CARVANA CO. - (CVNA)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY.
We consider cybersecurity protection, including protection of sensitive customer, employee, and partner information, to be a priority in the Company’s business, strategy, and management. Carvana's enterprise risk management program, which is designed to identify, evaluate, and respond to our high priority risks and opportunities, integrates assessment, review, identification and management of cybersecurity risks.
The Audit Committee is responsible for ensuring sufficient oversight of our cybersecurity risk exposures and leads the full Board in periodic reviews of the adequacy and effectiveness of our information security program and internal controls, including quarterly and ad hoc updates of cybersecurity risks, initiatives, and key metrics. Senior leaders from our Information Security, Legal and Compliance teams provide the Board and Audit Committee with periodic briefings of our current risks and security strategy, as well as future plans with regard to cybersecurity posture, preparation, prevention, and incident response.
Our Chief Information Security Officer ("CISO"), who has extensive cybersecurity knowledge and experience, with over ten years in the field of information security, is primarily responsible for assessing and managing cybersecurity risk. The CISO oversees a team of dedicated information security professionals (the “Information Security Team”) who focus on specialty areas such as application security, security compliance, security architecture and engineering, vulnerability management, and security operations, each with relevant experience and industry certifications in their respective areas.
The Information Security Team leverages a variety of processes and controls to stay informed of and manage cybersecurity risk. It partners with a variety of business units, including our engineering, legal, compliance, internal audit, technology, and product teams, to identify and control emerging risks. We also from time to time engage third parties to assist in investigating and remediating security incidents, monitoring security vulnerabilities, and performing risk assessments based on industry standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our Information Governance Committee, whose members include representatives from the Information Security Team and key senior leaders from relevant stakeholder groups, meets quarterly to review and discuss, among other topics, the implementation and management of these cybersecurity processes. The Information Security Team additionally has adopted security control principles based on ISO 27002:2022 and uses various formalized incident management and monitoring standards and incident response plans and playbooks, which define immediate steps in the event of a cybersecurity incident, roles and responsibilities, as well as materiality criteria to allow for efficient and effective incident management. This includes a third-party vendor management procedure, under which we conduct vendor risk assessments and, when appropriate, ongoing threat monitoring. In implementing these policies, the Information Security Team utilizes a layered approach, aided by industry-leading technology, to detect, respond to, and prevent cybersecurity risks and exposures.
As of the date hereof, we have not experienced any material cybersecurity incidents. However, future incidents, whether direct or through our third-party providers, could have a material impact on our business strategy, results of operations, or financial condition. The Company maintains cybersecurity insurance to mitigate the risks of a material cybersecurity incident; however, the costs may exceed our coverage and, therefore, may not be fully insured. See Part I, Item 1A - “Risk Factors” in this Annual Report on Form 10-K for a further discussion of various cybersecurity risks to the Company.