|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company has implemented a cybersecurity program intended to assess, identify, manage and reduce cybersecurity risk. Through our partnership with Harley-Davidson we maintain an IT incident response plan that is designed to protect against, identify, evaluate, respond to, and recover from an incident. The plan is designed to be flexible so it may be adapted to an array of potential scenarios and includes a cybersecurity incident response team in the event of a cyber incident. The incident response team is a cross-functional group that is composed of both Company and Harley-Davidson personnel and external service providers, and which is tailored to a particular incident so that individuals with appropriate experience and expertise are available. Currently the Company contracts for such cybersecurity services through the Master Services Agreement with Harley-Davidson, in addition to leveraging its own information technology and security tools and teams.
We have invested in tools and technologies intended to protect our data and business systems, and we monitor our computing environment on an ongoing basis to help identify and assess risk. In addition, we have implemented a cybersecurity training program designed to educate and train employees how to identify, potentially avoid and report cybersecurity threats. It is focused on helping our workforce recognize, avoid falling victim to and raise the visibility of potential cyber threats and scams. In addition, periodic cybersecurity awareness messages are posted to employees on the Company portal as new threats and scams develop throughout the year.
Through the Master Services Agreement with Harley-Davidson, we take measures to regularly update and improve our cybersecurity program, including conducting assessments, performing penetration testing and scanning of our systems for vulnerabilities using external third-party tools and techniques to test security controls, auditing applicable data policies, and monitoring emerging laws and regulations related to information security. We design our program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, this does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST Cybersecurity Framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. In addition, we periodically engage third-party advisors to assess the effectiveness of our cybersecurity program, policies and practices. We rely on Harley-Davidson to regularly consult with external advisors and cybersecurity providers regarding opportunities and enhancements to strengthen our policies and practices.
With respect to third-party service providers, our cybersecurity program includes conducting due diligence of relevant and material service providers’ information security programs prior to onboarding. In general we also contractually require material third-party service providers with access to our information technology systems, sensitive business data or personal information to implement and maintain reasonably appropriate security controls and to use our personal information only to provide services to us, except as required by law.While the Company has experienced, and may in the future experience, cybersecurity incidents, prior incidents have not materially affected the Company’s business, results of operations or financial condition. Although the Company has invested in the protection of its data and information technology and monitors its systems on an ongoing basis, there can be no assurance that such efforts will in the future prevent material compromises to Company information technology systems that could have a material adverse effect on the Company’s business. See Item 1A. Risk Factors, which are incorporated by reference into this Item 1C.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company has implemented a cybersecurity program intended to assess, identify, manage and reduce cybersecurity risk. Through our partnership with Harley-Davidson we maintain an IT incident response plan that is designed to protect against, identify, evaluate, respond to, and recover from an incident. The plan is designed to be flexible so it may be adapted to an array of potential scenarios and includes a cybersecurity incident response team in the event of a cyber incident.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors has risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight activities. Cybersecurity is a critical component of our overall risk management program. Our Board of Directors is actively involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis.
The Audit and Finance Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are fully integrated into our enterprise risk management systems. The Audit and Finance Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs.
Our cybersecurity program is contracted through and led by Harley-Davidson’s Chief Information Security and Privacy Officer (CISO) who is responsible for assessing and managing the Company’s data privacy function and information security and technology risks (including cybersecurity). The CISO has over 20 years of cyber industry and compliance experience, serving in a CISO capacity for over ten of those years. The CISO reports to Harley Davidson’s Chief Digital and Operations Officer, who has extensive experience in leading information systems management, strategy and operational execution, including information security and incident management, prevention and response.
The Harley-Davidson CISO meets regularly with the appropriate management to review and discuss our cybersecurity and other information technology risks and opportunities. Our cybersecurity incident response plan sets forth a security incident management and reporting protocol, with escalation timelines and responsibilities.The Audit and Finance Committee receives periodic updates from the Harley-Davidson CISO or his designee on our cybersecurity program, including industry trends, the current state of our business systems, and any current known risks or concerns related thereto. The Audit and Finance Committee is involved in reviewing our information security and technology risks, including with respect to cybersecurity and reports on such matters to the Board as necessary, and at least annually.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors has risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight activities.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight activities. Cybersecurity is a critical component of our overall risk management program.
|Cybersecurity Risk Role of Management [Text Block]
|The Audit and Finance Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are fully integrated into our enterprise risk management systems. The Audit and Finance Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our cybersecurity program is contracted through and led by Harley-Davidson’s Chief Information Security and Privacy Officer (CISO) who is responsible for assessing and managing the Company’s data privacy function and information security and technology risks (including cybersecurity). The CISO has over 20 years of cyber industry and compliance experience, serving in a CISO capacity for over ten of those years. The CISO reports to Harley Davidson’s Chief Digital and Operations Officer, who has extensive experience in leading information systems management, strategy and operational execution, including information security and incident management, prevention and response.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has over 20 years of cyber industry and compliance experience, serving in a CISO capacity for over ten of those years. The CISO reports to Harley Davidson’s Chief Digital and Operations Officer, who has extensive experience in leading information systems management, strategy and operational execution, including information security and incident management, prevention and response.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Audit and Finance Committee receives periodic updates from the Harley-Davidson CISO or his designee on our cybersecurity program, including industry trends, the current state of our business systems, and any current known risks or concerns related thereto. The Audit and Finance Committee is involved in reviewing our information security and technology risks, including with respect to cybersecurity and reports on such matters to the Board as necessary, and at least annually.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef