LITHIA MOTORS INC 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

LITHIA MOTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:32:24 EST.

Company Summary

Lithia Motors is an automotive dealership network headquartered in Medford, Oregon.

Filings

10-K filed on 2026-02-25

LITHIA MOTORS INC filed a 10-K at 2026-02-25 16:32:24 EST
Accession Number: 0001023128-26-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Assessing, identifying, and managing material risks from cybersecurity threats We are committed to maintaining cybersecurity practices designed to safeguard our information assets and ensure the confidentiality, integrity, and availability of our operations. We employ a comprehensive risk-based approach to assess, identify, and manage risks arising from cybersecurity threats that could reasonably be expected to materially affect our business, financial condition, results of operations, or reputation. The identification and oversight of material cybersecurity risks is integrated into our enterprise risk management (ERM) program and included in ongoing ERM Committee and Board meetings and reporting. 20 We complete regular cybersecurity risk assessments to identify potential vulnerabilities and threats, analyzing our infrastructure, systems, and data. Assessments are conducted both internally and by third parties and consider internal and external factors, technological changes, regulatory requirements, and emerging cyber threats. Our cybersecurity program is informed by widely recognized standards for managing cybersecurity risk, including the National Institute of Standards and Technology Cybersecurity Framework, Center for Internet Security Controls and U.K. Cyber Essentials. We use threat detection and monitoring tools and technologies to identify potential cybersecurity risks. This includes continuous monitoring, mechanisms designed to detect unusual or anomalous activity, to promptly identify any unusual activities or security breaches. Threat intelligence sharing with industry partners helps us stay informed about the latest cybersecurity threats. We assess cybersecurity risks for their potential impact on our operations, data, financial condition, and reputation. Risks are prioritized based on their severity and likelihood of occurrence before implementing appropriate controls, safeguards, and mitigation measures designed to manage and reduce those risks to acceptable levels. We have developed a documented information security incident response plan that outlines procedures to be followed in the event of a cybersecurity incident. The plan is periodically tested through tabletop exercises and simulations with incident response team members and includes processes for identification, categorization, escalation and reporting of incidents and remediation, as appropriate. Team members are regularly trained on key cybersecurity subjects to ensure awareness. While no company can or will be completely immune from cybersecurity threats, especially as they relate to vendors and government agencies that we rely on, we know of no cybersecurity incident that has or is reasonably likely to materially affect us, our business strategy, or our results of operations, or financial condition. Board of Directors Cybersecurity Oversight Our Board oversees our cybersecurity and data protection strategy and has designated a director to lead its cybersecurity efforts. Our Board is briefed on our cybersecurity posture, current and future risks and potential incidents or vulnerabilities on a quarterly basis. Board members and executives participate in engagements on cybersecurity, such as simulated cyber incident response and crisis management exercises. Our Board also receives and reviews third-party cybersecurity assessments at least annually, which include assessments of our cyber maturity and cyber risk. Management's Assessment and Response to Material Risks from Cybersecurity Threats Our information security team and its leadership have primary responsibility for assessing and managing cybersecurity risks, within the scope of the overall ERM Committee. Our Senior Director of Information Security is responsible for identifying, assessing, and managing risks from cybersecurity threats. The Senior Director of Information Security manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security management team, through internal cyber risk management processes. The Senior Director of Information Security reports to the Chief Innovation and Technology Officer (CITO) and provides frequent, up-to-date reporting on cyber risk to our ERM Committee, a cross functional executive-level steering group, which includes the CITO. The ERM Committee meets on a quarterly basis or as necessary to assess and respond to enterprise risks, including cybersecurity, and reports updates to the Board. Management has authority to escalate significant cybersecurity matters to the Board as appropriate. The Senior Director of Information Security has over 10 years of experience in senior level information security roles, has over 20 years' experience in Fortune 500 enterprise IT roles, and holds Associate and Bachelor Degrees and the Certified Information Security Manager (CISM) Professional certification. The members of our information security management team have extensive experience in technology and security roles, possessing cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional (CCNP) and Global Certified Incident Handler (GCIH). 21

Company Information