O REILLY AUTOMOTIVE INC - (ORLY)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

We execute a comprehensive approach to cybersecurity risk management, helping ensure the data customers and other stakeholders entrust to us remains safe and secure. Our board of directors (the “Board”), Compliance Committee, and Information Security Program leaders are actively involved in the oversight of our cybersecurity risk management program. As described in more detail below, we have established standards, policies, practices, and processes focused on identifying, assessing, managing, mitigating, and responding to material risks from cybersecurity threats. To date, the Company is not aware of any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategies, results of operations, financial condition, or cash flows. However, while we have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure, we cannot provide absolute assurance that any potential future cybersecurity threats or incidents will not materially affect us or our business strategies, results of operations, financial condition, or cash flows. For further discussion on cybersecurity related risks, see the “Risk Factors” section of Item 1A of this annual report on Form 10-K.

RISK MANAGEMENT AND STRATEGY

We execute a holistic approach to our standards, policies, practices, and processes for identifying, assessing, managing, mitigating, and responding to material risks from cybersecurity threats, all of which are integrated into our overall risk management program. Our cybersecurity program is informed by industry-wide recognized standards, such as The National Institute of Standards and Technology (NIST) Cybersecurity Framework.

We have implemented best practices and established numerous programs and controls to reduce cybersecurity risk. Our Information Security Program includes physical, administrative, and technical safeguards. Some key components of the Information Security Program include:

Security awareness training for Team Members.
A dedicated security operations team to monitor, analyze, and respond to security threats.
Security governance to manage and maintain security processes.
Intrusion detection and prevention systems.
A vulnerability management program to identify and remediate security liabilities.
A configuration management program to harden systems based on industry standards.
Industry-leading email security, endpoint detection, and response platforms.
Threat intelligence from multiple resources to identify and anticipate emerging threats.
Network and web application firewalls.
Multi-factor authentication.
Network segmentation to isolate and safeguard critical systems and sensitive data.

On an ongoing basis we conduct cybersecurity risk assessments, including compiling, reviewing, and acting on information garnered from internal stakeholders, known security vulnerabilities, and data from external sources. The results of these assessments are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.

We routinely assess our systems and processes for modifications needed in advance of evolving state privacy regulations and other applicable industry standards, and we regularly update our privacy and information security policies to remain current with industry-leading practices. We are continually adapting to the ever-changing cyber risk landscape and have a dedicated team of information security professionals committed to maintaining the highest levels of systems and data security. The Company conducts assessments, including penetration tests, and has engaged external information security firms to conduct such assessments, to continually improve and validate our security controls. We continue to expand and grow our security team and their skillsets and make regular enhancements to our Information Security Program.

In addition, we engage with our third-party business partners to enforce our internal cybersecurity practices. We rely on all third-party business partners to maintain appropriate security programs; however, we cannot ensure in all circumstances that their efforts will be successful. We assess third-party cybersecurity controls through a detailed cybersecurity assessment and review and include security and privacy addendums to our contracts, where applicable. We also require that our third parties report material cybersecurity incidents to us, allowing us the ability to assess the impact of any reported incident on our operations.

Additionally, we developed a business continuity and disaster recovery program to help minimize the impact from certain types of cybersecurity risks. The Company’s incident response plans include emergency response, systems recovery, and other plans that would be enacted in the event of certain types of cybersecurity attacks. Our business continuity and disaster recovery plans are updated regularly and tested each year or as needed.

GOVERNANCE

Board Oversight

Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. The Board receives regular reports from management about the prevention, detection, assessment, mitigation, and remediation of cybersecurity risks and incidents, including analysis of material security risks or information security vulnerabilities. Our Audit Committee directly oversees our Information Security Program. The Audit Committee is composed of Board members with diverse expertise, including risk management, technology, and finance experience, which provides them with the necessary qualifications to effectively oversee cybersecurity risks. The Audit Committee receives on a quarterly basis, or as needed, comprehensive updates from management on cybersecurity risks, including risk assessments, cybersecurity maturity assessments, progress of risk reduction initiatives, enhancements to cybersecurity programs and initiatives, business continuity planning, PCI compliance, any relevant internal or industry cybersecurity incidents, and compliance with regulatory requirements and industry standards, as applicable.

Management’s Role

A cross-functional Compliance Committee composed of O’Reilly executive and senior leadership, including our Chief Information Officer (“CIO”), has responsibility for assessing and managing material cybersecurity risks and oversees our enterprise security, privacy, and risk priorities, including ensuring alignment on security decisions across the Company. The Compliance Committee meets quarterly, or as needed, to review security performance metrics, identify security risks, assess the status of approved security enhancements, and discuss future changes necessary to execute best practices, among other items. The Compliance Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies to senior management. We have an established escalation process to help ensure senior management and the Board are informed in a timely manner of any potential cybersecurity issues or incidents. Our comprehensive monitoring, analysis, response, and communication protocols are designed to ensure the highest level of management is informed of cybersecurity risks and that the Board has comprehensive oversight and the information necessary to provide guidance on critical cybersecurity issues.

Our Compliance Committee members have decades of business and leadership experience managing risk, including cybersecurity risks, which collectively enable them to effectively oversee comprehensive cybersecurity risks. Our CIO has served in various roles in information technology for more than 30 years, including serving as a chief information officer for a technology company, and has a degree in information management systems. Information Security Program leaders and Team Members who support our Information Security Program have relevant educational and technical certifications, such as Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP), and applicable industry experience, including cybersecurity threat assessment and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats, and regulatory compliance. For further details about our CIO’s background, see the “Information About Our Executive Officers” section of Item 1 of this annual report on Form 10-K.