on our business strategy, results of operations, or financial condition. We maintain cybersecurity insurance to mitigate the risks of a material cybersecurity incident; however, the costs may exceed our coverage and, therefore, may not be fully insured. See Part I, Item 1A - "Risk Factors" in this Annual Report on Form 10-K for a further discussion of various cybersecurity risks to the Company.


Company Information

Name: CARVANA CO.
CIK: 0001690820
SIC Description: Retail-Auto Dealers & Gasoline Stations
Ticker: CVNA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31