AMERICAS CARMART INC 10-K Cybersecurity GRC - 2024-07-15

Page last updated on July 16, 2024

AMERICAS CARMART INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-15 16:01:14 EDT.

Filings

10-K filed on 2024-07-15

AMERICAS CARMART INC filed a 10-K at 2024-07-15 16:01:14 EDT
Accession Number: 0001171843-24-003950


Item 1C. Cybersecurity.

Material Effects of Cybersecurity Incidents

Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. Further information regarding cybersecurity risks can be found in Item 1A. Risk Factors, of this Annual Report on Form 10-K.

Cybersecurity Risk Management and Strategy

We consider the protection of our customers’ and corporate data to be a priority within our business. We continually monitor and assess the cybersecurity landscape and invest in enhancing our cybersecurity capabilities and strengthening our partnerships with appropriate business partners, service partners, and government and law enforcement agencies to understand the range of cybersecurity risks in the operating environment, enhance defenses, and improve resiliency against cybersecurity threats. Through these partnerships, we incorporate threat intelligence, security operations, continuous training, and penetration testing. We strive to reduce the threat landscape for both the Company and our customers, through vigilantly monitoring systems and general technology controls. Our efforts focus on protecting and enhancing the security of our information systems, software, networks, and other assets, whether commercial products or custom solutions. Our cybersecurity program focuses on protecting and enhancing the security of our information systems, software, networks, and other assets, whether commercial products or custom solutions.
These efforts are under continuous review for improvement within the changing threat landscape and are designed to protect against, and mitigate the effects of, cybersecurity incidents that could result in unauthorized access to confidential, sensitive, or personal information of associates or customers or proprietary company information and potentially disrupt or impede our operations or otherwise cause harm to the Company, our customers, suppliers, dealers, or other key stakeholders.

Our cybersecurity program leverages both internal and external techniques and expertise across the cybersecurity spectrum. We maintain and utilize industry best practice capabilities, processes, and other security-related measures, based upon National Institute of Standards and Technology (NIST) and Control Objectives for Information Technologies (CoBIT) frameworks. Our capabilities, processes, and other security measures include, among others:

● Threat detection through the use of security information and event management software;
● Incident management processes for any security-related activity, requiring senior management signoff;
● Corporate endpoint detection and response software, which monitors for malicious activities on external-facing endpoints;
● Cloud monitoring tools, running on primary public and private cloud environments;
● Data encryption at rest and during transit and immutable data backups; and
● Business continuity, disaster recovery and incident response plans.

We also expect our suppliers to follow the same industry-standard security practices that we follow. Despite having thorough due diligence, onboarding, and cybersecurity assessment processes in place for our suppliers, the responsibility ultimately rests with our suppliers to establish and uphold their respective cybersecurity programs.
The ability and availability of information to monitor the cybersecurity practices and controls of our suppliers is limited, and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in information systems, software, networks, and other assets owned or controlled by our suppliers. Although the Company attempts to manage its exposure to such events through the purchase of cyber liability insurance, such events are inherently unpredictable, and insurance may not be sufficient to protect the Company against all losses. There is no assurance that the Company’s security systems or processes will prevent or mitigate future break-ins, tampering, security breaches or other cyber-related attacks.

Cybersecurity Governance

Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. Our Board of Directors has delegated oversight of cybersecurity, including privacy and information security, as well as enterprise risk management to the Innovation and Technology Committee. In connection with that oversight responsibility, our Senior Vice President of Technology and Chief Legal Officer meet with the Innovation and Technology Committee on a quarterly basis to provide information and updates on a range of cybersecurity topics which may include our cybersecurity program and governance processes; cyber risk monitoring and management; the status of projects to strengthen our cybersecurity and privacy capabilities; recent significant incidents or threats impacting our operations, industry, or third-party suppliers; and the emerging threat landscape.

Our information security team works closely with key stakeholders, including regulators, government agencies, law enforcement, peer institutions, industry groups, and develops and invests in talent and innovative technology to manage cybersecurity risk.
When a cybersecurity threat or incident is identified, the Senior Vice President of Technology and the security team works closely with cross functional committees, leveraging subject matter expertise across the organization, as part of our incident response plans and promptly provides information to senior management, with the goal of timely assessing such incidents, determining applicable disclosure requirements and communicating with the Chairs of the Innovation and Technology Committee and the Audit Committee, regarding any significant cybersecurity incidents, including those experienced by third party service providers, which may pose significant risk to our business, customers, clients, associates and stakeholders, and continues to provide regular reports until such incidents are concluded. The above framework tracks and allows team members to monitor each incident throughout its lifecycle to ensure the Company is informed about and following cybersecurity incidents as they are mitigated and remediated. Post-incident reviews are also performed to determine if there are any additional controls that may feasibly be implemented to prevent recurrence.


Company Information

Name: AMERICAS CARMART INC
CIK: 0000799850
SIC Description: Retail-Auto Dealers & Gasoline Stations
Ticker: CRMT - Nasdaq
Category: Accelerated filer
Fiscal Year End: April 29