MARINEMAX INC 10-K Cybersecurity GRC - 2024-11-14

Page last updated on November 14, 2024

MARINEMAX INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-14 16:05:44 EST.

Company Summary

MarineMax is a new and used boat dealer and yacht broker, and the largest Sea Ray dealer in the world. (Source: Crunchbase)

Filings

10-K filed on 2024-11-14

MARINEMAX INC filed a 10-K at 2024-11-14 16:05:44 EST
Accession Number: 0000950170-24-127036


Item 1C. Cybersecurity.

Item 1C. Cybersecurity" included in this report for a discussion of our cybersecurity procedures and policies. We may also have access to sensitive, confidential or personal data or information that is subject to privacy, security laws, and regulations. Despite our efforts to protect sensitive, confidential or personal data or information, we and our third-party service providers may be vulnerable to security breaches, theft, misplaced or lost data, programming errors, employee errors and/or malfeasance that could potentially lead to the compromising of sensitive, confidential or personal data or information, improper use of our systems, unauthorized access, use, disclosure, modification or destruction of information, and operational disruptions. As previously disclosed in a Current Report on Form 8-K filed with the SEC on March 12, 2024 and a Current Report on Form 8-K/A filed with the SEC on April 1, 2024, we experienced a cybersecurity incident (the “Incident”) whereby a cybercrime organization accessed a limited portion of our information environment that included some personally identifiable information. Although as of the date of this Annual Report on Form 10-K, the incident has not resulted in material impacts to the Company’s operations, financial conditions or results of operations, the Company remains subject to risks and uncertainties as a result of the incident and any future instances of unauthorized access to our information environment could have material adverse effects on our business. It is possible that we or our third-party service providers might not be aware of a successful cyber-related attack on our systems until well after the incident. In addition, a cyber-related attack could result in other negative consequences, including damage to our reputation or competitiveness, remediation or increased protection costs, litigation or regulatory action, and could adversely affect our business, financial condition, and results of operations.
Depending on the nature of the data compromised, we may have obligations to notify customers and/or employees about the incident, and we may need to provide some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the incident, which could result in material reputational damage to us. While we traditionally maintain a full range of insurance coverage for any such events, there can be no assurance that such insurance coverage is adequate to cover losses that we sustain as a result of an outage or breach of our technology platform or a cybersecurity event. We are also subject to laws and regulations in the United States and other countries concerning the handling of personal information, including laws that require us to notify governmental authorities and/or affected individuals of data breaches involving certain personal information. These laws and regulations include, for example, the European General Data Protection Regulation, effective May 2018, the California Consumer Privacy Act, effective January 2020, other similar state Consumer Privacy regulations, and new SEC cybersecurity-related disclosures adopted in July 2023. Regulatory actions or litigation seeking to impose significant penalties could be brought against us in the event of a data breach or alleged non-compliance with such laws and regulations.

Risks Related to Our Common Stock

The timing and amount of our share repurchases are subject to a number of uncertainties.

The Company maintains a stock repurchase plan authorizing the Company to purchase up to $100 million of its common stock through March 2026. There is no guarantee that our stock repurchase plans will be able to successfully mitigate the dilutive effect of stock options and stock-based grants. The success of our stock repurchase plans is based upon a number of factors, including the price and availability of the Company’s stock, general market conditions, the nature of other investment opportunities available to us from time to time, and the availability of cash.

We do not pay cash dividends.

We have never paid cash dividends on our common stock and we have no current intention to do so for the foreseeable future.

If securities analysts do not publish research or reports about our company, or if they issue unfavorable commentary about us or our industry or downgrade our common stock, the price of our common stock could decline.

The trading market for our common stock depends in part on the research and reports that third-party securities analysts publish about our company and our industry. We may be unable or slow to attract research coverage and if one or more analysts cease coverage of our company, we could lose visibility in the market. In addition, one or more of these analysts could downgrade our common stock or issue other negative commentary about our company or our industry. As a result of one or more of these factors, the trading price of our common stock could decline.

Certain activist shareholder actions could cause us to incur expense and hinder execution of our strategies.

We actively engage in discussions with our shareholders regarding further strengthening our Company and creating long-term shareholder value. This ongoing dialogue can include certain divisive activist tactics, which can take many forms. Some shareholder activism, including potential proxy contests, could result in substantial costs, such as legal fees and expenses, and divert management’s and our Board’s attention and resources from our business and strategic plans.
Additionally, public shareholder activism could give rise to perceived uncertainties as to our future, adversely affect our relationships with suppliers or customers, make it more difficult to attract and retain qualified personnel, and cause our stock price to fluctuate based on temporary or speculative market perceptions or other factors that do not necessarily reflect the underlying fundamentals and prospects of our businesses. These risks could adversely affect our financial performance.

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Management of material risks from cybersecurity threats is integrated into the Company’s overall risk management processes and is monitored as an enterprise risk. The Company’s Board of Directors (the “Board”), with the input of management, oversees the Company’s internal controls and processes, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. Our comprehensive cybersecurity program includes, but is not limited to, standards and procedures for vulnerability management, user training, security assessments and testing, business continuity planning, encryption of sensitive data, physical security, user access controls, vendor risk management, teleworking, user device management and proactive systems, data and activity monitoring, and incident response. A limited scope of third-party service providers are involved in supporting our business and, where appropriate, we have established standards and procedures to ensure commercial best practices, audit, risk management, and strict contractual controls are in place and followed. Comprehensive contingency, recovery, and continuity plans are in place to ensure the ongoing provision of services to customers in the event of a cybersecurity incident.

Our Executive Vice President and Chief Digital Officer, (the “CDO”), Shawn C. Berg, is responsible for managing the Company’s cybersecurity risk and cybersecurity program. Shawn Berg has served as Chief Digital Officer since April 2019 overseeing the Company’s Technology, Marketing, and Digital Business operations. Mr. Berg was appointed as an executive officer of MarineMax by our Board in October 2022. Previously he served as Vice President of Technology after joining MarineMax in 2017. Mr. Berg has over 30 years of experience, including multiple officer-level positions, of invaluable experience in information technology and security.

Our Technology Group monitors material risks over time and updates the Company’s mitigation measures as appropriate. The Technology Group also regularly reports to the CDO and other key executives, as identified in the incident response plan, on the status of material risks, mitigation measures, and incidents related to such risks. The CDO provides the Board with ongoing security updates, which include notable changes to program plans, changes to the risk environment, information regarding material incidents that may have occurred, reports on recent assessments of our security controls, and details regarding forward-looking plans and strategies to mitigate cyber risk.

The Company has been subject to cybersecurity threats in the past, including the Incident. We believe the impacts of the Incident were not material to MarineMax’s financial condition or results of operations. In addition, as of the date of this report, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Notwithstanding our vigilant cybersecurity measures, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us.

For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factor in Item 1A. Risk Factor in this report, titled “Increased cybersecurity requirements, threats and more sophisticated and targeted computer crime could pose a risk to our systems, networks, data and our third-party service providers. Our business operations could be negatively impacted by an outage or breach of our informational technology systems or a cybersecurity event”.


Company Information

Name: MARINEMAX INC
CIK: 0001057060
SIC Description: Retail-Auto & Home Supply Stores
Ticker: HZO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29