Cars.com Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Cars.com Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:06:04 EST.

Filings

10-K filed on 2026-02-26

Cars.com Inc. filed a 10-K at 2026-02-26 16:06:04 EST
Accession Number: 0001193125-26-076546

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity . Risk Management and Strategy. The cybersecurity program is part of our enterprise risk management program. We believe cybersecurity risk management is of the utmost importance. As a result, we have implemented an information security management system (the "ISMS") designed to protect our infrastructure from potential threats and to allow us to assess, identify and manage material risks from cybersecurity threats as described in more detail below. The ISMS supports the security safeguards that are designed to protect the confidentiality, integrity, availability and contractual compliance of the Company, which includes the solutions and brands related to AccuTrade, Cars.com Marketplace, Cars Commerce Media Network, CreditIQ, D2C Media, Dealer Club and Dealer Inspire. In addition we engage with third parties to contribute and provide independent evaluation of our existing cybersecurity practices. Protect. Our employees receive annual security awareness training to understand the behaviors and technical requirements necessary to protect information. We also conduct annual phishing awareness exercises to educate employees to recognize and report suspicious activity. Assess. In addition to in-house assessments, we engage with security and technology vendors to assess our information security and cybersecurity program and test our technical capabilities, including conducting penetration testing. We conduct risk assessments and audits to identify new risks and include any newly identified risks in remediation planning, as w ell as to confirm that previously identified risks have been remediated. Identify. We use several methods to identify cybersecu rity threats and incidents, i ncluding, but not limited to, security alert tools, log monitoring by systems engineers working on operational incidents that are later determined to be security incidents, or suspicious activity reported directly by employees. We have developed security incident response procedures to (1) assess cybersecurity incidents, (2) identify and implement containment measures, (3) preserve evidence, (4) log response activities and (5) determine corrective actions to prevent similar incidents. Respond and Manage. When detected, suspected cybersecurity threats or incidents are escalated to the Information Security Team (as described below) in various ways based on the nature of the cybersecurity incident, including but not limited to system engineer escalation, our helpdesk and in-house and third-party security tools. Our employees are also responsible for reporting any suspected cybersecurity or information security event that they observe or experience as soon as possible, by either contacting the Company's helpdesk, or the Information Security Team directly. The Information Security Team then creates a Security Incident Response Team ("SIRT") which, depending on the incident, is comprised of cybersecurity staff, Systems and Network Engineers, the Chief Technology Officer and the Chief Legal Officer, or other stakeholders as appropriate. The SIRT investigates and manages the impact of cybersecurity incidents in accordance with the cybersecurity incident response procedures. 19 Report. Following the conclusion of a cybersecurity investigation, the SIRT prepares a report for the Information Security Governance Committee, as appropriate. The report includes information about the incident and, details about the response and includes recommendations to prevent similar cybersecurity events from occurring in the future. Additionally, the Information Security Team provides the Audit Committee and the Board with regular updates on cybersecurity matters, including recent cybersecurity threats and incidents and ongoing efforts to prevent, detect and respond to internal and external cybersecurity threats. As of the date of this Report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. However, there can be no assurance that our cybersecurity prevention and mitigation efforts have been or will continue to prevent possible cybersecurity threats or whether a cybersecurity threat could have a material adverse effect on our business strategy, results of operations or financial condition. See "Risks Related to Technology" in "Risk Factors" of this Report. Third-Party Service Providers. We manage third-party service provider cybersecurity risks through contract management, evaluation of applicable security control assessments and third-party risk assessment processes. Governance. The Board of Directors provides strategic guidance regarding our overall risk oversight, including identification, assessment, managem ent and mitigation of risk. The Board has delegated direct cybersecurity and information security risk oversight to the Audit Committee. Our management provides the Audit Committee with regular updates at least quarterly regarding the effectiveness of our overall cybersecurity program and other cybersecurity related matters, which may include, our inherent cybersecurity risks, updates on recent cybersecurity threats and incidents, policies and practices, industry trends, regulatory developments, threat environment and vulnerability assessments and specific and ongoing efforts to prevent, detect and respond to internal and external cybersecurity threats. The Chair of the Audit Committee informs the Board of the outcome of these meetings through updates presented to the Board at regularly scheduled Board meetings. Our Chief Technology Officer and Senior Vice President of Information Security manage our Information Security function and team . Our Chief Technology Officer has served in this role since 2025. Prior to joining the Company, he served as Chief Technology Officer of Envoy and previously held the same role at OpenTable and oversaw security in both of these roles. Our Senior Vice President of Information Security has served in this role since 2024. Prior to joining the Company, he served as Chief Information Security Officer at Boomi and previously held the same role at Ancestry.com. The Information Security Team is composed of skilled professionals with relevant information and cybersecurity education, certifications and experience. The Information Security Team coordinates with the Information Security Governance Committee, comprised of senior business leaders who support our Information Security Management System based on their area of expertise. Our Information Security Team, in conjunction with the Information Security Governance Committee, assesses and manages material risks from cybersecurity threats and provides management direction and support for information security.

Company Information