General Motors Co - (GM)

10-K Filing Date: January 30, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Material risks from cybersecurity threats are managed across GM, GM Financial, Cruise and third-party suppliers and vendors, and monitoring such risks and threats is integrated into the Company’s overall risk management program.

GM has a Cybersecurity Management Board that brings together representatives from senior management across the Company’s Software & Services, Product Development, Information Technology, Manufacturing, Finance, Communications, Human Resources, Legal and Public Policy organizations to provide guidance and monitor overall company cybersecurity risk. The Company’s cybersecurity maturity scorecard, cybersecurity threats and certain incident information are reviewed by the Company’s Chief Cybersecurity Officer (CCO), the Risk and Cybersecurity Committee of the Company’s Board of Directors and the Cybersecurity Management Board during standing meetings as well as in impromptu sessions, when appropriate. During the reviews, various topics are discussed, which may include:

implementation and maturity of the Company’s cybersecurity program, risk management framework, including cybersecurity risk policies, procedures and governance;
cybersecurity and privacy risk, including potential impact to the Company’s employees, customers, supply chain, joint ventures and other stakeholders;
intelligence briefings on notable cyber events impacting the industry; and
cybersecurity budget and resource allocation, including industry benchmarking and economic modeling of various potential cybersecurity events.

The Company maintains technical and organizational safeguards, including employee training, incident response capability reviews and exercises, cybersecurity insurance and business continuity mechanisms for the protection of the Company’s assets. From time to time, the Company’s processes are audited and validated by internal and external experts. The Company leverages a third-party cybersecurity program with the goal of minimizing disruption to the Company’s business and production operations, strengthening supply chain resilience in response to cyber-related events and supporting the integrity of components and systems used in its products and services.

As cybersecurity incidents occur, the GM Cybersecurity team focuses on responding to and containing the threat and minimizing any business impact, as appropriate. In the event of an incident, the Cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with support from external technical, legal and law enforcement support, as appropriate.

In the last three fiscal years, the Company has not experienced any material cybersecurity incidents and expenses incurred from cybersecurity incidents were immaterial (including penalties and settlements, of which there were none). For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A. Risk Factors – "Risks related to our intellectual property, cybersecurity, information technology and data management practices", which are incorporated by reference into this Item 1C.

Governance

The GM Board of Directors is responsible for overseeing the Company’s enterprise risk, and has established its Risk and Cybersecurity Committee with specific responsibility for overseeing cybersecurity threats, among other things. The Company’s cybersecurity organization is led by the CCO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to GM’s Executive Vice President, Legal, Policy, Cybersecurity, and Corporate Secretary as well as to the Risk and Cybersecurity Committee. The CCO has served in this role for four years, and has more than 11 years of experience in various roles involving managing cybersecurity functions, developing cybersecurity strategies to protect privacy, customer safety and intellectual property, and developing key capabilities such as product security engineering, risk management and cybersecurity governance. The CCO holds a bachelor’s degree in electrical engineering and a master’s degree in systems engineering, with over 10 years of previous software and hardware systems engineering experience. The CCO chairs the Automotive – Information Sharing and Analysis Center (ISAC) and serves on the Department of Homeland Security – Cybersecurity and Infrastructure Security Agency (DHS-CISA) Advisory Committee.

The CCO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company’s incident response plans, which include escalation to the CCO and the Cybersecurity Management Board, as appropriate. As discussed above, the CCO reports out to the Risk and Cybersecurity Committee about cybersecurity threat risks, among other cybersecurity-related matters, at least quarterly.

* * * * * * *