ARKO Corp. - (ARKO)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY.

Cybersecurity risk management is a component of our overall risk management systems and processes and we recognize the importance of evaluating, detecting, and mitigating significant risks related to cybersecurity threats, including operational risks, theft of intellectual property, fraud, injury to employees or customers, and breach of applicable laws.

Our information security program aims to manage these cybersecurity risks and threats that we can reasonably anticipate using different methods, such as third-party assessments, internal IT audits, governance oversight, and risk and compliance reviews. We use various security tools designed to help protect our information systems from cyberattacks and to address any vulnerabilities or incidents in a timely manner, and we rely in part on third-party services to identify, prioritize, assess, reduce, and remediate cybersecurity threats and incidents.

Our information security program also evaluates potential risks associated with certain third parties with whom we do business, especially our service providers that deal with sensitive employee, business, or customer data. This includes risk evaluation before choosing such vendors and periodic assessments thereafter; if a third party has a reported cybersecurity incident, we perform an assessment to find and reduce risks related to such third-party incident that may affect us.

Our systems regularly face attacks that aim to interrupt and delay our operations or obtain information from our systems. Any major disruption or nefarious access to our systems or a third party’s systems could lead to disclosure or destruction of data, including employee, customer and corporate information, which may expose us to business, regulatory, litigation and reputation risk and could negatively affect our business and results of operations. As of the date of this Annual Report on Form 10-K, we have not encountered risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial position. Refer to “Item 1A. Risk factors” in this Annual Report on Form 10-K, including “Significant disruptions of information technology systems, breaches of data security, or compromised data could materially adversely affect our business” for additional discussion about cybersecurity-related risks.

We perform various tasks designed to protect the Company from cybersecurity incidents, such as: conducting proactive cybersecurity reviews of systems and applications; performing penetration testing using external third-party tools and techniques; conducting employee training; and monitoring emerging laws and regulations related to data protection and information security. We evaluate risks from cyberattacks and technology threats and check our information systems for possible weaknesses. We use a risk quantification model created by the National Institute of Standards and Technology to find, assess and rank cybersecurity and technology risks and to create related security controls and protections. Using third-party organizations and ongoing internal assessments, we regularly review and test our information security program to enhance our security measures and planning. We also engage an external auditor to perform an annual Payment Card Industry Data Security Standard (PCI DSS) review of our security controls protecting payment information, as well as quarterly third-party penetration testing of our cardholder environment and related systems.

We follow incident response and breach management processes that principally consist of four interrelated steps to identify and assess material risks from cybersecurity threats: (1) preparing for a cybersecurity incident; (2) detecting and analyzing a cybersecurity incident; (3) containing, eliminating and recovering from the cybersecurity incident; and (4) analyzing the cybersecurity incident after it is resolved. We assess, rank and prioritize cybersecurity incidents based on their severity and impact on our operations and business. Our information security team, with assistance from our legal team, oversees cybersecurity incident response and breach management processes and commencing with the formation of the Board’s Cybersecurity Special Committee, reports to such committee.

GPM’s Senior Vice President of Information Technology (the “SVP of IT”), who has more than 30 years of technology experience, leads our information security team. We also use additional employees with relevant educational and industry experience to support our information security program.

Until November 2023, our Board had oversight responsibility for cybersecurity threats, and the SVP of IT provided cybersecurity-related information to the Board on a periodic basis. In November 2023, the Board formed a Cybersecurity Special Committee which has oversight over our management of cybersecurity threats and is charged with periodically reporting on cybersecurity matters to the Board. Currently, the Cybersecurity Special Committee consists of four independent directors. The Board’s oversight, including through the Cybersecurity Special Committee, includes receiving periodic reports from the SVP of IT and other information technology team members on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. In addition, the Cybersecurity Special Committee is now tasked with oversight of our annual cybersecurity assessment of key cybersecurity risks, which was previously overseen by the Board.

In November 2023, the Board adopted cybersecurity processes, which strengthened and formalized company-wide procedures related to identifying, managing and assessing cybersecurity threats. In the event of a cybersecurity incident which is potentially material, the SVP of IT must report such incident to the Company’s CEO, CFO, General Counsel and the chair of the Cybersecurity Special Committee, and these executives and this board member determine whether, based on materiality or potential materiality, to report the cybersecurity incident to the Cybersecurity Special Committee, which committee makes a determination as to whether such cybersecurity incident requires a public filing.