|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY.
Management is responsible for identifying, monitoring and mitigating the material risks facing the Company, including cybersecurity risks. The Board of Directors oversees management’s processes related to those risks. The Audit Committee of the Board of Directors is responsible for overseeing the risks associated with information technology and cybersecurity threats, and reports on its activities to the full Board following each committee meeting.
The Audit Committee exercises its risk oversight function by carefully evaluating information and cybersecurity reports they receive from management; assessing the priorities and roadmap of the cybersecurity program; and making inquiries of management with respect to areas of particular interest to the Board. Senior leadership, including our chief digital officer (“CDO”) and our chief information security officer, periodically briefs the Audit Committee on our cybersecurity and information security programs and reviews relevant cybersecurity incidents.
Our global information technology organization, led by our CDO, is responsible for our overall information security strategy, policies, operations and threat detection and response. Our current CDO has more than two decades of experience in the automotive industry. The global information technology organization manages and maintains the cybersecurity program with the goal of preventing, detecting and remediating incidents, and works to increase our system resilience to minimize the business impact should an incident occur. Our cybersecurity program is informed by multiple, overlapping cybersecurity frameworks. These include the National Institute of Standards and Technology Cyber Security Framework (NIST-CSF); Cybersecurity Maturity Model Certification (CMMC); Control Objectives for Information and Related Technology (COBIT); International Organization for Standardization (ISO, specifically 27001); and Trusted Information Security Assessment Exchange (TISAX). Our cybersecurity program has achieved TISAX certification, or “labeling” for its demonstrated ability to identify, protect, detect, respond and recover from cyber risks. The “labeling” process requires independent, third-party auditors to test and confirm the controls we have implemented.
The program includes escalation and notification of potentially significant incidents to the Cybersecurity Disclosure Committee and the Audit Committee of the Board, as appropriate. Our Cybersecurity Disclosure Committee is comprised of senior leadership across multiple functional areas and is responsible for reviewing and evaluating potentially significant cybersecurity incidents and for determining whether any notification or disclosure is required under applicable laws, including the federal securities laws. In 2024, We have developed an AI Governance Council to address the cybersecurity, data privacy and data
management of emerging technologies. The Council is a multidisciplinary group with representatives from the human resources, information technology, law, compliance and ethics, privacy, and research and development functions.
Third-party specialists are also incorporated into our approach to cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, cybersecurity maturity assessments or consulting on best practices to address current and new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
We recognize a cybersecurity incident experienced by a supplier or joint venture partner could materially impact us. We assess third-party cybersecurity controls as part of our third-party IT risk due diligence and engage in cybersecurity consultant-led solution design reviews when integrating new tools or third parties. We contractually require third parties to report cybersecurity incidents to us so we can assess the impact of the incident and any necessary regulatory reporting obligations that may be required.
Notwithstanding our risk management efforts related to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material or other adverse effect on us. See Item 1A. “Risk Factors” for a discussion of our information technology and cybersecurity risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Audit Committee exercises its risk oversight function by carefully evaluating information and cybersecurity reports they receive from management; assessing the priorities and roadmap of the cybersecurity program; and making inquiries of management with respect to areas of particular interest to the Board. Senior leadership, including our chief digital officer (“CDO”) and our chief information security officer, periodically briefs the Audit Committee on our cybersecurity and information security programs and reviews relevant cybersecurity incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|false
|Cybersecurity Risk Role of Management [Text Block]
|
Management is responsible for identifying, monitoring and mitigating the material risks facing the Company, including cybersecurity risks. The Board of Directors oversees management’s processes related to those risks. The Audit Committee of the Board of Directors is responsible for overseeing the risks associated with information technology and cybersecurity threats, and reports on its activities to the full Board following each committee meeting.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The global information technology organization manages and maintains the cybersecurity program with the goal of preventing, detecting and remediating incidents, and works to increase our system resilience to minimize the business impact should an incident occur. Our cybersecurity program is informed by multiple, overlapping cybersecurity frameworks. These include the National Institute of Standards and Technology Cyber Security Framework (NIST-CSF); Cybersecurity Maturity Model Certification (CMMC); Control Objectives for Information and Related Technology (COBIT); International Organization for Standardization (ISO, specifically 27001); and Trusted Information Security Assessment Exchange (TISAX). Our cybersecurity program has achieved TISAX certification, or “labeling” for its demonstrated ability to identify, protect, detect, respond and recover from cyber risks. The “labeling” process requires independent, third-party auditors to test and confirm the controls we have implemented.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef