ADVANCE AUTO PARTS INC - (AAP)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity.
We have processes in place for assessing, identifying and managing significant risks from potential cyber threats and vulnerabilities. To protect our information systems from cyber threats, we use a wide variety of tools, controls, technologies, methods, systems and other processes that are designed to prevent, detect, escalate, investigate, mitigate and/or remediate data loss, theft, misuse, unauthorized access or other security incidents or vulnerabilities affecting information systems and data.
Our Senior Vice President, Chief Information Security Officer (“CISO”) and Senior Vice President, Internal Audit and Risk, who oversees our enterprise risk management (“ERM”) framework, partner on the definition and treatment of cyber risks. Cybersecurity is a component of our ERM framework and processes. We utilize a wide range of capabilities to help us identify and assess potential cyber threats and vulnerabilities, which feed into our development and regular updating of a risk treatment plan to help us manage our cybersecurity risk posture. We evaluate risks on an ongoing basis across several categories in terms of the likelihood and magnitude of potential impact, using evaluation results to inform our areas of focus and prioritization.
We evaluate risks associated with use of third-party providers through a lifecycle-based approach, conducting risk-based due diligence before engagement, using contractual provisions to apportion risk, and for certain third-party providers, engaging in architectural review and validation at the beginning of engagement. We use third parties to assist with penetration testing, simulated attacks and survey and other threat intelligence reporting on third parties, as well as review and enhancement of associated response processes.
Our cyber risk treatment plan is reviewed on a bimonthly cadence with a cross-functional Cyber Steering Committee, the managerial governing body that regularly reviews our top cyber risks and receives reports on progress on key cyber initiatives. Our CISO leads the Cyber Steering Committee, which also includes individuals with experience identifying and managing enterprise risks, including our President and Chief Executive Officer; Executive Vice President, Chief Financial Officer; Executive Vice President, General Counsel and Corporate Secretary; and Senior Vice President, Internal Audit, as well as individuals with technical expertise in information technology, data and cyber matters and/or experience in managing cyber incident responses, including our Executive Vice President, Chief Technology Officer; Senior Vice President, Information Technology Operations; and Senior Vice President, Deputy General Counsel and Chief Compliance Officer. Our CISO has over 15 years of Chief Information Security Officer experience leading security strategy and execution for large companies. He holds a Certificate in Secure Software and Information Engineering from Pace University and is a Certified Information Systems Security Professional.
The Internal Audit function assesses cybersecurity risks and audits components of cybersecurity on an annual basis. At least every three years, we use an external party to evaluate the maturity of our program against the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.
The Audit Committee of our Board of Directors is charged with reviewing, discussing with management and overseeing the Company’s information technology and cybersecurity risk. Our CISO and Senior Vice President, Internal Audit and Risk report regularly to the Audit Committee, and at least annually, to the full Board of Directors on cybersecurity risks and management thereof.