AVIS BUDGET GROUP, INC. - (CAR)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
We maintain processes for assessing, identifying and managing material risks from cybersecurity threats.
We regularly use both outsourced and in-house information security expertise to employ a variety of administrative, technical, and physical data safeguards designed to both deter and mitigate cybersecurity risks, including cyber incident response procedures, endpoint threat detection and response solutions, employee training, third-party risk reviews, penetration testing, technical control reviews, vulnerability assessments, and enterprise-wide risk assessments. These policies and procedures, which are based on the National Institute of Standards and Technology framework, align with international standards under ISO/IEC 27001 and are reviewed annually, including via an annual assessment of relevant IT SOX controls and Payment Card Industry Data Security Standard reviews performed both by external Qualified Security Assessors and authorized members of our internal information security team. Our third-party due diligence processes also include procedures for identifying cybersecurity threats associated with third-party service providers. Cybersecurity risks are also identified and evaluated through our enterprise risk management (ERM) processes, which are overseen by the Audit Committee of our Board of Directors. Through our ERM processes, key stakeholders across the business identify, assess, and manage risk, including material cybersecurity risks. These processes enable us to monitor and assess the evolving landscape of cybersecurity risks.
Our information security program is administered under the supervision of our EVP, Chief Digital and Innovation Officer (CDIO) and Vice President (VP) of Platforms, Infrastructure and Cybersecurity, who share responsibility for assessing and managing the Company’s cybersecurity risks. Both our CDIO and VP of Platforms, Infrastructure, and Cybersecurity have over 20 years of related experience, holding technical leadership roles at notable multinational organizations, across diverse industries.
Our CDIO and VP of Platforms, Infrastructure and Cybersecurity also monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through the same processes described above for the identification and management of material cybersecurity risks.
The Audit Committee of our Board of Directors oversees risks associated with information technology and cybersecurity. Cybersecurity risks and incidents identified through these processes are evaluated by our CDIO and VP of Platforms, Infrastructure and Cybersecurity. Our VP of Platforms, Infrastructure and Cybersecurity provides regular updates on a quarterly basis, and more frequently as required, on these matters to the Audit Committee of our Board of Directors. Such reports may include discussions on current control audits, risk assessments, proposed mitigation measures, and other key information technology and cyber initiatives.
Information about our material cybersecurity risks can be found in Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.