10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company has implemented policies and procedures that are intended to manage and reduce cybersecurity risks. Material risks from cybersecurity threats are managed across HDMC, HDFS, LiveWire and third-party suppliers and vendors. Cybersecurity risks and threats are monitored by the Company's Corporate Information Security Office and routinely discussed with senior management across the Company. Cybersecurity risks are identified and assessed through third-party assessments, IT security assessments, audits conducted by Internal Audit and risk and compliance reviews. Additionally, as part of the Company’s cybersecurity risk management process, tabletop exercises are conducted at the technical and management levels. During these tabletop exercises, cybersecurity incidents are simulated to help ensure the Company is prepared in the event of a cybersecurity incident and to identify areas of improvement for the cybersecurity program.
The Company takes measures to regularly update and continuously improve its cybersecurity program, including conducting independent program assessments, performing penetration testing and scanning the Company’s systems for vulnerabilities using external third-party tools and techniques to test security controls, auditing applicable data policies and monitoring emerging laws and regulations related to information security. The Company also periodically engages third-party consultants to assist in assessing and enhancing its cybersecurity program. The Company has implemented risk-based controls to protect its information, customer information, third-party information, its information systems and its business operations. The Company follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework and has adopted security-control principles based on NIST, other industry-recognized standards and contractual requirements, as required.
With respect to third parties, the Company's cybersecurity program includes a cybersecurity supply chain risk management component aimed at identifying and mitigating risks from vendors, suppliers and other third parties. The supply chain risk management program is integrated into the Company’s procurement workflow and includes conducting due diligence on select suppliers, vendors and other third parties. The cybersecurity risks of the vendor, supplier or other third party are evaluated by the Corporate Information Security Office when assessing the engagement and determining the appropriate oversight of the vendor, supplier or other third party. The Company also contractually requires suppliers, vendors and other third parties with access to its information technology systems, sensitive business data or personal information to implement and maintain appropriate security controls, and contractually restricts their ability to use the Company’s data, including personal information, for purposes other than to provide services to the Company, except as required by law. To oversee the risks associated with these service providers, the Company works with suppliers, vendors and other third parties to help ensure that their cybersecurity protocols are appropriate to the risk presented by their access to or use of the Company’s systems and/or data, including notification and coordination concerning incidents occurring on third-party systems that may affect the Company.
The Company's cybersecurity program also includes a cybersecurity training component. All employees are required to complete annual cybersecurity training focused on helping the workforce recognize cyber threats and scams, avoid falling victim to threats and scams, and report potential threats and scams. In addition, periodic cybersecurity awareness messages are posted on the Company portal.
While the Company has experienced, and may in the future experience, cybersecurity incidents, prior incidents have not materially affected the Company’s business, results of operations or financial condition. Although the Company has invested in the protection of its data and information technology and monitors its systems on an ongoing basis, there can be no assurance that such efforts will in the future prevent material compromises to Company information technology systems that could have a material adverse effect on the Company’s business. For additional information, refer to “A significant cybersecurity incident or data privacy breach may adversely affect the Company’s reputation, revenue and earnings,” in Item 1A. Risk Factors.
The Audit and Finance Committee, which consists entirely of independent directors, has oversight responsibility on behalf of the Board of Directors for enterprise risk and enterprise risk management systems for the Company, including cybersecurity risks. The Committee reports on its activities related to risk oversight to the full Board after each meeting. The Audit and Finance Committee is actively involved in reviewing the Company’s information security and technology risks and opportunities, including cybersecurity, and discusses these topics on a regular basis. The Audit and Finance Committee also receives updates on a quarterly basis from senior management, including the Chief Information Security Officer (CISO), regarding cybersecurity matters. These updates include cybersecurity risks, mitigation and status of cybersecurity risks, cybersecurity incidents (if any), cybersecurity initiatives and cybersecurity industry news and trends. In the event of a potentially material cybersecurity event, the Presiding Director and the Chair of the Audit and Finance Committee will be notified and briefed. If appropriate, the Audit and Finance Committee and/or the full Board of Directors would hold a meeting or meetings to discuss and be briefed on the event.
The Company’s cybersecurity program is led by the CISO who is responsible for assessing and managing the Company’s information security and technology risks, including cybersecurity. On December 15, 2023, the CISO announced his retirement from the Company, and since that time, our Chief Digital and Operations Officer is serving as our acting CISO, executing all of the responsibilities of the CISO, while the Company conducts a search to fill the position. The Company's Chief Digital and Operations Officer has extensive experience in leading information systems management, strategy and operational execution, including information security and incident management, prevention and response.
At the management level, the Company has established an incident review committee consisting of senior executives including the Chief Legal Officer, Chief Financial Officer, Chief Accounting Officer, Vice President of Communications and Corporate Relations, Chief Digital and Operations Officer, Director of Internal Audit and Deputy General Counsel, that meets regularly with the CISO to ensure identified issues are addressed expeditiously and reported to the appropriate regulatory agencies as required. In addition, the CISO escalates issues determined to be significant to the Chief Legal Officer in accordance with the Company's incident response processes.