LKQ CORP 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

LKQ CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 17:01:27 EST.

Company Summary

LKQ Corporation is the largest nationwide provider of alternative collision replacement parts and a leading provider of recycled engines.

Filings

10-K filed on 2025-02-20

LKQ CORP filed a 10-K at 2025-02-20 17:01:27 EST
Accession Number: 0001065696-25-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company’s Board recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to risk management. The Company’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s operations and are based on recognized frameworks established by the International Organization for Standardization, the National Institute of Standards and Technology and other industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that the Company collects and stores and maintaining access to critical systems by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Risk Management and Strategy As one of the critical elements of the Company’s overall risk management approach, the Company’s cybersecurity program is focused on the following key areas: Governance: As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the " Audit Committee"), which regularly interacts with the Company’s Chief Information Security Officer (“CISO”) and other members of management. 26 Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including but not limited to secure web gateways, secure e-mail gateways, multi-factor authentication, endpoint detection and response, cloud security posture management, privileged access management, firewalls, intrusion detection/prevention systems, and web application firewalls. Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company’s response to a cybersecurity incident, and such plans are maintained, tested and evaluated on a regular basis. Third Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third party systems. Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats and best practices as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s information security policies, standards, processes and practices. The Company engages in the periodic assessment and testing of adherence to the Company’s policies, standards, processes and practices that are designed to address cybersecurity risks, threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Risk Management Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance The Board, in coordination with the Risk Management Committee, oversees the Company’s risk management process, including the management of risks arising from cybersecurity threats. The Board, Audit Committee and the Risk Management Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board and the Risk Management Committee also receive prompt and timely information regarding any cybersecurity incident that meets or could potentially meet materiality reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Company’s senior executives and CISO discuss the Company’s approach to cybersecurity risk management. The CISO, in coordination with the Risk Management Committee, which includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), Senior Vice President of Policy and Administration, and General Counsel (“GC”), works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports significant (including potentially material) threats and incidents to executive leadership. The CISO has served in various roles in IT and information security for over 27 years, including serving as the Chief Information Security Officer of two large public companies. The CISO holds an undergraduate degree in computer science and a graduate degree in business and attained professional certification as a Certified Information System Security Professional (“CISSP”), Certified Information Security Manager (“CISM”) and GIAC Certified Incident Handler (“GCIH”). The Company’s 27 CEO, CFO, Senior Vice President of Policy and Administration, and GC each hold degrees in their respective fields, and each has experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats. To date, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security incidents of these types, and we may not be able to implement effective preventive measures against such security incidents in a timely manner. See the risk factor titled " We rely on information technology and communication systems in critical areas of our operations and a disruption relating to such technology and systems, including cybersecurity threats, could harm our business. " in Part I, Item 1A of this Annual Report on Form 10-K for further information.

Company Information