Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We leverage technology for our business advantage and have invested in internal and external business applications. Our regular operations involve handling sensitive data, including proprietary business information, intellectual property, and personally identifiable information of our customers, suppliers, and employees. To ensure the safety of this data, the Vice President of Information Security provides oversight and establishes central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Any risks from cybersecurity threats to our products and services are communicated to our general counsel and senior management and, if deemed material, are further reviewed by the Audit Committee of our Board of Directors. We also periodically engage third-party consultants to help us assess, enhance, implement and monitor our cybersecurity risk management programs and respond to any incidents.
We have experienced cybersecurity incidents in the past and may continue to experience them in the future, whether directly or through our supply chain or other channels. In 2024, CDK, a third-party provider of certain of our information systems, experienced a cybersecurity incident that resulted in temporary suspension of certain of the systems used by us, including our dealer management system (the “DMS”), our customer relationship management system (the “CRM”) and other systems that support sales, inventory and accounting functions (collectively with the DMS and CRM, the “Affected Systems”). Access to the Affected Systems was restored by July 31, 2024, and we implemented internal risk assessment and data validation procedures before resuming full operations. This incident adversely affected our business and results of operations during the second and third fiscal quarters of 2024. Since that event, we have been working with CDK and other information technology vendors to take steps to strengthen our systems infrastructure, and our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents. However, there is no guarantee that another cyber incident would not materially affect our business strategy, results of operations or financial condition. See “General Risk Factors” in “Item 1A. Risk Factors” of this Annual Report on Form 10-K.
Cybersecurity Risk Management Processes Integrated [Text Block]
Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (the “NIST”) Cybersecurity Framework.
The Information Security team has adopted the NIST Cybersecurity Framework as a reference to manage cybersecurity risks. This framework enables the team to implement a comprehensive statement of activities and responsibilities that cover data, information architecture, risk communications, emerging technology, third-party risk, IT operations, and regulation. By following industry best practices, the team has established a recognized baseline for engaging external firms to audit and test the resiliency of the cybersecurity program.
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Governance
Our Board of Directors is responsible for overseeing enterprise risk and has delegated the responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee. Our Vice President of Information Security provides periodic updates to the Audit Committee in order to assist the Audit Committee in understanding the implications of cybersecurity risks. The Audit Committee meets regularly to ensure a shared understanding of cybersecurity risks, to review new regulations or laws, and to provide guidance on complex risk issues.
Our Information Security team has gained their expertise in information technology (“IT”) and cybersecurity through a combination of education, relevant degrees, certifications and prior work experience. As part of the cybersecurity process, their respective teams inform them about the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true