GENUINE PARTS CO - (GPC)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY.

Our information security program is managed by a dedicated Chief Information Security Officer ("CISO"), whose team is responsible for leading enterprise-wide cybersecurity strategy, risk assessment and management policies, standards, architecture, and processes. The CISO and the Chief Information and Digital Officer ("CIDO") each have over 15 years of prior work experience in various roles involving information technology, including security, compliance, and systems. The CISO provides periodic reports, which take into account information from internal stakeholders, known privacy and information security vulnerabilities, threat detection plans, and information from external sources such as reported security incidents, industry trends, and third-party evaluations, to our CIDO, who provides regular updates to our Audit Committee, Chief Executive Officer, and other members of our executive team. The Audit Committee receives regular updates specific to the Company’s cybersecurity program and IT security risk, including descriptions of mitigation and incident response plans, projects to continually enhance our information security systems, overviews of awareness and training programs and the emerging threat landscape. The Board of Directors ("Board") has ultimate oversight for risks relating to our information security program and practices and receives periodic updates from the Audit Committee Chair on cybersecurity and IT security risk and mitigation strategies, as well as periodic updates directly from the CIDO and CISO. Our program is regularly evaluated by internal and external resources with the results of those reviews reported to senior management, the Audit Committee and the Board.
We also actively engage with key vendors, industry participants, and intelligence and law enforcement communities for benchmarking and awareness of best practices as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. As part of our cybersecurity risk management system, our governance, risk & compliance team tracks and logs privacy and security incidents across GPC as well as performs third-party risk management to identify and mitigate risks from third parties such as vendors and suppliers. The results of our evaluations and the feedback from our engagements are used to drive alignment on, and prioritization of, initiatives to enhance our cybersecurity strategies, policies, and processes and make recommendations to improve processes.
Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and other applicable industry standards. In connection with our information security program, we perform ongoing internal and external risk assessment activities, and deploy systems, processes, and procedures across our global business units in response to identified risks. As cybersecurity events are detected via our global processes, the potential impact of the events is assessed using a variety of methods, and our incident response plan is enacted as needed. The incident response plan is periodically evaluated by our cybersecurity team as well as by independent advisors using simulated security events. Security awareness training is also a key component of our information security program and involves required training for all our teammates.
Although we have not experienced a material breach of cybersecurity to date, our computer systems and the computer systems of our third-party service providers have been, and will likely continue to be, subjected to unauthorized access or phishing attempts, computer viruses, malware, ransomware or other malicious codes. For more information about these and other information security risks we face, see “Item 1A. Risk Factors — Strategic and Operational Risks.”