CREDIT ACCEPTANCE CORP - (CACC)
10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY
The Company regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, and tests those systems pursuant to the Company’s cybersecurity policies, standards, processes, and practices, which are integrated into the Company’s overall risk management program. We have adopted aspects of the ISO 27002 and NIST SP 800-37 Rev. 2 frameworks, to which risk management in relation to our information systems is aligned. We categorize our information systems as either critical or secondary, depending on business value and/or risk of financial or compliance impact of cybersecurity incidents. Our information security team uses a multifaceted approach to assess, identify, and manage material risks to the Company from cybersecurity threats, including testing of the effectiveness of our cybersecurity incident prevention and response systems; conducting routine vulnerability scanning of information systems assets; network/endpoint detection and response coupled with anomaly identification and enhanced logging capabilities powered by artificial intelligence software; discovery through collaboration with the Company’s internal audit team; monitoring of threat intelligence feeds provided by industry associations/groups, service providers, and federal/state authorities; and professional service engagements, such as retaining the services of an external 24/7 security operations center and partnering with third parties in testing our information systems for vulnerabilities from external, internal, and social engineering perspectives and assessing the effectiveness of our cybersecurity controls.
The Company partners with third-party service providers and employs processes to assess, identify, and manage material risks from cybersecurity threats arising from the use of such third-party service providers. Our latest assessment attempted to identify vulnerabilities in our network and systems from external, internal, and social engineering perspectives. Our cybersecurity practices (including with respect to third-party service providers) have been assessed to represent a level of maturity consistent with industry best practices.
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations, and financial condition. For more information about these risks, see the disclosure under the heading “Technology and Cybersecurity Risks” in Part I, Item 1A. Risk Factors.
Our board of directors oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. The audit committee of the Company’s board of directors provides structured oversight of the Company’s risk management program, which focuses on the most significant short-, intermediate-, and long-term risks the Company faces. The Company has an information security compliance committee (the “Committee”) that consists of the members of the Company's compliance committee, which reports to the board of directors, and at least three members of Company management. The Committee is responsible for overseeing the development and upkeep of written policies and procedures aimed at safeguarding the Company’s information systems and the nonpublic information stored within them. In addition, the Committee plays a crucial role in the governance of the cybersecurity risk management process. This involves collaborating with third-party industry experts and the Company’s internal audit team to conduct risk assessments of the Company’s information security program (the “Program”). The assessments encompass an evaluation of the Company’s adherence to the Program, including the elements of the Program that are dictated by relevant laws, regulations, and the Company’s information security manual. Furthermore, the Company conducts periodic cybersecurity assessments and preparedness analyses, supervised by our designated Chief Information Security Officer (“CISO”).
At least annually, our internal audit team conducts a formal risk assessment and develops an audit plan that identifies, assesses, and prioritizes risks that include cybersecurity. The results of the risk assessment and the proposed audit plan are communicated to various leaders within the Company as well as the audit committee of the board of directors for input. The audit plan is reassessed throughout the year, and the plan is subject to modification by our internal audit team, e.g., based on such considerations as changes to resources, business operations, or internal or external risk factors.
The CISO, the Vice President, Engineering – Security, Compliance and Trust, or the Director of Engineering Security and Compliance also issues an annual written report to the board of directors on the Program and material cybersecurity risks.
The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, the Company has adopted and maintains written policies and procedures for the protection of the Company’s information systems and the nonpublic information stored on those systems, which are based on the Company’s risk assessment and which address all other specific topics as may be required by applicable laws and regulations.
The Program includes processes to coordinate and facilitate the implementation of information security best practices and services throughout the Company and to comply with applicable cybersecurity requirements under federal and state laws and regulations, including, but not limited to, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, and the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500. The Program is based on the Company’s risk assessment and designed to perform in accordance with applicable laws and regulations.
The Company has established and maintains a comprehensive information security incident management plan (the “Plan”) that allows the Company to respond quickly and effectively to cybersecurity threats and cybersecurity incidents, including cybersecurity breaches, in accordance with applicable laws and regulations.
The Company routinely engages third-party industry experts to work in conjunction with our internal audit team in performing risk assessments of the Program and the Plan and of the Company’s execution of the Program and the Plan.
The CISO, in coordination with the Director of Engineering Security and Compliance and the information security managers, is responsible for leading the assessment and management of cybersecurity risks. The Company’s information security team has extensive experience in information security and previous information security work experience in several industries, including defense, manufacturing, and financial services. The CISO reports to the board of directors, the audit committee, and senior management on cybersecurity threats.