Cars.com Inc. - (CARS)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy. The cybersecurity program at Cars Commerce is part of our enterprise risk management program. At Cars Commerce, we believe cybersecurity risk management is of the utmost importance. As a result, Cars Commerce has implemented an information security management system (the “ISMS”) designed to protect our infrastructure from potential threats and to allow us to assess, identify and manage material risks from cybersecurity threats, as described in more detail below. The ISMS supports the security safeguards that are designed to protect the confidentiality, integrity, availability, and contractual compliance of the Cars.com Inc. (d/b/a Cars Commerce, Inc.) entities, which include Cars.com LLC, Accu-Trade, LLC, CreditIQ, LLC, DealerRater.com LLC and Dealer Inspire Inc., which is inclusive of the In-Market Video and NewCars brands. In addition, we engage with external resources to contribute to, and provide independent evaluation of, our existing cybersecurity practices. As a result, in 2023, Cars Commerce engaged an independent auditor to conduct an audit of the ISMS. As a result of the independent audit, in December 2023, Cars Commerce completed the certification to meet International Organization for Standardization 27001 requirements for the above-stated entities. In October 2023, Cars Commerce, through its subsidiary, completed the acquisition of D2C Media Inc. ("D2C Media"). During the due diligence, Cars Commerce completed a robust evaluation of its cybersecurity risk management process and plans to integrate D2C Media into the ISO Certification Process.

Protect. Our employees are the first line of defense against cybersecurity incidents. As such, employees receive annual security awareness training to understand the behaviors and technical requirements necessary to protect information. We also conduct periodic phishing awareness exercises to educate employees to recognize and report suspicious activity. We also use a combination of tools and in-house technologies to protect Cars Commerce, our employees and our customers, including but not limited to using only SOC 2 compliant hosting providers, anti-malware software, intrusion prevention systems, network and web application firewalls, multi-factor authentication, encryption, and remote access via virtual private network (“VPN”) software.

Assess. In addition to in-house assessments, we engage with security and technology vendors to assess our information security and cybersecurity program and test our technical capabilities, including conducting penetration testing. We conduct risk assessments and audits to identify new risks and include any newly identified risks in remediation planning, as well as confirming that previously identified risks have been remediated. Identified risks are included in a central risk register and assigned an overall risk score. Risk levels are assigned based on a number of factors, including the nature of the risk and likelihood of exploitation. Lastly, we create remediation plans to bring unacceptable risks to an acceptable level.

Identify. We use several methods to identify cybersecurity events, including, but not limited to, security alert tools, log monitoring by systems engineers working on operational incidents that are later determined to be security incidents, or suspicious activity reported directly by employees. Cars Commerce has developed security incident response procedures to (1) assess cybersecurity incidents, (2) identify and implement containment measures, (3) preserve evidence, (4) log response activities and (5) determine corrective actions to prevent similar incidents.

Respond and Manage. When detected, suspected cybersecurity threats are escalated to the Information Security Team (as described below) in various ways based on the nature of the cybersecurity incident, including but not limited to system engineer escalation, the Cars Commerce helpdesk and in-house and third-party security tools. Cars Commerce employees are also responsible for reporting any suspected cybersecurity or information security event that they observe or experience as soon as possible, by either contacting the Cars Commerce helpdesk or the Information Security Team directly. The Information Security Team then creates a Security Incident Response Team (“SIRT”) which, depending on the incident, comprises the cybersecurity staff, Systems and Network Engineers, the Chief Technology Officer and the Chief Legal Officer, or other stakeholders as appropriate. The SIRT investigates and manages the impact of cybersecurity incidents in accordance with the security incident response procedures.

Report. Following the conclusion of a security investigation, the SIRT prepares a report for the Information Security Governance Committee, as appropriate. The report includes information about the incident, details about the response and recommendations to prevent similar security events from occurring in the future. Additionally, the Information Security Team provides the Audit Committee and the Board with regular updates on cybersecurity matters, including recent cybersecurity threats and incidents and ongoing efforts to prevent, detect and respond to internal and external cybersecurity threats.

As of the date of this Report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, Cars Commerce, including our business strategy, results of operations or financial condition. However, there can be no assurance that our cybersecurity prevention and mitigation efforts have been or will continue to prevent possible cybersecurity threats or whether a cybersecurity threat could have a material adverse effect on our business strategy, results of operations or financial condition. See “Risks Related to Technology” in “Risk Factors” of this Report.

In July 2023, the SEC adopted rules requiring the disclosure of material cybersecurity incidents. To ensure compliance with the SEC requirement, Cars Commerce has a review process to determine whether the impact of a cybersecurity threat is material and requires disclosure of the cybersecurity incident. In compliance with the SEC rule and Cars Commerce’s process, if such a cybersecurity incident occurs and the appropriate representatives from the Information Security Governance Committee determine that the cybersecurity incident is material, Cars Commerce will make the appropriate disclosures in a Current Report on Form 8-K within the required timeframe.

Governance. The Board of Directors provides strategic guidance regarding Cars Commerce’s overall risk oversight, including identification, management and mitigation of risk. The Board has delegated direct cybersecurity and information security risk oversight to the Audit Committee. Cars Commerce management provides the Audit Committee with regular updates, at least quarterly, regarding the effectiveness of Cars Commerce’s overall cybersecurity program and other cybersecurity-related matters, which may include Cars Commerce’s inherent cybersecurity risks, updates on recent cybersecurity threats and incidents, policies and practices, industry trends, regulatory developments, threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect and respond to internal and external cybersecurity threats. The Chair of the Audit Committee informs the Board of the outcome of these meetings through updates presented to the Board at regularly scheduled Board meetings.

At the management level, our CEO provides general management, oversight and mitigation of Cars Commerce’s risk. The Chief Legal Officer and the Chief Technology Officer are the key executives responsible for managing Cars Commerce’s Information Security function and ensuring that Cars Commerce’s information security processes comply with applicable laws, SEC requirements and contractual obligations, respectively. Cars Commerce’s Information Security Team, in conjunction with the Information Security Governance Committee, is responsible for assessing and managing material risks from cybersecurity threats and providing management direction and support for information security. The Information Security Team is composed of skilled professionals with relevant information and cybersecurity education, certifications and experience. The Information Security Team coordinates the Cars Commerce Information Security Governance Committee, composed of senior business leaders who support Cars Commerce’s Information Security Management System based on their area of expertise. Working together, the teams initiate and control the implementation and operation of information security within Cars Commerce.