Annual report pursuant to Section 13 and 15(d)

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We leverage technology for our business advantage and have invested in internal and external business applications. Our regular operations involve handling sensitive data, including proprietary business information, intellectual property, and personally identifiable information of our customers, suppliers, and employees. To ensure the safety of this data, the Vice President of Information Security provides oversight and establishes central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Any risks from cybersecurity threats to our products and services are communicated to our general counsel and senior management and, if deemed material, are further reviewed by the Audit Committee of our Board of Directors. We also periodically engage third-party consultants to help us assess, enhance, implement and monitor our cybersecurity risk management programs and respond to any incidents.
We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. Specifically, on June 19, 2024, CDK, a third-party provider of certain information systems, notified us that CDK had suspended certain systems used by us in response to a cybersecurity incident impacting CDK. As a result, we experienced disruptions to our dealer management system (the “DMS”), our customer relationship management system (the “CRM”) and other systems that support sales, inventory and accounting functions (collectively with the DMS and CRM, the “Affected Systems”). On June 26, 2024, CDK began restoring access to certain of the Affected Systems. We performed internal risk assessments and data validation procedures on the Affected Systems, and beginning June 30, 2024, we resumed processing transactions in the DMS. As of July 31, 2024, we regained access to all of the Affected Systems, including the CRM and inventory management applications. As a result of the CDK outage, our business and results of operations during the second and third fiscal quarters of 2024 were adversely affected. Although we have been working with CDK and other information technology vendors and taking steps to strengthen our systems infrastructure, and our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that another cyber incident would not materially affect our business strategy, results of operations or financial condition. See “General Risk Factors” in “Item 1A. Risk Factors” of this Annual Report on Form 10-K.
Cybersecurity Risk Management Processes Integrated [Text Block]
Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (the “NIST”) Cybersecurity Framework.
The Information Security team has adopted the NIST Cybersecurity Framework as a reference to manage cybersecurity risks. This framework enables the team to implement a comprehensive statement of activities and responsibilities that cover data, information architecture, risk communications, emerging technology, third-party risk, IT operations, and regulation. By following industry best practices, the team has established a recognized baseline for engaging external firms to audit and test the resiliency of the cybersecurity program.
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Governance
Our Board of Directors is responsible for overseeing enterprise risk and has delegated the responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee. Our Vice President of Information Security provides periodic updates to the Audit Committee in order to assist the Audit Committee in understanding the implications of cybersecurity risks. The Audit Committee meets regularly to ensure a shared understanding of cybersecurity risks, to review new regulations or laws, and to provide guidance on complex risk issues.
Our Information Security team has gained their expertise in information technology (“IT”) and cybersecurity through a combination of education, relevant degrees, certifications and prior work experience. As part of the cybersecurity process, their respective teams inform them about the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true