Page last updated on February 6, 2025
FORD MOTOR CREDIT CO LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-05 20:47:39 EST.
Filings
10-K filed on 2025-02-05
FORD MOTOR CREDIT CO LLC filed a 10-K at 2025-02-05 20:47:39 EST
Accession Number: 0000038009-25-000007
Item 1C. Cybersecurity.
Cybersecurity Strategy and Risk Management
We devote significant resources to our security program that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. We believe our cybersecurity program is reasonably designed to protect our information systems, software, networks, and other assets against, and mitigate the effects of, cybersecurity incidents where unauthorized parties attempt, among other things, to disrupt or degrade service or our operations; misuse or abuse technology and information systems; make unauthorized disclosure of data; or otherwise cause harm to Ford and Ford Credit, our customers, suppliers, or dealers, or other key stakeholders. We employ capabilities, processes, and other security measures we believe are reasonably designed to reduce and mitigate these risks, and have requirements for our suppliers and service providers to do the same. Data safeguard practices of suppliers and service providers who process Personally Identifiable Information on our behalf are reviewed annually for compliance with our policies and applicable regulations. Despite having thorough due diligence, onboarding, and cybersecurity assessment processes in place for our suppliers and service providers, there can be no assurance that we can prevent the risk of any compromise or failure in the information systems, software, networks, and other assets owned or controlled by those parties. When we become aware that a supplier or service provider’s cybersecurity has been compromised, we attempt to mitigate the risk to the Company, including, if appropriate and feasible, by terminating the supplier’s connection to our information systems.
In an effort to effectively prevent, detect, and respond to cybersecurity threats, we employ a multi-layered cybersecurity risk management program supervised by Ford’s Chief Information Security Officer, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, architecture, and processes. The team provides cybersecurity services for Ford and its affiliates, including Ford Credit. The services provided to Ford Credit and its affiliates are governed by appropriate service agreements with Ford. Local regional teams and designated responsible individuals work with the enterprise-wide team to provide cybersecurity-related services in compliance with local requirements. The team’s responsibility includes identifying, considering, and assessing potentially material cybersecurity incidents on an ongoing basis, establishing processes designed to prevent and monitor potential cybersecurity risks, implementing mitigation and remedial measures, and maintaining the cybersecurity program. To do so, the program is informed by and designed to comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The program leverages both internal and external techniques and expertise. Internally, we perform penetration tests, internal tests/code reviews, and Red Team exercises, among other things, to evaluate aspects of our cybersecurity program. We also perform phishing and social engineering simulations with, and provide cybersecurity training for, personnel with Company email and access to Company assets, and regularly circulate security awareness newsletters to employees. Externally, we monitor notifications from the U.S. Computer Emergency Readiness Team (“CERT”) and various Information Sharing and Analysis Centers (each an “ISAC”); review customer, media, and third-party cybersecurity reports; and operate a bug bounty program. 
The cybersecurity program also includes disaster recovery and incident response plans, including a ransomware response plan, which is regularly tested and evaluated in tabletop simulations. Ford and Ford Credit’s global cybersecurity incident response is overseen by Ford’s Chief Information Security Officer. Ford’s Chief Information Security Officer has served in that role for over 7 years and has over a decade of engineering and operations expertise with cybersecurity technologies and services. He was appointed in 2022 by the Ford Credit Board as Ford Credit’s “Qualified Individual” under the Federal Trade Commission Safeguards Rule, and is responsible for overseeing and implementing Ford Credit’s information security program and enforcing it. Ford Credit’s Chief Technology Officer is Ford Credit’s senior member responsible for direction and oversight of the Qualified Individual. Ford’s Chief Information Security Officer also reports to Ford Motor Company’s Chief Enterprise Technology Officer, who has spent over two decades managing cybersecurity risks as a leader at enterprise software and Fortune 50 companies. Ford’s Chief Enterprise Technology Officer reports directly to Ford’s Chief Executive Officer.
When a cybersecurity threat or incident is identified, our policy is to review and triage the threat or incident, and to then manage it to conclusion in accordance with our cybersecurity incident response processes. When a cybersecurity incident is determined to be significant, it is addressed by management committees using processes that leverage subject-matter expertise from across Ford and Ford Credit. Further, we have in the past and may in the future engage with third-party advisors and government and law enforcement agencies as part of our incident management processes.
All cybersecurity incidents that are identified as reasonably having the potential to be highly significant to Ford and Ford Credit are brought to the attention of Ford’s Chief Enterprise Technology Officer and General Counsel by Ford’s Chief Information Security Officer as part of the Company’s cybersecurity incident response processes.
Cybersecurity Governance and Oversight
Cybersecurity risk identification, assessment, and management are integrated into Ford Credit’s overall enterprise risk management program. As part of its enterprise risk management efforts, the Ford Credit Board meets with senior management to assess and respond to critical business risks. These critical enterprise risks are assessed by senior management annually and discussed with the Ford Credit Board. Then each of the top risks are validated, prioritized, and assigned risk owners who are responsible to oversee risk assessment, develop and implement mitigation plans, and provide regular updates to the Board (and/or Board committee assigned to the risk). In this way, critical business risks, including cybersecurity risk, benefit from both top-down and bottom-up risk management efforts that we believe are reasonably designed to escalate key risk and control issues to senior management and the Ford Credit Board. As a result of this enterprise risk management process, cybersecurity threats have been and continue to be identified as one of the Company’s top risks, with Ford Credit’s Chief Technology Officer assigned as the executive risk owner. Ford Credit’s Board is responsible for the oversight of cybersecurity and information technology risks, and Ford Credit’s preparedness for these risks. As part of its oversight responsibilities, the Ford Credit Board receives annual cybersecurity updates from Ford’s Chief Information Security Officer.
The annual review includes oversight of cybersecurity practices, cyber risks, and risk management processes, such as updates to Ford Credit’s cybersecurity programs and mitigation strategies, and other cybersecurity developments. In addition, Ford Credit’s Compliance Committee reviews at least annually Ford Credit’s cybersecurity programs, and the Ford Credit Audit Committee receives updates on Ford Credit’s cybersecurity initiatives and information technology internal controls. In addition to these regular updates, as part of Ford Credit’s incident response processes, Ford Credit’s Chief Technology Officer, in collaboration with Ford Credit’s Qualified Individual and Chief Compliance Officer, provides updates on certain cybersecurity incidents to Ford Credit’s Compliance Committee and, in some cases, the Ford Credit Board of Directors. In the event Ford Credit determines it has experienced a material cybersecurity incident, Ford Credit’s Audit Committee and Chief Compliance Officer are notified about the incident in advance of filing a Current Report on Form 8-K.
In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. For a discussion of whether and how cybersecurity incidents, ransomware attacks, and other disruptions to Ford and Ford Credit’s operational information systems, security systems, vehicles, and services could reasonably be expected to affect Ford and Ford Credit, including their business strategy, results of operations or financial condition, see our risk factors above in Item 1A. generally and, in particular, “Operational information systems, security systems, vehicles, and services could be affected by cybersecurity incidents, ransomware attacks, and other disruptions and impact Ford, Ford Credit, their suppliers, and dealers” on page 18.
Company Information
Name | FORD MOTOR CREDIT CO LLC |
CIK | 0000038009 |
SIC Description | Miscellaneous Business Credit Institution |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |