MOTORCAR PARTS OF AMERICA INC - (MPAA)
10-K Filing Date: June 11, 2024
Item 1C.
Cybersecurity
Material Effects of Cybersecurity Incidents
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. Further information regarding cybersecurity risks can be found in Item 1A. Risk Factors - risks relating to “cyber-attacks or other breaches of information technology security could adversely impact our business and operation”.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity program designed to provide structured and thorough cybersecurity risk management and governance. Our cybersecurity program prioritizes, among other things, prevention of unauthorized access; protection of sensitive information; detection, assessment, and response to cyber threats; and continuous improvement of our cybersecurity measures. We seek to achieve our cybersecurity program priorities through a multi-pronged approach to address cyber threats and incidents that includes (i) implementation of various industry best practices, (ii) proactive monitoring of our IT systems, (iii) ongoing employee training, (iv) quarterly phishing campaigns, (v) continued education for our cybersecurity team, and (vi) regular risk assessments. We also maintain cyber insurance coverage to help mitigate a portion of the potential costs in the event of covered events.
Our cybersecurity program is aligned with various frameworks for managing cybersecurity risks, such as the National Institute of Standards and Technology Cybersecurity Framework for IT. We have an Information Technology Steering Committee that oversees the IT function, material projects, budgeting, and cybersecurity. In addition, we have an Incident Response Team, as highlighted in our cybersecurity policy, to respond to any information security risks or incidents. These committees report directly to the Audit Committee of the Board of Directors, which is responsible for overall oversight of the Company’s cybersecurity program.
We rely upon both internal and external resources for evaluating and enhancing our cyber posture. Our information security team works with external cybersecurity firms to review and provide feedback on improving our cybersecurity program, including in the areas of data protection, threat and vulnerability management, and end-point protection. We require annual cybersecurity training by our employees, send out regular tips and memos to help our employees recognize phishing emails and other social engineering tactics, and provide various methods for employees to report suspicious activity that may give rise to a cyber-incident or threat. Significant results of such testing and reviews are communicated to our executive management team and our Audit Committee, as applicable, and are utilized in our cybersecurity program’s continuous improvement process.
In response to the growing risks associated with third-party service providers, we do not have any direct connections from our enterprise resource planning (“ERP”) system to our third-party suppliers and their access to our IT systems that could significantly disrupt our operations.
We maintain a set of core practices and procedures when responding to certain high-risk information security threats and incidents, which are designed to ensure appropriate resources are utilized to provide an effective, timely, and coordinated response in managing crises, including significant cyber threats and incidents. Our Management Risk Committee will assume overall responsibility in an effort to ensure that the appropriate functions and work streams are mobilized and coordinated to effectively manage any significant cyber events.
We have been a target of cyberattacks and other hacking activities, as have certain of our third-party service providers. While our cybersecurity program is designed to prevent unauthorized access and protect sensitive information, including through continuous improvement of our cybersecurity measures, and we have not experienced any material cyber threats or incidents to date, we can give no assurance that we will be able to prevent, identify, respond to, or mitigate the impact of all cyber threats or incidents. To the extent future cyber threats or incidents result in significant disruptions and costs to our operations, reduce the effectiveness of our internal controls over financial reporting, or otherwise substantially impact our business, it could have a material adverse effect on our business, liquidity, financial condition, and/or results of operations. For additional discussion on our cybersecurity risks, refer to Item 1A. “Risk Factors” of this Form 10-K.
Cybersecurity Governance
Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. Our Board of Directors has delegated oversight of cybersecurity, including privacy and information security, as well as enterprise risk management to the Audit Committee. In connection with that oversight responsibility, our VP of IT and General Counsel meet with the Audit Committee on a quarterly basis to provide information and updates on a range of cybersecurity topics which may include our cybersecurity program and governance processes; cyber risk monitoring and management; the status of projects to strengthen our cybersecurity and privacy capabilities; recent significant incidents or threats impacting our operations, industry, or third-party suppliers; and the emerging threat landscape.
Our cybersecurity team is managed by a dedicated information security team, led by our VP of IT. Our VP of IT has more than 25 years of information technology experience across various disciplines, including nearly 15 years of experience in the financial, re-manufacturing, and distribution industries. She has led our global information security organization for almost three years. In addition to her employment experience in the cybersecurity field, our VP of IT has a Bachelor’s of Business Administration and Computer Information Systems, and meets regularly with other members of our executive team to provide relevant updates on our cybersecurity program.