Page last updated on February 14, 2025
GROUP 1 AUTOMOTIVE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 15:43:12 EST.
Company Summary
Group 1 Automotive owns and operates about 130 franchises at approximately 100 dealerships, as well as about 25 collision service centers.
Filings
10-K filed on 2025-02-14
GROUP 1 AUTOMOTIVE INC filed a 10-K at 2025-02-14 15:43:12 EST
Accession Number: 0001031203-25-000013
Item 1C. Cybersecurity

Description of Processes for Assessing, Identifying and Managing Cybersecurity Risks

In the ordinary course of business, our information systems on which we run our business operations and store confidential or proprietary data, such as PII about our customers and our employees, are subject to potential cyber-attack. The techniques used by cyber attackers change frequently and may be difficult to detect for long periods of time. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or compromise to our IT systems. We have implemented security measures that are designed to detect and protect against cyberattacks. Our processes and procedures align with the National Institute of Standards and Technology Cybersecurity Framework. In particular, we seek to assess, identify and manage cybersecurity risks through the processes described below:

Risk Assessment

A multi-layered system designed to protect and monitor data and cybersecurity risk has been implemented. Regular assessments and testing of our cybersecurity safeguards are conducted by independent third-party cybersecurity experts. Our internal audit department additionally conducts regular audits to assess management’s processes and controls employed to identify and manage material cybersecurity risks. We use a variety of layered applications to alert us to suspicious activity.

Incident Identification and Response

A security information and event management process (“SIEM”) has been implemented to help promptly identify cybersecurity incidents. In the event of any breach or cybersecurity incident, we have an incident response plan within our SIEM that is designed to provide for action to contain the incident, mitigate the impact and restore normal operations efficiently. We conduct annual reviews of our cyber incident response plan.

Cybersecurity Training and Awareness

Cybersecurity awareness among our employees is promoted with regular training and awareness programs. Employees who access our systems are required to undergo annual cybersecurity training and, each year, employees are required to test their understanding of our cybersecurity policies. Further, our employees who handle PII are required to undergo training, including phishing exercises and awareness programs on the appropriate management, use and protection of that information.

Access Controls

We have endeavored to implement physical access controls to prevent access to endpoints that may leave Company data vulnerable to attack. We have also sought to implement systems to prevent encrypted information from bypassing certain Company-defined information control mechanisms and have also sought to purge or wipe information from certain Company-defined endpoints after consecutive, unsuccessful logon attempts or other indicators of unauthorized access. Finally, we have implemented encrypted virtual private networks in an effort to enhance the integrity of remote connections and have endeavored to protect wireless access points to our systems using authentication of users and/or devices. Segmented networks and user access controls are used to limit unauthorized access to sensitive information and systems. Employees are required to use multi-factor authentication and regularly update their passwords.

Encryption and Data Protection

Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information and other confidential data. We also have a program in place to monitor our retained data by identifying PII and ensuring it is not stored outside of approved locations and systems. We maintain policies that govern the deletion of PII to limit the information exposed to a potential cyberattack.

We have endeavored to use strong, up-to-date encryption algorithms and to regularly update and patch systems in an effort to guard against vulnerabilities. Similarly, we have sought to manage encryption keys with use of a secure key management system and rotation of keys after use. We have implemented secure protocols, including, e.g., hypertext transfer protocol secure for web traffic and secure file transfer protocol for file transfers. Processes designed to monitor cybersecurity incidents are also intended to protect our data. Our cybersecurity safeguards, including those provided by third parties, are designed to monitor for unauthorized access. These services are designed to monitor both internal and external threats. We engage several third-party consultants in connection with our risk assessment and risk management, and we have established separate processes and procedures to oversee and identify cybersecurity risks associated with third parties. Finally, we have implemented encrypted virtual private networks for remote connections.

The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered as an important component of our enterprise-wide risk management approach.

Impact of Risks from Cybersecurity Threats

As of the date of this Form 10-K, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Our processes designed to monitor cybersecurity incidents are also intended to protect our data. Our cybersecurity safeguards, including those provided by third parties, are designed to monitor for unauthorized access, extraction, and deletion of certain sensitive data, large quantities of data, and other anomalous network traffic. These services are designed to monitor both internal and external threats.

Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems could have significant consequences to our business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors’ Oversight of Risks from Cybersecurity Threats

The Board of Directors oversees risks from cybersecurity threats. The Board of Directors delegates oversight of our operations risk, including quarterly reviews of cybersecurity and data protection, to the Finance/Risk Management Committee, and delegates compliance with cybersecurity policies to the Audit Committee. Both the Finance/Risk Management Committee and the Audit Committee report to the full Board of Directors on cybersecurity matters. Additionally, on an annual basis, management reviews results from tests of key cybersecurity systems with the full Board of Directors and the steps taken to mitigate new cybersecurity risks which have been identified. The Finance/Risk Management Committee oversees the formal process to identify risks company-wide, allocate them to the appropriate committee of the Board of Directors, and ensure that risk mitigation activities are being followed.

At each of its meetings, the Finance/Risk Management Committee receives presentations from our Chief Information Officer (the “CIO”) on cybersecurity and information security risk, as well as our cybersecurity initiatives. The Audit Committee oversees compliance with cybersecurity policies with guidance from members of management, including the Vice President of Internal Audit, who informs the Audit Committee on the audit results of cybersecurity controls.

Management’s Role in Assessing and Managing Cybersecurity Threats

Our IT and Security team, which is headed by our CIO, is responsible for our efforts to comply with cybersecurity standards, establish industry-recognized protocols and protect the integrity, confidentiality and availability of our IT infrastructure. Our CIO and various members of the IT and Security team meet regularly with members of management to address key security and privacy issues. Our CIO has more than 25 years of infrastructure and cybersecurity experience. We also have formed a cyber event incident team, composed of our CIO, Chief Financial Officer, Corporate Controller, Chief Legal Officer and Vice President of Internal Audit, who, upon the occurrence of a cybersecurity incident, convene to assess the materiality of the event as well as the appropriate remediation and escalation procedures, including escalation to our Chief Executive Officer, the Finance/Risk Management Committee, the Audit Committee and the Board of Directors. Our internal audit department additionally conducts regular audits to assess management’s processes and controls employed to identify and manage material cybersecurity risks.
Company Information
Name | GROUP 1 AUTOMOTIVE INC |
CIK | 0001031203 |
SIC Description | Retail-Auto Dealers & Gasoline Stations |
Ticker | GPI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |