RumbleOn, Inc. - (RMBL)

10-K Filing Date: March 28, 2024
ITEM 1C. CYBERSECURITY.

We believe cybersecurity is a critical part of our overall risk management and key to enabling our digital operations. As a company that heavily relies on our website to buy and market powersports, we face a multitude of cybersecurity threats common to most industries, such as phishing/malware, ransomware and denial-of-service, as well as threats common to retailers, such as theft of customer and employee data. Our customers, suppliers, and subcontractors face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats necessitate an appropriate focus on cybersecurity.

The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Senior Director of Information Security, regularly briefs the Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. The full Board retains oversight of cybersecurity because of its importance to RumbleOn. We are finalizing our IT Risk Management Program that will outline the steps to be followed in the event of an incident, from incident detection to mitigation, recovery, and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate.

Our corporate information security team is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current Senior Director of Information Security has extensive information technology and program management experience. The corporate information security organization manages an enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Central to this effort will be a technical solution that we are implementing to provide near-real-time monitoring of our data and enterprise computing networks. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses and they are immersed in a corporate culture supportive of security, which we believe improves our cybersecurity.

Assessing, identifying, monitoring, and managing cybersecurity-related risks are being included in our overall risk management processes. Cybersecurity-related risks are included in the population of risks that are evaluated to assess top risks to the Company on an annual basis. To the extent a heightened cybersecurity-related risk is identified, risk owners will be assigned to develop risk mitigation plans, which are then tracked to completion. The annual risk assessment will be presented to the Board of Directors.

We rely heavily on third parties to deliver our products and services to our customers, and a cybersecurity incident at a key supplier or subcontractor could materially adversely impact us. We include security and privacy addenda to our contracts where applicable. In addition, any subcontractors connecting to our network are instructed to report cybersecurity incidents to us so that we can assess the impact of the incident on us.

Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While RumbleOn maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. No previous cybersecurity incidents have materially affected us, including our business strategy, results of operations or financial condition. Future cybersecurity threats or incidents may materially affect our business strategy, results of operations or financial condition.