|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The Group has adopted a comprehensive risk management system to manage various risks that it faces, including financial risks, operational risks, compliance risks and cybersecurity risks. In particular, cybersecurity risk management is a core component of the Group’s overall risk management framework. The Group has engaged an independent registered public accounting firm to conduct independent audits on the Group’s compliance with the internal control requirements under the Sarbanes-Oxley Act of 2002, and IT general controls (ITGC) are an important part of it. ITGC audits and consultancy cover cybersecurity, including information technology governance, information security (network and data security), access controls, system change management and operation maintenance management. The Group has established an array of risk management procedures to identify, assess and manage such risks, primarily consisting of (i) preventive measures such as a cybersecurity management policy and a personal information protection policy, among others, to prevent cybersecurity incidents and (ii) remediation measures such as a personal information incidents response plan and a cybersecurity incident response plan, among others, to remediate cybersecurity incidents.
As part of the Group’s preventive measures, its cybersecurity management policy protects the security of its network structure and equipment, prevents unauthorized access and sets out procedures to monitor and assess its network operation. The Group’s personal information protection policy classifies personal information, sets out managing procedures based on such classification and only grants access to employees of designated positions. The Group has different levels of authorization corresponding to the responsibilities associated with each type of position. The Group has also adopted other preventive policies to ensure the safety of its system, mailbox, cloud, IT projects and software development, among others.
In addition, the Group has adopted policies and procedures to remediate cybersecurity incidents. The Group’s personal information incidents response plan sets out procedures to handle personal information incidents of different materiality levels and record-keeping policies to continuously enhance its personal information protection capabilities. The Group’s cybersecurity incident response plan sets out procedures to handle cyber-attacks, computer viruses and other impacts caused by natural disasters and accidents. The Group has also adopted other remediation policies such as malfunction handling procedures and data backup plans to minimize the loss caused by cybersecurity incidents.
Engagement of Third-Party Service Providers
To comply with the requirements under the Cybersecurity Law and Data Security Law and enhance the security of its information technology systems, the Group has engaged third-party agencies to perform system assessments and rectifications for hierarchical cybersecurity protection on a periodic basis. Fushun Insurance Brokerage Co., Ltd. and Shanghai Yungu have each obtained the Level 3 Certificate for Information Security Level Protection.
The Group has adopted third-party security assessment procedures and data outflow control procedures to manage risks from cybersecurity threats associated with its use of third-party service providers. For example, the Group’s servers are housed at third-party data centers, and its operations depend on the service providers’ ability to protect such systems in their facilities as well as their own systems. The Group performs security assessments on such third parties by assessing their cybersecurity policies, data encryption and privacy policies and relevant certificates, establishing procedures for granting such third parties access to the Group’s database and requiring them to conduct regular inspections. Since cooperation with third-party service providers may involve outbound data transfers, the Group desensitizes sensitive information before transferring such data. The Group does not allow third-party service providers to directly access its database and it includes a customary confidentiality clause in the agreements it enters into with them.
Risks from Cybersecurity Threats
The Group faces risks associated with cybersecurity threats in carrying out its business operations. For more details, see “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Automotive Business—Any significant disruption in the Group’s IT systems, including events beyond control, could prevent the offering of solutions and services through Cango platform or reduce their attractiveness and result in a loss of car buyers, financial institutions and other platform participants”; “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business Operations—Technology is a critical aspect in the efficient operation of the Group’s business, and if any of the Group’s systems contain undetected errors, or if the Group fails to effectively implement technology initiatives or anticipate future technology needs or demands, the Group’s operations may be materially and adversely affected”; “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Automotive Business—If the Group is unable to safeguard the security of the confidential information of car buyers, dealers or third parties it collaborates with and adapt to the relevant regulatory framework as to protection of such information, the Group’s business and operations may be adversely affected”; and “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Crypto Mining Business—Security threats to our crypto mining business could result in a loss of our crypto assets collateralized, or damage to our reputation and our brand, each of which could adversely affect an investment in our securities.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Group has adopted a comprehensive risk management system to manage various risks that it faces, including financial risks, operational risks, compliance risks and cybersecurity risks. In particular, cybersecurity risk management is a core component of the Group’s overall risk management framework. The Group has engaged an independent registered public accounting firm to conduct independent audits on the Group’s compliance with the internal control requirements under the Sarbanes-Oxley Act of 2002, and IT general controls (ITGC) are an important part of it. ITGC audits and consultancy cover cybersecurity, including information technology governance, information security (network and data security), access controls, system change management and operation maintenance management. The Group has established an array of risk management procedures to identify, assess and manage such risks, primarily consisting of (i) preventive measures such as a cybersecurity management policy and a personal information protection policy, among others, to prevent cybersecurity incidents and (ii) remediation measures such as a personal information incidents response plan and a cybersecurity incident response plan, among others, to remediate cybersecurity incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. When material cybersecurity risks and incidents occur or in other cases where management deems necessary, the board reviews reports from management and discusses remediation plans with them.
In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management with management, internal auditors and the independent auditor.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|board of directors
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. When material cybersecurity risks and incidents occur or in other cases where management deems necessary, the board reviews reports from management and discusses remediation plans with them.
In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management with management, internal auditors and the independent auditor.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
The Group’s management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity risks and incidents primarily through (i) the Cybersecurity Leadership Group, (ii) the Implementation Group and (iii) the Supervision Group. The Cybersecurity Leadership Group, which is led by our chief executive officer and chief technology officer, is in charge of establishing and overseeing cybersecurity policies and strategies. The Implementation Group, comprising the maintenance and securities department and other relevant departments, is in charge of executing technical controls and solutions to safeguard the Group’s system, network and IT infrastructure, among others. The Supervision Group, comprising the Group’s internal auditors and internal control department, is in charge of ongoing assessment of its cybersecurity work and compliance, including the internal control assessment in accordance with the Sarbanes-Oxley Act.
Our chief technology officer, Mr. Xu Meng, has been in charge of designing and technologically upgrading our cybersecurity compliance framework under the Personal Information Protection Law since 2021. Prior to joining our Company, he was in charge of assessing and strengthening the cybersecurity management of a major automotive company under the General Data Protection Regulation in support of its expansion into Europe. Before that, he served in another renowned automotive company and was responsible for designing a cybersecurity compliance framework, delivering internal trainings and implementing cybersecurity management policies and procedures.
Based on information obtained through the Cybersecurity Leadership Group, the Implementation Group and the Supervision Group, the Group’s management makes assessments of cybersecurity risks and incidents and regularly reports information about such risks and incidents as well as their assessment to the board of directors, to foster the board’s understanding of such risks and enable them to make timely decisions.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|chief technology officer
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our chief technology officer, Mr. Xu Meng, has been in charge of designing and technologically upgrading our cybersecurity compliance framework under the Personal Information Protection Law since 2021. Prior to joining our Company, he was in charge of assessing and strengthening the cybersecurity management of a major automotive company under the General Data Protection Regulation in support of its expansion into Europe. Before that, he served in another renowned automotive company and was responsible for designing a cybersecurity compliance framework, delivering internal trainings and implementing cybersecurity management policies and procedures.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Group’s management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity risks and incidents primarily through (i) the Cybersecurity Leadership Group, (ii) the Implementation Group and (iii) the Supervision Group. The Cybersecurity Leadership Group, which is led by our chief executive officer and chief technology officer, is in charge of establishing and overseeing cybersecurity policies and strategies.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true