General Motors Financial Company, Inc. - (ACF)
10-K Filing Date: January 30, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is aligned to the Company’s business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational, and financial risk. Key elements of our cybersecurity risk management program include:
• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
• a security team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• training and awareness programs for team members that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
• a third-party risk management process for service providers, suppliers, and vendors.
In the last three fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors – "Risks Related to Cybersecurity, Information Technology and Data Management Practices," which is incorporated by reference into this Item 1C.
Cybersecurity Governance
The GM Board of Directors established its Risk and Cybersecurity Committee with specific responsibility for overseeing cybersecurity threats, among other things. Our Global Chief Information Security Officer provides the Risk and Cybersecurity Committee periodic reports on our cybersecurity risks and any material cybersecurity incidents. In addition, our cybersecurity team provides periodic reports to our Board of Directors.
Our team of cybersecurity professionals is led by our Global Chief Information Security Officer, who has over 20 years of experience in the cybersecurity space and has obtained professional security certifications and advanced training in the field of cybersecurity and technology. The cybersecurity team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.
Our cybersecurity team also monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.