ASBURY AUTOMOTIVE GROUP INC - (ABG)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Overview
We have processes in place designed to protect our information systems, data, assets, infrastructure, and computing environments from cybersecurity threats and risks while maintaining confidentiality, integrity, and availability. Our cybersecurity risk management processes are integrated into our enterprise risk management program.
Training
We conduct regular training for cybersecurity awareness of our employees, senior executives, and certain other vendors or personnel. We also perform phishing and social engineering simulations and provide cybersecurity training for personnel with Company email and access to Company assets. We disseminate security awareness communications to certain employees to highlight emerging or urgent cybersecurity threats.
Asbury’s information and data security training programs are housed in a Learning Management System (LMS). We migrate our acquired companies into Asbury’s current LMS.
Governance
Our Chief Information Officer (“CIO”), who has over 35 years of experience in the technology field, oversees cybersecurity and data privacy and manages Asbury’s information and security procedures. Asbury also has a Director of Cybersecurity, as well as a formal team of analysts.
Our Board of Directors maintains ultimate oversight of the Company’s enterprise risk management program, which includes material cybersecurity risks. Under the oversight of the audit committee and capital allocation and risk management committee of the Company’s Board of Directors, and as directed by the Company’s Chief Executive Officer, our CIO is primarily responsible for the assessment and management of material cybersecurity risks. Our CIO oversees the Company’s cybersecurity incident response plan and related processes that are designed to assess and manage material risks from cybersecurity threats.
The CIO also coordinates with the Company’s legal counsel and third parties, such as consultants and legal advisors, to assess and manage material risks from cybersecurity threats. Our CIO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in the Company’s incident response plan and related processes.
The capital allocation and risk management committee of the Company’s Board of Directors assists the Board in the periodic review and evaluation of the Company’s risk profile and related risk management processes which identify and manage the Company’s key financial, strategic and operational risks. The audit committee of the Company’s Board of Directors oversees, among other things, the adequacy and effectiveness of the Company’s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The audit committee is informed of material risks from cybersecurity threats pursuant to the escalation criteria as set forth in the Company’s disclosure controls and procedures. Further, our CIO reports on cybersecurity matters, including material risks and threats, to the Company’s audit committee on a quarterly basis, and the audit committee provides updates to the Company’s Board of Directors at regular board meetings. In addition, the audit committee and capital allocation and risk management committee hold a joint meeting annually during which the CIO provides a comprehensive update regarding the assessment and management of material cybersecurity risks. Our CIO also provides updates as appropriate to the Company’s Board of Directors.
Risk Management
We have processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company’s overall risk management systems. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company conducts security assessments of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company from time to time engages third-party consultants, legal advisors, and audit firms in evaluating and testing the Company’s risk management systems and assessing and remediating certain potential cybersecurity incidents as appropriate.
Management
In an effort to effectively prevent, detect, and respond to cybersecurity threats, we employ a multi-layered cybersecurity risk management program supervised by our CIO, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, architecture, and processes. This responsibility includes identifying, considering, and assessing potentially material cybersecurity incidents on an ongoing basis, establishing processes designed to prevent and monitor potential cybersecurity risks, implementing mitigation and remedial measures, and maintaining our cybersecurity program. To do so, our program leverages both internal and external techniques and expertise. Internally, among other things, we may perform penetration tests, internal tests/code reviews, and simulations using cybersecurity professionals to assess vulnerabilities in our information systems and evaluate our cyber defense capabilities. Our cybersecurity capabilities, processes, and other security measures also include, without limitation:
•Service Organization Controls ("SOC")-as-a-Service (SOCaaS), wherein a third-party vendor operates and maintains a fully managed SOC on a subscription basis via the cloud;
•Security Information and Event Management (“SIEM”) software, which provides a threat detection, compliance, and security incident management system;
•Endpoint Detection and Response (“EDR”) software, which monitors for malicious activities on internal endpoints (e.g., Windows workstations, servers, Mac clients, and Linux endpoints);
•Cloud monitoring; and
•Disaster recovery and incident response plans, including a ransomware response plan.
Although we believe we have systems and processes in place to protect against risks associated with cybersecurity incidents in the future, depending on the nature of an incident, these protections may not be fully sufficient. We have experienced targeted cybersecurity incidents in the past that have resulted in unauthorized persons gaining access to certain of our information systems, and we could in the future experience similar incidents. As of the date of this Form 10-K, no cybersecurity incident or attack, or any risk from cybersecurity threat, has materially affected or has been determined to be reasonably likely to materially affect the Company, our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned. For further discussion of the risks associated with cybersecurity incidents, see “A failure of any of our information systems or those of our third-party service providers, or a data security breach with regard to personally identifiable information ("PII") about our customers or employees, could have a material adverse effect on our business, results of operations, financial condition and cash flows.” beginning on page 27 of the section entitled “Item 1A. Risk Factors” in this Form 10-K.