AUTONATION, INC. - (AN)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have developed and continue to enhance our cybersecurity governance program to help protect the security of our computer systems, software, networks, and other technology assets against material risks from cybersecurity threats, including unauthorized attempts to access confidential information or to disrupt or degrade our business operations. Our cybersecurity governance program is strategically integrated into our broader risk management framework and aims to (1) proactively manage cyber and information security risks at AutoNation, (2) implement the internal controls required by cybersecurity regulatory requirements as well as AutoNation’s information security control objective documents and information security standards, and (3) improve the efficiency, maturity, and effectiveness of technology functions and processes.
We regularly evaluate new and emerging risks and ever-changing legal and compliance requirements and examine the effectiveness and maturity of our cyber defenses through various means, including internal audits, targeted testing, incident response exercises, maturity assessments, and industry benchmarking. We also dedicate significant resources that are designed to secure our systems and to protect confidential information, such as firewalls, endpoint protection, and behavior analysis tools, among others, and engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. In addition, we annually perform a risk assessment of our third-party service providers.
To date, risks from cybersecurity threats have not materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our efforts to ensure the integrity of our computer systems, software, networks, and other technology assets, we may not be able to anticipate, detect, or recognize threats to our systems and assets, or to implement effective preventive measures against all cyber threats, especially because the techniques used are increasingly sophisticated, change frequently, are complex, and are often not recognized until launched. See the risk factor “A failure of our information systems or any security breach or unauthorized disclosure of confidential information could have a material adverse effect on our business” in Part I, Item 1A of this Form 10-K.
Governance
Our Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats and oversees risks associated with cybersecurity threats. The Board’s Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this area. The Audit Committee is composed of independent directors with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Our Chief Information Security Officer (“CISO”) plays a pivotal role in informing the Audit Committee on cybersecurity risks. He provides comprehensive briefings to the Audit Committee on a quarterly basis or as needed. These briefings encompass a broad range of topics, including emerging threats, the status of ongoing cybersecurity initiatives, and incident reports and learnings from any cybersecurity events. The Audit Committee actively participates and offers guidance in strategic decisions related to cybersecurity. This involvement helps ensure that cybersecurity considerations are integrated into our broader strategic objectives.
Our CISO is responsible for assessing, monitoring, and managing our cybersecurity risks. With over 25 years of experience in the field of cybersecurity, including extensive experience as an enterprise CISO, his in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our cybersecurity governance programs, tests our compliance with applicable standards, remediates known risks, and leads our employee cybersecurity training program.
Our CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. In the event of a cybersecurity incident, our CISO is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.

Our CISO regularly informs our Chief Executive Officer and Chief Financial Officer of all aspects related to cybersecurity risks and incidents. This helps ensure that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to our Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.