LKQ CORP - (LKQ)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Our Board recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to risk management. The Company’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s operations and are based on recognized frameworks established by the International Organization for Standardization, the National Institute of Standards and Technology and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of the Company’s overall risk management approach, the Company’s cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which interacts with and receives cybersecurity information or reports from members of the Company’s Risk Management Committee, the Company's Chief Information Security Officer (“CISO”) and other members of management.

Collaborative Approach: The Company's Board and management have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made in a timely manner. The Company also purchases cybersecurity insurance to mitigate the financial risk associated with cybersecurity breaches.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including but not limited to secure web gateways, secure e-mail gateways, multi-factor authentication, endpoint detection and response, cloud security posture management, privileged access management, firewalls, intrusion detection/prevention systems, and web application firewalls.

Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company’s response to a cybersecurity incident, and such plans are maintained, tested and evaluated on a regular basis.

Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s information security policies, standards, processes and practices.

The Company engages in the periodic assessment and testing of adherence to the Company’s policies, standards, processes and practices that are designed to address cybersecurity risks, threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Risk Management Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

29



Governance

The Board, in coordination with the Audit Committee and the Risk Management Committee, which is comprised of senior management of the Company, oversees the Company’s risk management process, including the management of risks arising from cybersecurity threats. The Board, Audit Committee and Risk Management Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board, Audit Committee and Risk Management Committee also receive prompt and timely information regarding any cybersecurity incident that meets materiality reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On a quarterly basis, the CISO holds security risk meetings with LKQ’s business segment leadership to highlight the security risk environment, policies, controls, and remedial actions planned to address risks or vulnerabilities. On an annual basis, the Board and the Company’s Chief Information Officer ("CIO") and CISO discuss the Company’s approach to cybersecurity risk management.

The CISO, in coordination with the Risk Management Committee, which includes, among others, our Chief Executive Officer ("CEO"), Chief Financial Officer ("CFO"), CIO and General Counsel ("GC"), works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports significant (including potentially material) threats and incidents to executive leadership.

The CISO has served in various roles in IT and information security for over 26 years, including serving as the Chief Information Security Officer of two large public companies. The CISO holds an undergraduate degree in computer science and a graduate degree in business and attained professional certification as a Certified Information System Security Professional ("CISSP"), Certified Information Security Manager ("CISM") and GIAC Certified Incident Handler ("GCIH"). The CIO holds an undergraduate degree in Economics and a master’s degree in business administration, and has served in various roles in IT for over 25 years, including serving as the Chief Information Officer of three public companies. The Company’s CEO, CFO and GC each hold undergraduate and graduate degrees in their respective fields, and each has experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition.