OPENLANE, Inc. 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 20, 2025

OPENLANE, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 19:14:51 EST.

Filings

10-K filed on 2025-02-19

OPENLANE, Inc. filed a 10-K at 2025-02-19 19:14:51 EST
Accession Number: 0001395942-25-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy The Company’s enterprise risk management (“ERM”) program includes assessing, identifying and managing material risks from various sources, including those related to cybersecurity. The Company uses information from incident history, threat intelligence, formal and informal security networks, government information sharing and recognized information security frameworks to inform its cybersecurity risk management approach. The Company’s cybersecurity risk management processes incorporate multiple layers of security to help identify and protect against cybersecurity threats including a dedicated cybersecurity team, technical security controls, policy enforcement, monitoring systems, employee training, contractual arrangements and management oversight. Given the dynamic nature of the cyber-threat environment, the Company engages with third-party assessors, consultants and others from time to time on various cyber-related matters, including assessing, enhancing, advising and monitoring the Company’s cybersecurity risk management process. The Company maintains a vendor risk management program designed to help identify and manage risks associated with third-party service providers, including a risk-based approach to identifying and monitoring cybersecurity threats presented by certain third-party service providers, with management retaining responsibility for oversight of cybersecurity threats. The Company maintains an incident response plan that includes escalation criteria and preliminary materiality assessments to guide reporting and disclosure objectives. The Company describes risks related to cybersecurity threats that could materially impact its business strategy, results of operations or financial condition in Item 1A. “Risk Factors” of this Annual Report on Form 10-K. Governance Management is responsible for assessing and managing risk at the Company, including communicating key risks to the Board of Directors and its committees. The Board of Directors has primary responsibility for risk oversight, with a focus on the most significant risks facing the Company. With respect to cybersecurity risks, the Audit Committee of the Board of Directors (“Audit Committee”) provides oversight for matters specifically relating to cybersecurity and other risks related to information technology systems and procedures, including but not limited to data security and privacy. Management leverages the collective expertise of the Company’s information security function which reports to the Chief Financial Officer through the Company’s Chief Information Security Officer (“CISO”). The CISO has served in this position for the Company since 2017, holds various relevant credentials including CISSP (Certified Information Systems Security Professional), and has extensive cybersecurity and privacy experience having served in information technology roles for over 35 years and cybersecurity leadership roles for 15 years. The CISO reports to the Audit Committee quarterly on information security matters, including, among other things, the Company’s cyber risks and threats, any incidents or events, the status of projects to further strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging regulatory and threat landscape. The CISO also briefs the full Board of Directors on cybersecurity matters at least annually. As described above, management informs the Audit Committee about prevention, detection, mitigation, resolution, and remediation of cybersecurity incidents quarterly and monitors such matters continuously. The Audit Committee reviews and discusses with management the quality and effectiveness of the Company’s efforts to mitigate such risks and reports such findings to the Board of Directors .

Company Information