LITHIA MOTORS INC 10-K Cybersecurity GRC - 2025-02-24

Page last updated on February 24, 2025

LITHIA MOTORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 17:16:35 EST.

Company Summary

Lithia Motors is an automotive dealership network headquartered in Medford, Oregon.

Filings

10-K filed on 2025-02-24

LITHIA MOTORS INC filed a 10-K at 2025-02-24 17:16:35 EST
Accession Number: 0001023128-25-000026


Item 1C. Cybersecurity.

Assessing, identifying, and managing material risks from cybersecurity threats

We are committed to maintaining robust cybersecurity practices to safeguard our information assets and ensure the confidentiality, integrity, and availability of our operations. We employ a comprehensive approach to assess, identify, and manage material risks arising from cybersecurity threats. The identification and oversight of material cybersecurity risks is included in continuous ERM Committee and Board meetings and reporting.

We complete regular cybersecurity assessments to identify potential vulnerabilities and threats, analyzing our infrastructure, systems, and data. Assessments are conducted both internally and by third parties and consider internal and external factors, technological changes, regulatory requirements, and emerging cyber threats. Our cybersecurity program adheres to widely recognized standards for managing cybersecurity risk, including the National Institute of Standards and Technology Cybersecurity Framework, Center for Internet Security Controls and U.K. Cyber Essentials.

We use advanced threat detection tools and technologies to identify potential cybersecurity risks. This includes continuous monitoring, intrusion detection systems, and anomaly detection mechanisms, to promptly identify any unusual activities or security breaches. Threat intelligence sharing with industry partners helps us stay informed about the latest cybersecurity threats.

We assess cybersecurity risks for their potential impact on our operations, data, and reputation. Risks are prioritized based on their severity and likelihood of occurrence before implementing appropriate controls, safeguards, and mitigation measures to address and manage these risks effectively.

We have developed a well-defined and frequently updated information security incident response plan that outlines procedures to be followed in the event of a cybersecurity incident. The plan is periodically drilled with incident response team members and includes robust processes for identification, categorization, escalation and reporting of incidents. Team members are regularly trained on key cybersecurity subjects to ensure awareness.

In June 2024, a cybersecurity incident occurred involving CDK, a third-party provider of certain information systems used by us, that triggered our information security incident response plan. Although the incident disrupted our operations, we believe our response plan operated substantially as we intended and the incident did not materially impact our financial condition or results of operations. The incident, however, provided us an opportunity to test our response plan, refine our procedures and consider improvements.

While no company can or will be completely immune from cybersecurity threats, especially as they relate to vendors and government agencies that we rely on, we know of no cybersecurity incident that has or is likely to materially affect us, our business strategy, or our results of operations, or financial condition.

Board of Directors Cybersecurity Oversight

Our Board oversees our cybersecurity and data protection strategy and appoints a director to lead the Board’s efforts. Our Board is briefed on our cybersecurity posture, current and future risks and potential incidents or vulnerabilities on a quarterly basis. Board members and executives participate in engagements on cybersecurity, such as simulated cyber incident response and crisis management exercises. Our Board also regularly receives and reviews third-party cybersecurity assessments, which include assessments of our cyber maturity and cyber risk.

Management’s Assessment and Response to Material Risks from Cybersecurity Threats

Our information security team and its leadership have primary responsibility for assessing and managing cybersecurity risks, within the scope of the overall ERM Committee. Our Senior Director of Information Security is responsible for identifying, assessing, and managing risks from cybersecurity threats. The Senior Director of Information Security manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security management team, through internal cyber risk management processes.

The Senior Director of Information Security reports to the Chief Technology and Innovation Officer (CTIO) and provides frequent and up to date reporting on cyber risk to our ERM Committee, a cross functional executive-level steering group, which includes the CTIO and has a wealth of experience in enterprise risk. The ERM Committee meets on a quarterly basis or as necessary to assess and respond to enterprise risks, including cybersecurity, and reports updates to the Board.

The Senior Director of Information Security has over 10 years of experience in senior level information security roles, has over 20 years’ experience in Fortune 500 enterprise IT roles, and holds Associate and Bachelor Degrees and the Certified Information Security Manager (CISM) Professional certification, amongst others. The members of our information security management team have extensive experience in technology and security roles, possessing cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional (CCNP) and Global Certified Incident Handler (GCIH), amongst others.


Company Information

Name: LITHIA MOTORS INC
CIK: 0001023128
SIC Description: Retail-Auto Dealers & Gasoline Stations
Ticker: LAD - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30