ACV Auctions Inc. - (ACVA)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

We have established and maintain policies and processes for assessing, identifying, monitoring, and managing material risks arising from cybersecurity threats which form an important component of our overall risk management program. Our policies and processes underlie and support the integrity and availability of critical data and systems, and are designed to provide a framework for timely, effective responses to cybersecurity threats, such as threats associated with our services and with our use of services or technology products by our strategic vendors, contractors, or other suppliers. ACV also engages independent third parties to help us assess our internal preparedness, audit our adherence to cybersecurity standards, assist us with risk mitigation activities, such as security assessments and penetration testing, and identify areas for continued focus and improvement.

Our efforts are led by ACV's Chief Information Officer (“CIO”) who oversees a team of cybersecurity professionals (the “Cybersecurity Department”) dedicated to identifying, assessing, escalating, responding to, and recovering from cybersecurity threats on a day-to-day basis.

The Cybersecurity Department works with our strategic vendors, contractors, or other suppliers that provide services or technology products to complete information security risk assessments, each consisting of a holistic review using NIST as a standard. For these suppliers, operational security details, including third-party reports on compliance frameworks (such as NIST, SOC2 Type2), are reviewed by the Cybersecurity Department for sufficiency. The Cybersecurity Department uses tools to assist in monitoring cyber activities, benign and otherwise, and creates alerts based on anomalous activities or potential vulnerabilities. ACV personnel also are required to take cybersecurity training, which is designed to prepare our personnel to look out for and report any suspicious or anomalous events they may experience.

Governance

While our board of directors has overall responsibility for risk oversight, our Audit Committee assists our board of directors in monitoring cybersecurity risks by receiving regular reports from our CIO, as needed, that cover information such as NIST review outcomes, and actions to address findings and vulnerabilities.

Our CIO has primary management responsibility for ACV’s cybersecurity. He has over twenty-five years of experience working in information technology, with the last fifteen years in senior leadership and delivery roles in large, geographically spread corporate technology settings.

Pursuant to our Cybersecurity Incident Response Plan (“CIRP”), which governs ACV’s responses to cybersecurity events and is designed to align with industry practices, when a cybersecurity event has been identified, it is assessed by our Cybersecurity Department based on a threat detection and response analysis to determine whether the event is a cybersecurity incident. Events that do not meet the standard of incident are resolved and closed out by the Cybersecurity Department in our cybersecurity event management system.

If an event is identified as an incident, the CIRP provides for notification to designated members of the Cybersecurity Department and the legal compliance function who will analyze the incident for potential materiality. Any incident whose impacts are judged to be potentially material is escalated immediately to a senior management team comprised of at least our CIO, Chief Legal Officer, Chief Operations Officer, and Chief Financial Officer. Additionally, certain cybersecurity events, such as a ransomware attack, will be immediately escalated to the designated members set forth above and the CIO. If the threat is found to be credible, it is further escalated on an emergency basis to the Chief Legal Officer and Chief Financial Officer. Once a cybersecurity incident is escalated to senior management, other members of management and senior management may be engaged to oversee the assessment, response, recovery, and disclosure efforts relating to such cybersecurity event.

Despite our efforts, we can offer no guarantees that the cybersecurity measures we use will prevent unauthorized or malicious access to ACV systems and information. For more information regarding the risks relating to cybersecurity, see “Risk Factors—Risks Related to Information Technology and Intellectual Property—Security breaches, cyber-attacks or other similar incidents with respect to our information technology systems, or those of our third-party service providers, could result in adverse consequences, including, but not limited to, a disruption of our business operations; reputational harm; loss of revenue or profits; regulatory investigations or actions; litigation; fines and penalties. If we fail to comply with our commitments, assurances or other obligations regarding data privacy and security, our reputation may be harmed and we may be exposed to liability; loss of business; and other adverse business consequences.”