SONIC AUTOMOTIVE INC - (SAH)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (the “NIST”) Cybersecurity Framework.
We leverage technology for our business advantage and have invested in internal and external business applications. Our regular operations involve handling sensitive data, including proprietary business information, intellectual property, and personally identifiable information of our customers, suppliers, and employees. To ensure the safety of this data, the Vice President of Information Security provides oversight and establishes central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Any risks from cybersecurity threats to our products and services are communicated to our general counsel and senior management and, if deemed material, are further reviewed by the Audit Committee of our Board of Directors. We also periodically engage third-party consultants to help us assess, enhance, implement and monitor our cybersecurity risk management programs and respond to any incidents.
We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See “General Risk Factors” in “Item 1A. Risk Factors” of this Annual Report on Form 10-K.
Governance
Our Board of Directors is responsible for overseeing enterprise risk and has delegated the responsibility for the oversight of cybersecurity and information technology risks, and the Company's preparedness for these risks, to the Audit Committee. Our Vice President of Information Security provides periodic updates to the Audit Committee in order to assist the Audit Committee in understanding the implications of cybersecurity risks. The Audit Committee meets regularly to ensure a shared understanding of cybersecurity risks, to review new regulations or laws, and to provide guidance on complex risk issues.
Our Information Security team has gained its expertise in information technology (“IT”) and cybersecurity through a combination of education, relevant degrees, certifications and prior work experience. As part of the cybersecurity process, the teams reporting to the Information Security team keep it informed about the prevention, detection, mitigation, and remediation of cybersecurity incidents.
The Information Security team has adopted the NIST Cybersecurity Framework as a reference to manage cybersecurity risks. This framework enables the team to implement a comprehensive statement of activities and responsibilities that cover data, information architecture, risk communications, emerging technology, third-party risk, IT operations, and regulation. By following industry best practices, the team has established a recognized baseline for engaging external firms to audit and test the resiliency of the cybersecurity program.