CarGurus, Inc. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

CarGurus, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:16:18 EST.

Filings

10-K filed on 2026-02-19

CarGurus, Inc. filed a 10-K at 2026-02-19 16:16:18 EST
Accession Number: 0001193125-26-059435


Item 1C. Cybersecurity.

We have policies, procedures, and processes for assessing, identifying, and managing cybersecurity risks, which are built into our overall information technology function and are designed to help protect our information assets and operations from internal and external cyber threats as well as secure our networks and systems. Such processes include procedural and technical safeguards, response plans, regular vulnerability and penetration tests on our systems and product applications, incident simulations, and routine review of our policies and procedures to identify risks and improve our practices. Our cybersecurity program is informed by recognized industry frameworks, including elements of the National Institute of Standards and Technology Cybersecurity Framework and ISO/IEC 27001 standards, and is considered as a part of our broader enterprise risk analysis.

Our security incident response plan is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to assess the severity of, escalate, contain, investigate, and remediate incidents as well as to comply with applicable legal obligations. We maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks, and other related breaches.

We engage certain external parties to enhance our cybersecurity processes and strategies, and we continue to adjust and refine our processes and strategies in response to assessments by such external parties, industry best practices, and the shifting threat landscape (including AI-related threats). Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, we evaluate the security and risk posture according to the perceived level of risk and in accordance with industry standard best practices. We maintain a dedicated Security Operations and Trust team that conducts security reviews of third-party service providers critical to our business, which may include due diligence assessments, security questionnaires, and reviews of third-party attestations and certifications.

The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk and provides regular updates to our Board of Directors regarding such oversight. The Audit Committee regularly meets with members of management responsible for data privacy, technology, and information security risks to discuss these risks, risk management activities, incident response plans, best practices, the effectiveness of our security measures, and other related matters. Our Chief Technology Officer and our Director of Information Security provide periodic, and at least quarterly, updates to the Audit Committee on cybersecurity risks and our risk management processes, which may include reports on identified threats, mitigation status, and applicable legal or regulatory developments. Cybersecurity matters are also formally raised to our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, and General Counsel through their attendance at Audit Committee meetings or direct communications as needed.

Our Director of Information Security leads our cybersecurity initiatives and oversees our Security Operations and Governance, Risk, and Compliance teams. This individual is primarily responsible for assessing, managing, and monitoring our cybersecurity risks and response programs and reports to our Chief Technology Officer. He has over 15 years of experience in the technology sector, including as a Chief Information Security Officer at other companies, and has deep expertise in cybersecurity, compliance, and risk assessment.

In an effort to deter and detect cyber threats, we annually provide all employees, including part-time employees, with a data protection, cybersecurity, and incident response and prevention training program, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use, and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity threats and risks and to bolster our employee-based cybersecurity programs. Despite our cybersecurity efforts, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Part I, Item 1A, Risk Factors, in this Annual Report for a discussion of cybersecurity risks.


Company Information

Name: CarGurus, Inc.
CIK: 0001494259
SIC Description: Services-Computer Processing & Data Preparation
Ticker: CARG - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 31